Semiconductor Engineering sat down to discuss hardware security challenges, including new threat models arising from AI-based attacks, with Serge Leef, AI-for-silicon strategist at Microsoft; Scott Best, senior director of silicon security products at Rambus; Lee Harrison, director of Tessent Automotive IC Solutions at Siemens EDA; Mohit Arora, senior director of architecture at Synaptics; Mike Borza, principal security technologist and scientist at Synopsys; and Mark Tehranipoor, professor in the ECE department at the University of Florida and co-founder of Caspia Technologies. What follows are excerpts from that discussion.

L-R: Tehranipoor, Caspia; Best, Rambus; Borza, Synopsys; Arora, Synaptics; Fern, Keysight; Leef, Microsoft; Harrison, Siemens EDA.
SE: Where are new threat models emerging, particularly with the focus on everything AI?
Fern: There are AI-specific attacks that have been publicized, like data poisoning, [which is] adversarial input to something like a large language model that is intended to break out of its protections. When you ask, “How do you make a bomb?”, it is not supposed to give you any specific information. Another important threat to AI systems is the confidentiality of the training data. It may not be a threat to other types of systems, but honestly, it comes down to the basics of security, confidentiality, integrity and availability, and almost every threat to an AI system falls into one of those buckets. There are attack techniques specifically designed for AI, machine learning and deep learning systems, but there are also traditional attack methods, for example a physical attack on an embedded device. If you have an entire network with all of your weights in flash, then someone can use flash extraction attacks to read all the data directly off the flash chip, and then they have your entire network. That is an example of a traditional attack applied in a machine learning or AI context.
Harrison: There are two key elements to AI and attacks. One is an attack on the AI data used for training. We are now beginning to see a lot of initiatives there. When I think about AI a few years ago, people wanted to get as much training data as possible and didn't really care where it came from. “If it's training data, it's good data.” But now there is a lot of movement in terms of how to authenticate that data. Organizations are putting measures in place to ensure that the data they use for training is trustworthy AI data. That's important. But then you also see physical attacks. It doesn't take huge interference with an AI network to push the AI model in a specific direction. Many people can press on this as an attack and see which direction they can push the AI hardware to misrepresent information. We have moved from pure hardware attacks to this new era of attacking the training data, and the impact is increasing.
Best: There are two answers to this question. For one, with the advent of AI systems, as you explained, obfuscation as a security approach has been dead for a very long time. Obfuscation is no longer a security approach. Once AI is applied to it, whether you're trying to hide something with camouflage, or in code, or in other ways, it's done. However, training data is not the only thing at risk. It is also edge data. Once a model is deployed to a system, ensuring the privacy, integrity, and freshness of the model becomes important. When data travels back and forth to HBM, or if you have off-chip DRAM, there is a security threat with regard to data at rest and data in use. There is also side-channel leakage when that data is used inside the AI core. It leaks information about the computation that uses that model. A Barracuda paper published several years ago showed a power analysis attack that extracted the models used from NPU systems. So all the standard concerns I have, data at rest, data in use, and the very high value of these models, sit in edge-based deployment systems. Developing the model costs tens of millions of dollars, and if the adversary can retrieve it, they can run it on an NPU without spending those tens of millions of dollars. Therefore, the security required to protect these models is worth a lot.
Tehranipoor: Where are we with security? We are in a much better position than ever before when it comes to the attention that industry, business and customers pay to security issues. We no longer have to work hard to convince people. Many companies we work with are extremely well informed about security issues at the C-suite level. That's the good news. The bad news is, as always, cost, cost, cost, and you want to make sure that simple automation is available. As for AI, it's a double-edged sword. For example, a few years ago, I asked students to inject vulnerabilities into some designs. At the time, it was manual, and each vulnerability easily took a week or two. I wanted to do this with a lot of designs. A few months later, we were able to inject vulnerabilities into some of our designs. At one point, in parallel, I was working with LLMs to see if LLMs could do that. The point is, if you find a way to use it well, it's really powerful. But at the same time, the adversary can use it in attack mode. GenAI can understand the limitations of what is detected today and can be used to counter it. This means it's really important to understand how to take advantage of the opportunities it offers while at the same time keeping an eye on the challenges. Furthermore, with the number of agents being developed under GenAI, problems will arise quickly if you don't design well, with some rules and an operational understanding.
Arora: I second that. Adversaries can use an LLM to attack binaries and suggest ways to attack them automatically. As Scott mentioned, side-channel attacks are extremely popular in terms of how AI can be used to shorten the development cycle. That's an offensive use of AI. What you can do is vulnerability chaining, and that's an important trend that's emerging now. This is where AI is used to look at all the transformations or limitations of a product and then chain them. I've seen it reduce the attack cycle many times. Working on PCI payment cards, there was a standard that specified new requirements for 10 hours of side-channel protection. But that was 2010. At the time, they thought 10 hours would be enough to prevent attacks at the system level. But now, as the attack cycle actually shrinks, AI can do much higher-value attacks. The same applies to Arm's Platform Security Architecture (PSA) Level 3 and Level 4. They usually take 35 days to see how far they can attack. But if you can do that much faster, you can mount a much higher-value attack later. It's one of the important trends we're looking at. Synaptics is trying to run AI directly for low latency as part of a secure video path, but that's a trust boundary, so you need to be very careful.
Borza: The real situation with AI is that it significantly increases the size of the attack surface, and with the exception of cloud computing, I have never seen such an explosion of the attack surface. If you can get into a data center, you can either walk from place to place, or reverse engineer systems from within the cloud, adjacent to someone else's compute load, which will cause a lot of damage. GenAI presents the opportunity, but it is distributed. Generally, it's not just GenAI, but AI systems in general. Whether it's a large language model or not, there are edge devices carrying many neural models around, and they are attacked not only through side channels but through direct manipulation. People are trying to get into them, steal the models, and manipulate them. If you can change the model at the hardware level, you can do the same kinds of things you could do if you had poisoned the training data. The way the model works is changed. This is an increase in the size of the attack surface that is extremely difficult to deal with. There are also some specific attacks that are unique to AI systems. These are a number of side-channel attacks that use the AI as an oracle and make it spill the beans on information that is not supposed to escape from the trained thing, the training methods, and the models. It's all in there, and there's an opportunity to get at it through clever prompts or by directly accessing the hardware itself and the underlying data. Therefore, the attack surface is huge. I have hopes of using AI to do some of the red teaming. But if you're doing red teaming with AI, that by definition means your adversaries are also using it against you. And if you haven't, your adversaries will be doing it anyway.
Leef: I wanted to comment on the concept of dataset poisoning. What we are seeing more and more is that less fine-tuning is happening. People are adding value outside of the LLM, in other words, enhancements such as retrieval-augmented generation (RAG) and graph search. What this means is that the valuable IP, the intellectual property, is staying on the premises. It sits in a local place. It does not go back into the LLM, so there is a one-way membrane for this IP and no secret leakage passes through it. For me, the biggest issue with security as a business is its poor economics. Before you sell a solution, you need to explain to people why there is a problem. It's similar to selling vitamins, in contrast to life-saving drugs for life-threatening diseases. The objection to the security sales pitch is, “There are no security experts here, and nothing has happened.” This is where AI can enter the equation and play an interesting role. I saw this while I was at DARPA. There were several classes of customers interested in security. There were large merchant semiconductor companies that frequently had a very large division of people who built custom security for each chip. Then there was the opposite extreme, the edge IoT startups. They really only cared about getting to market as soon as possible and building something that would stand out for your smartphone. That leaves two parties in the middle. The first is the large application-centric semiconductor vendors focusing on specific domains. They don't actually have many security experts, so when you talk to the economic decision maker and try to sell security, this person says, “No one understands this. It's hard to find them. They're expensive.” That's a non-starter. The second is the mil/aero constituency, which views this as art rather than science. They have several people hidden in their closets whom they pull out for special government programs.
There is a barrier to entry for security, which is bridging the gap from security to the economic decision makers within the client company. AI is useful here. Historically, the EDA industry has sold tools that, combined with a human, delivered economic value. But you still needed a person who knew what to do with the tool, and the obvious angle here is, “Why do we need a human? What if it's an agent?” So when you bundle the tool and the agent together, suddenly you deliver the decision maker a solution on a silver platter that doesn't require acquiring highly differentiated, expensive professionals. If, for some number of dollars, someone who is not a domain expert can press a button and objectively reduce the risk of being sued in a situation that interferes with life, they will actually pay $500,000 or $1 million to take that away. What prevents the adoption of such things is the need to have experts.
