This small chip enables efficient computing in smartphones while protecting user data

Massachusetts Institute of Technology News


Health monitoring apps can help you manage chronic diseases and reach your fitness goals using just your smartphone. However, these apps can be slow and energy-inefficient because the vast machine learning models that power them must be shuttled back and forth between the smartphone and a central memory server.

Engineers often speed things up by using hardware that reduces the need to move so much data back and forth. Although these machine learning accelerators can streamline computation, they are vulnerable to attackers who can steal sensitive information.

To mitigate this vulnerability, researchers at MIT and the MIT-IBM Watson AI Lab created a machine learning accelerator that is resistant to two of the most common types of attacks. Their chip enables huge AI models to run efficiently on devices while keeping users' health records, financial information, and other sensitive data private.

The team has developed several optimizations that allow for stronger security with only a slight reduction in device speed. Furthermore, the added security does not affect the accuracy of calculations. This machine learning accelerator could be particularly beneficial for demanding AI applications such as augmented reality, virtual reality, and autonomous driving.

Implementing this chip makes the device slightly more expensive and less energy efficient, but it may be a price worth paying for security, says lead author Maitreyi Ashok, an electrical engineering and computer science (EECS) graduate student at MIT.

“It's important to design with security in mind from the ground up. Attempting to add minimal security after a system has been designed is cost-prohibitive. We make many of these trade-offs at the design stage. We were able to effectively balance this,” says Ashok.

Her co-authors include EECS graduate student Saurav Maji; Xin Zhang and John Cohn of the MIT-IBM Watson AI Lab; and senior author Anantha Chandrakasan, MIT's chief innovation and strategy officer, dean of the School of Engineering, and Vannevar Bush Professor at EECS. This research will be presented at the IEEE Custom Integrated Circuits Conference.

Side-channel sensitivity

The researchers targeted a type of machine learning accelerator called digital in-memory computing. Digital IMC chips perform calculations within the device's memory. This is where parts of the machine learning model are stored after being moved from the central server.

The entire model is too large to store on the device, but the IMC chip splits the model into parts and reuses those parts as much as possible, reducing the amount of data that needs to be moved back and forth.

However, IMC chips can be vulnerable to hacker attacks. In a side-channel attack, a hacker monitors a chip's power consumption and uses statistical techniques to reverse engineer the data as the chip calculates. In a bus probe attack, a hacker steals bits of the model and dataset by probing the communication between the accelerator and its off-chip memory.

Digital IMC speeds up computation by performing millions of operations at once, but Ashok says this complexity makes it difficult for traditional security measures to prevent attacks.

She and her collaborators took a three-pronged approach to blocking side-channel and bus-probe attacks.

First, they adopted a security measure that splits the data in the IMC into random parts. For example, a bit 0 may be split into three bits that still equal 0 after a logical operation. The IMC never computes with all parts in the same operation, so a side-channel attack cannot reconstruct the actual information.

However, for this technique to work, random bits must be added to split the data. Digital IMC performs millions of operations at once, so generating that many random bits requires a large amount of computation. For their chip, the researchers found a way to simplify the calculations, making it easier to partition the data effectively while eliminating the need for random bits.
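The splitting described above can be illustrated with a three-share Boolean masking scheme. The sketch below is an added example, not the researchers' circuit: it assumes the textbook threshold-implementation AND gate, in which each output share is computed without ever reading one of the three input shares and no fresh random bits are consumed during the operation. All function names are hypothetical.

```python
import secrets
from collections import Counter
from itertools import product

def share(bit, m0=None, m1=None):
    """Split a bit into three shares whose XOR equals the bit (m0, m1 are masks)."""
    m0 = secrets.randbits(1) if m0 is None else m0
    m1 = secrets.randbits(1) if m1 is None else m1
    return (m0, m1, bit ^ m0 ^ m1)

def unshare(s):
    """Recombine the shares; only done at the very end of a computation."""
    return s[0] ^ s[1] ^ s[2]

def and_component(i, a, b):
    """Output share i of the masked AND; it never reads share i of a or b."""
    j, k = (i + 1) % 3, (i + 2) % 3
    return (a[j] & b[j]) ^ (a[j] & b[k]) ^ (a[k] & b[j])

def masked_and(a, b):
    """AND on shared values: the three components together cover all 9 products."""
    return tuple(and_component(i, a, b) for i in range(3))

def component_view(i, a_bit, b_bit):
    """Distribution of the shares component i reads, over every possible mask."""
    j, k = (i + 1) % 3, (i + 2) % 3
    view = Counter()
    for m in product((0, 1), repeat=4):
        a, b = share(a_bit, m[0], m[1]), share(b_bit, m[2], m[3])
        view[(a[j], a[k], b[j], b[k])] += 1
    return view

def views_independent_of_secret():
    """True if what each component sees is distributed identically for all inputs."""
    for i in range(3):
        views = [component_view(i, a, b) for a, b in product((0, 1), repeat=2)]
        if any(v != views[0] for v in views):
            return False
    return True

def masked_and_is_correct(trials=50):
    """Check the masked AND against the plain AND for random sharings."""
    return all(unshare(masked_and(share(a), share(b))) == (a & b)
               for a, b in product((0, 1), repeat=2) for _ in range(trials))

if __name__ == "__main__":
    print("bit 0 as three shares:", share(0, 1, 0))   # constructed masks
    print("correct:", masked_and_is_correct())
    print("per-component view independent of secret:", views_independent_of_secret())
```

The check covers first-order leakage of a single component only; it says nothing about glitches or an attacker who combines measurements of several components.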

Second, they used lightweight cryptography to encrypt the model stored in off-chip memory to prevent bus probe attacks. This lightweight cipher requires only simple calculations. Additionally, they decrypted the parts of the model stored on the chip only when necessary.

Third, to improve security, they generated the decryption key directly on the chip, rather than moving it back and forth with the model. They generated this unique key from random variations within the chip introduced during manufacturing, using a so-called physically unclonable function.

“Maybe one wire is a little thicker than another. You can use these variations to get 0s and 1s from your circuit. These random characteristics change a lot over time. You shouldn't, so you get consistent random keys from chip to chip,” Ashok explains.

They reused memory cells on the chip and exploited the imperfections in these cells to generate keys. This requires less computation than generating keys from scratch.
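A simplified software model of deriving a repeatable key from memory-cell imperfections, as an added example that is not the researchers' design: each simulated cell has a fixed manufacturing mismatch plus per-read noise, enrollment keeps only cells that never flip, and the key is rebuilt by majority vote. The class, function names, noise level, and cell counts are assumptions made for illustration.

```python
import random

class SramPuf:
    """Toy chip: every cell has a fixed mismatch; each read adds fresh noise."""
    def __init__(self, n_cells, chip_seed, noise=0.05):
        process = random.Random(chip_seed)            # stands in for process variation
        self.mismatch = [process.gauss(0.0, 1.0) for _ in range(n_cells)]
        self.noise = noise
        self.env = random.Random(chip_seed ^ 0x5A5A)  # stands in for thermal noise

    def power_up(self):
        """One noisy read of the value each cell prefers to settle to."""
        return [int(m + self.env.gauss(0.0, self.noise) > 0) for m in self.mismatch]

def enroll(puf, reads=32, key_bits=128):
    """Return indices of cells that never flipped; this helper data holds no key bits."""
    samples = [puf.power_up() for _ in range(reads)]
    stable = [i for i in range(len(puf.mismatch))
              if len({s[i] for s in samples}) == 1]
    if len(stable) < key_bits:
        raise ValueError("not enough stable cells for the requested key size")
    return stable[:key_bits]

def derive_key(puf, cells, reads=15):
    """Rebuild the key on-chip: majority vote per selected cell over several reads."""
    samples = [puf.power_up() for _ in range(reads)]
    bits = [int(2 * sum(s[i] for s in samples) > reads) for i in cells]
    return int("".join(map(str, bits)), 2).to_bytes(len(cells) // 8, "big")

if __name__ == "__main__":
    chip_a = SramPuf(256, chip_seed=1)   # constructed chips, not measured data
    chip_b = SramPuf(256, chip_seed=2)
    cells = enroll(chip_a)
    key = derive_key(chip_a, cells)
    print("same chip, same key:", key == derive_key(chip_a, cells))
    print("other chip, same key:", key == derive_key(chip_b, cells))
```

Real designs add error correction on top of cell selection, because temperature, voltage, and aging shift cell behavior more than this noise model does.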

“Security has become a key issue in the design of edge devices, requiring the development of a complete system stack with a focus on secure operation. In this research, we focus on the security of machine learning workloads and describe a digital processor that uses cross-cutting optimizations, including encrypted data access between memory and processors, preventing side-channel attacks using randomization, and generating unique code. Such designs will be important in future mobile devices,” says Chandrakasan.

Safety test

To test the chip, researchers assumed the role of hackers and tried to steal sensitive information using side-channel and bus probe attacks.

Despite millions of attempts, they were unable to reconstruct the actual information or extract parts of the model or dataset. The cipher also remained unbreakable. By contrast, stealing information from an unprotected chip required only about 5,000 samples.

Adding security also makes the accelerator less energy efficient and requires more chip area, making it more expensive to manufacture.

In the future, the team plans to explore ways to reduce energy consumption and chip size, making it easier to implement at scale.

“If it gets too expensive, it becomes difficult to convince someone that security is important. Future research might explore these trade-offs. Maybe it's a little less secure. But it could be easier to implement and cheaper,” says Ashok.

This research was funded in part by the MIT-IBM Watson AI Lab, the National Science Foundation, and a Mathworks Engineering Fellowship.
