Analog CiM Security Analysis

Reverse-Engineering Ternary Neural Network Parameters

Master Thesis (2025)
Author(s)

J.J.C. Goudzwaard (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Contributor(s)

M. Taouil – Mentor (TU Delft - Computer Engineering)

S. Vollebregt – Graduation committee member (TU Delft - Electronic Components, Technology and Materials)

F.J. Mir – Mentor (TU Delft - Computer Engineering)

Faculty
Electrical Engineering, Mathematics and Computer Science
Publication Year
2025
Language
English
Graduation Date
18-12-2025
Awarding Institution
Delft University of Technology
Programme
Electrical Engineering | Embedded Systems
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

Traditional von Neumann-based computing architectures suffer from the memory wall problem, which describes an increasing gap between processor performance and memory bandwidth. The compute-in-memory (CiM) paradigm aims to overcome this problem by performing computations directly within memory, thereby avoiding the overhead associated with data transfers.

CiM architectures based on memristive devices such as ReRAM, STT-MRAM and PCRAM have become promising candidates for embedded applications that are bound to strict area and power consumption constraints. Such architectures typically comprise a memristive crossbar configuration and additional peripheral circuitry including digital-to-analog converters and analog-to-digital converters (ADCs). While these architectures can be used to implement high-performance, energy-efficient deep neural network (DNN) inference accelerators, they also introduce new security challenges that must be investigated thoroughly. A specific set of challenges arises when the accelerator is deployed at the edge, which provides physical access to adversaries.

This thesis investigates the security challenges of deploying a ReRAM-based DNN inference accelerator at the edge. Specifically, it investigates the possibility of reconstructing the ternary weights that are encoded within the memory cells of the accelerator by performing a power side-channel attack against its ADCs. The ADCs are based on a novel design where the conversion process is governed by a voltage-controlled oscillator (VCO). A vulnerability assessment is performed in order to identify potential leakage of information by the power side-channels of the VCO-based ADCs. Two distinct vulnerabilities have been identified that can be exploited by an adversary in order to reconstruct the weight values that are encoded within the memory cells of the accelerator.

The results of the vulnerability analysis have led to the development of a two-stage power side-channel attack. The first stage of the power side-channel attack consists of a profiling phase that aims to gain an insight into the distribution of the weights that are stored within each row of the memristive crossbar. The second stage of the power side-channel attack consists of analysing the effect of applying different weight patterns to the crossbar in order to infer the position and the value of each unknown weight. The attack has been demonstrated against a 32-by-4 memristive crossbar configuration. Results show that all weights encoded within the memristive crossbar can be reconstructed successfully.

Two distinct countermeasure circuits have been evaluated. The first countermeasure is based on a current-flattening technique. Results show that the circuit is able to protect the VCO-based ADC from exploitation of its power-related side-channel. However, the circuit introduces significant overheads in terms of energy consumption. The second countermeasure is based on mimicking the current draw of the ADC that is associated with different MAC outcomes using a memristor-based physical unclonable function (PUF). While the PUF-based countermeasure comes with a much lower overhead than the current-flattening approach, the circuit still introduces significant energy overhead. Therefore, future work should focus on the development of more energy-efficient countermeasures.

Files

License info not available

File under embargo until 10-12-2026