Health monitoring apps can help people manage chronic diseases or reach fitness goals using only their smartphone. However, these apps can be slow and energy-inefficient because the large machine learning models that power them must be shuttled between the smartphone and a central memory server.
Engineers often speed this up with hardware that reduces the need to move so much data back and forth. While these machine learning accelerators can streamline computation, they are vulnerable to attacks that can steal secret information.
To mitigate this vulnerability, researchers from MIT and the MIT-IBM Watson AI Lab have created a machine learning accelerator that is resistant to two of the most common types of attacks. Their chip can ensure the privacy of a user’s health records, financial information, and other sensitive data while enabling massive artificial intelligence models to run efficiently on devices.
The team developed several optimizations that provide strong security while only slightly slowing down the device. Moreover, the added security does not affect the accuracy of the computations. This machine learning accelerator could be particularly useful in demanding AI applications such as augmented and virtual reality and autonomous driving.
Although implementing the chip would make a device slightly more expensive and less energy-efficient, that is sometimes a price worth paying for security, says lead author Maitreyi Ashok, an electrical engineering and computer science (EECS) graduate student at MIT.
“It’s important to design from the ground up with safety in mind. If you try to add even minimal security after designing the system, it is too expensive. We managed to successfully balance many of these trade-offs at the design stage,” says Ashok.
Ashok's co-authors are Saurav Maji, an EECS graduate; Xin Zhang and John Cohn of the MIT-IBM Watson AI Lab; and senior author Anantha Chandrakasan, MIT's chief innovation and strategy officer, dean of the School of Engineering, and Vannevar Bush Professor of EECS. The research will be presented at the IEEE Custom Integrated Circuits Conference.
Side-channel susceptibility
The researchers turned to a type of machine learning accelerator called digital in-memory computing (IMC). A digital IMC chip performs computations inside the device's memory, where pieces of the machine learning model are stored after being transferred from the central server.
The entire model is too enormous to store on the device, but by breaking it into pieces and reusing them as much as possible, IMC chips reduce the amount of data that must be transferred back and forth.
But IMC chips can be vulnerable to attacks. In a side-channel attack, an attacker monitors the chip's power consumption and uses statistical techniques to reverse-engineer the data while the chip computes. In a bus-probing attack, an attacker can steal pieces of the model and dataset by probing the communication between the accelerator and the off-chip memory.
Digital IMC speeds up computation by performing millions of operations at once, but this complexity makes it difficult to prevent attacks with standard security measures, Ashok says.
She and her colleagues took a three-pronged approach to blocking side-channel and bus-probing attacks.
First, they used a security measure that splits the data in the IMC into random pieces. For example, a zero bit can be split into three bits that still equal zero after a logical operation. The IMC never computes with all of the pieces in the same operation, so a side-channel attack can never reconstruct the real information.
However, for this technique to work, random bits must be added to partition the data. Since the digital IMC performs millions of operations at once, generating so many random bits would require too much computation. For their chip, the researchers found a way to simplify computation, making it easier to divide data efficiently while eliminating the need for random bits.
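The splitting described above is Boolean masking. The following added example (not the authors' design; the function names and share counts are my own choices) shows a bit split into shares that XOR back to the secret, a linear XOR computed share by share with no fresh randomness, and a nonlinear AND that needs a fresh random bit per gate, which is the randomness cost the researchers worked to avoid.

```python
# Added illustration of Boolean masking (secret sharing of bits); not the
# chip's own implementation. Names and share counts are assumptions.
import secrets
from functools import reduce
from operator import xor

def split_bit(bit: int, n_shares: int = 3) -> list[int]:
    """Split one secret bit into n_shares shares whose XOR equals the bit.

    The first n_shares-1 shares are fresh random bits; the last one fixes
    the parity. Each share on its own is uniformly random.
    """
    shares = [secrets.randbits(1) for _ in range(n_shares - 1)]
    shares.append(bit ^ reduce(xor, shares, 0))
    return shares

def recombine(shares: list[int]) -> int:
    """Recover the secret: XOR of all shares."""
    return reduce(xor, shares, 0)

def xor_shared(a: list[int], b: list[int]) -> list[int]:
    """XOR of two masked bits, computed share by share.

    XOR is linear, so no fresh randomness is needed and no operation ever
    touches two shares of the same secret.
    """
    return [x ^ y for x, y in zip(a, b)]

def and_shared(a: list[int], b: list[int]) -> list[int]:
    """AND of two 2-share masked bits (ISW gadget).

    AND is nonlinear, so it must mix shares of the same secret; one fresh
    random bit r re-masks the cross terms so no intermediate reveals them.
    Evaluation order matters: (r ^ a0b1) ^ a1b0, never a0b1 ^ a1b0.
    """
    r = secrets.randbits(1)
    c0 = (a[0] & b[0]) ^ r
    c1 = (a[1] & b[1]) ^ ((r ^ (a[0] & b[1])) ^ (a[1] & b[0]))
    return [c0, c1]

def share_bias(bit: int, trials: int = 20000) -> float:
    """Fraction of trials in which share 0 is 1 for a fixed secret bit.

    Close to 0.5 for bit=0 and bit=1 alike: an observer who sees one
    share learns nothing about the secret.
    """
    return sum(split_bit(bit)[0] for _ in range(trials)) / trials
```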
Second, they prevented bus-probing attacks with a lightweight cipher that encrypts the model stored in off-chip memory. This lightweight cipher requires only simple computations. In addition, they decrypted the pieces of the model stored on the chip only when necessary.
Third, to improve security, they generated the key that decrypts the cipher directly on the chip, rather than moving it back and forth with the model. They generated this unique key from random variations in the chip introduced during manufacturing, using what is known as a physically unclonable function.
“Maybe one wire will be a little thicker than the other. We can exploit these variations to get the 0s and 1s from the perimeter. We can get a random key for each chip, which should be consistent because these random properties should not change significantly over time,” Ashok explains.
They reused the memory cells on the chip, exploiting the imperfections in those cells to generate a key. This requires less computation than generating the key from scratch.
“As security has become a key consideration in edge device design, there is a need to develop a complete system stack focused on secure operation. This work focuses on the security of machine learning workloads and describes a digital processor using cross-sectional optimization. It includes encrypted data access between memory and the CPU, an approach to preventing side-channel attacks using randomization, and exploiting variability to generate unique codes. Such designs will be crucial in future mobile devices,” says Chandrakasan.
Security tests
To test their chip, researchers took on the role of hackers and tried to steal secret information using side-channel and bus-probing attacks.
Even after millions of tries, they were unable to reconstruct any real information or extract parts of the model or dataset. The cipher also remained unbreakable. In contrast, it only took about 5,000 samples to steal information from an unprotected chip.
Adding the protections reduced the accelerator's energy efficiency and also required more chip area, which would make it more expensive to produce.
The team plans to explore methods that could reduce the chip's power consumption and size, making it easier to deploy at large scale.
“As it becomes too expensive, it becomes more and more difficult to convince someone that safety is crucial. Future work could explore these trade-offs. Perhaps we could make it a little less secure, but easier to implement and cheaper,” says Ashok.
The research is funded in part by the MIT-IBM Watson AI Lab, the National Science Foundation, and the Mathworks Engineering Fellowship.