| Author: | 林鈺筌 Lin, Yu-Chuan |
|---|---|
| Thesis title: | 應用於深度神經網路加速器之高安全性且輕量化記憶體保護方法 A High-Security and Lightweight Memory Protection Scheme for DNN Accelerators |
| Advisor: | 李昆忠 Lee, Kuen-Jong |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Department of Electrical Engineering |
| Year of publication: | 2024 |
| Academic year of graduation: | 112 |
| Language: | English |
| Number of pages: | 48 |
| Keywords: | hardware security, deep neural network (DNN) accelerator, memory protection, intellectual property (IP) protection |
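As deep neural network accelerators are used for a variety of critical tasks, ensuring the security of these accelerators has become a crucial issue. This thesis proposes a high-security, lightweight memory protection method for deep neural network accelerators. We exploit the data characteristics of deep neural networks to reduce the overhead of memory encryption and memory integrity verification while providing robust security. We propose an importance-aware bit-position encryption method to reduce the amount of data that must be encrypted, and an embedded message authentication code method to reduce the storage space and memory accesses of the message authentication codes used for integrity verification. In addition, we provide adapted versions of the proposed methods for quantized deep neural network models. We also design and implement a lightweight memory protection unit to realize the proposed methods. Experimental results show that the proposed memory protection method can resist most memory-related attacks and, even when deployed on a small, high-efficiency deep neural network accelerator, incurs only very small performance (~1%), area (<1%) and power (<2%) overhead.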
As deep neural network (DNN) accelerators have been used for various mission-critical applications, ensuring the security of these accelerators has become a pivotal concern. This thesis proposes a high-security and lightweight memory protection scheme for DNN accelerators. We leverage the data characteristics of DNNs to reduce the overhead of memory encryption and integrity verification while providing robust security features. Specifically, a criticality-aware bit position encryption method is used to reduce the amount of data to be encrypted, and an embedded message authentication code (MAC) method is employed to reduce the storage and memory accesses of MACs for integrity verification. We also provide adapted versions of the proposed methods to fit quantized models. A lightweight memory protection unit is designed and implemented to realize the proposed methods. Experimental results demonstrate that the proposed memory protection scheme can defend against most memory-related attacks with very small overhead in performance (~1%), area (<1%), and power (<2%), even when deployed on a small energy-efficient DNN accelerator.
On campus: publicly available from 2029-07-11