TY - GEN
T1 - On the Security Vulnerabilities of MRAM-based In-Memory Computing Architectures against Model Extraction Attacks
AU - Roy, Saion K.
AU - Shanbhag, Naresh R.
N1 - This research was supported by the SRC- and DARPA-funded JUMP 2.0 centers COCOSYS and CUBIC.
PY - 2025/4/9
Y1 - 2025/4/9
N2 - This paper studies the security vulnerabilities of embedded nonvolatile memory (eNVM)-based in-memory computing (IMC) architectures to model extraction attacks (MEAs). These attacks allow the reconstruction of private training data from trained model parameters, thereby leaking sensitive user information. The presence of analog noise in eNVM-based IMC computation suggests that they may be intrinsically robust to MEAs. However, we show that this conjecture is false. Specifically, we consider the scenario where an attacker aims to retrieve model parameters via input-output query access, and propose three attacks that exploit the statistics of the IMC computation. We demonstrate the efficacy of these attacks in extracting the model parameters of the last layer of a ResNet-20 network from the bitcell array of an MRAM-based IMC prototype in a 22 nm process. Employing the proposed MEAs, the attacker obtains a CIFAR-10 accuracy within 0.1% of that of an N = 64-dimensional, 7 b × 4 b fixed-point digital baseline. To the best of our knowledge, this is the first work to demonstrate MEAs for eNVM-based IMC on a real-life IC prototype. Our results indicate the critical importance of investigating the security vulnerabilities of IMCs in general, and eNVM-based IMCs in particular.
AB - This paper studies the security vulnerabilities of embedded nonvolatile memory (eNVM)-based in-memory computing (IMC) architectures to model extraction attacks (MEAs). These attacks allow the reconstruction of private training data from trained model parameters, thereby leaking sensitive user information. The presence of analog noise in eNVM-based IMC computation suggests that they may be intrinsically robust to MEAs. However, we show that this conjecture is false. Specifically, we consider the scenario where an attacker aims to retrieve model parameters via input-output query access, and propose three attacks that exploit the statistics of the IMC computation. We demonstrate the efficacy of these attacks in extracting the model parameters of the last layer of a ResNet-20 network from the bitcell array of an MRAM-based IMC prototype in a 22 nm process. Employing the proposed MEAs, the attacker obtains a CIFAR-10 accuracy within 0.1% of that of an N = 64-dimensional, 7 b × 4 b fixed-point digital baseline. To the best of our knowledge, this is the first work to demonstrate MEAs for eNVM-based IMC on a real-life IC prototype. Our results indicate the critical importance of investigating the security vulnerabilities of IMCs in general, and eNVM-based IMCs in particular.
KW - In-Memory Computing
KW - MRAM
KW - Model Extraction Attacks
KW - Security Vulnerabilities
KW - eNVM
UR - http://www.scopus.com/inward/record.url?scp=105003627167&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=105003627167&partnerID=8YFLogxK
U2 - 10.1145/3676536.3676685
DO - 10.1145/3676536.3676685
M3 - Conference contribution
AN - SCOPUS:105003627167
T3 - IEEE/ACM International Conference on Computer-Aided Design, Digest of Technical Papers, ICCAD
BT - Proceedings of the 43rd IEEE/ACM International Conference on Computer-Aided Design, ICCAD 2024
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 43rd International Conference on Computer-Aided Design, ICCAD 2024
Y2 - 27 October 2024 through 31 October 2024
ER -
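The abstract's central point is that analog noise in an eNVM IMC column does not, by itself, stop a query-only attacker from recovering a linear (last-layer) weight vector. The following is an added illustration of why, written for this record; it is not code from the paper or its authors, and it does not reproduce the three attacks the paper proposes. It assumes a simulated column that returns the dot product plus Gaussian noise, 4 b signed weights with 7 b signed inputs (the abstract says "7 b × 4 b" without stating which operand is which), N = 64 as in the abstract's baseline, and a constructed noise level of 40 LSB. The attacker first characterises the noise from zero-input queries, then repeats basis-vector queries until the averaged error is well below half a weight LSB.

```python
"""Added example, not from the paper: query-only extraction of a noisy linear
layer, showing why analog noise alone does not protect IMC weights."""
import math
import random

N = 64              # input dimension, matching the abstract's digital baseline
W_BITS = 4          # assumed: 4 b signed weights (operand split in "7 b x 4 b" is an assumption)
X_BITS = 7          # assumed: 7 b signed inputs
X_MAX = (1 << (X_BITS - 1)) - 1   # 63: largest input value the attacker can drive
NOISE_SIGMA = 40.0  # assumed: std. dev. of additive analog noise on the dot product (LSB of x*w)


def make_weights(rng, n=N, bits=W_BITS):
    """Random signed fixed-point weights for the simulated last layer (constructed data)."""
    lo, hi = -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    return [rng.randint(lo, hi) for _ in range(n)]


class NoisyIMCColumn:
    """Simulated IMC column: each query returns <w, x> plus fresh analog noise."""

    def __init__(self, w, sigma, rng):
        self.w, self.sigma, self.rng = w, sigma, rng
        self.queries = 0

    def query(self, x):
        if len(x) != len(self.w):
            raise ValueError("input length must equal N")
        self.queries += 1
        clean = sum(wi * xi for wi, xi in zip(self.w, x))
        return clean + self.rng.gauss(0.0, self.sigma)


def basis_vector(i, n=N, amplitude=X_MAX):
    x = [0] * n
    x[i] = amplitude
    return x


def estimate_noise_sigma(oracle, samples=256):
    """Step 1: with the all-zero input <w, 0> = 0, so every response is a pure
    noise sample; the sample std. dev. characterises the column's noise."""
    zero = [0] * len(oracle.w)
    r = [oracle.query(zero) for _ in range(samples)]
    mean = sum(r) / samples
    return math.sqrt(sum((v - mean) ** 2 for v in r) / (samples - 1))


def repeats_for_target_error(sigma_est, amplitude=X_MAX, target_std=0.05):
    """Step 2: per-weight error std after k repeats is sigma / (amplitude * sqrt(k));
    pick the smallest k that pushes it below target_std (well under 0.5 LSB)."""
    return math.ceil((sigma_est / (amplitude * target_std)) ** 2)


def single_shot_extract(oracle, n=N):
    """Naive attack: one query per basis vector. With 40 LSB noise on a 63x-scaled
    weight the per-weight error std is about 0.63 LSB, so rounding often misses."""
    return [oracle.query(basis_vector(i, n)) / X_MAX for i in range(n)]


def averaging_extract(oracle, repeats, n=N):
    """Averaging attack: repeat each basis query; the noise averages down as
    1/sqrt(k) while the signal does not, so the rounded mean converges to w."""
    est = []
    for i in range(n):
        x = basis_vector(i, n)
        mean = sum(oracle.query(x) for _ in range(repeats)) / repeats
        est.append(mean / X_MAX)
    return est


def count_correct(est, w):
    return sum(round(e) == t for e, t in zip(est, w))


def run_demo(seed=7):
    """Returns (true weights, single-shot rounded, averaged rounded, query stats)."""
    rng = random.Random(seed)
    w = make_weights(rng)
    oracle = NoisyIMCColumn(w, NOISE_SIGMA, rng)

    naive = [round(v) for v in single_shot_extract(oracle)]
    naive_queries = oracle.queries

    sigma_est = estimate_noise_sigma(oracle)
    k = repeats_for_target_error(sigma_est)
    averaged = [round(v) for v in averaging_extract(oracle, k)]
    stats = {"naive_queries": naive_queries, "repeats": k,
             "attack_queries": oracle.queries - naive_queries}
    return w, naive, averaged, stats


if __name__ == "__main__":
    w, naive, averaged, stats = run_demo()
    print("single-shot correct:", count_correct(naive, w), "/", N)
    print("averaged correct:   ", count_correct(averaged, w), "/", N, stats)
```

The budget the attacker needs is set by the noise, not by the secrecy of the weights: at 40 LSB of noise and an input swing of 63, roughly 160 repeats per basis vector (about ten thousand queries for N = 64) bring the rounded estimate to the exact weight, whereas the single-shot estimate is wrong for a large fraction of the weights. A defence that relies on noise therefore has to reason about the attacker's query budget and about correlations the attacker can exploit, which is the question the paper raises for real MRAM prototypes.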