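@comment{
  Cleaned-up reference-manager export. Conference papers now use the
  inproceedings type with the venue in booktitle; ISSN values are unwrapped
  from the ["..."] export artefact; months use the jan..dec macros; page
  ranges use "--"; ampersands, percent signs, dashes and curly quotes are
  given as LaTeX text; abstractNote is renamed to the standard abstract
  field; "et al." uses the "and others" token; the dx.doi.org url that merely
  duplicated a doi was dropped. The citation key of the Regazzoni et al. 2020
  entry contained spaces and a period and could not be cited, so it was
  changed to
  regazzoni_bhasin_pour_alshaer_aydin_aysu_beroulle_dinatale_franzon_hely_etal_2020.
}

@string{tcad   = {IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems}}
@string{todaes = {ACM Transactions on Design Automation of Electronic Systems}}
@string{ieee   = {Institute of Electrical and Electronics Engineers (IEEE)}}

@inproceedings{jiang_potluri_ho_2023,
  author    = {Jiang, Shui and Potluri, Seetal and Ho, Tsung-Yi},
  title     = {Scalable Scan-Chain-Based Extraction of Neural Network Models},
  booktitle = {2023 Design, Automation \& Test in Europe Conference \& Exhibition ({DATE})},
  year      = {2023},
  issn      = {1530-1591},
  doi       = {10.23919/DATE56975.2023.10137156},
  abstract  = {Scan chains have greatly improved hardware testability while introducing security breaches for confidential data. Scan-chain attacks have extended their scope from cryptoprocessors to AI edge devices. The recently proposed scan-chain-based neural network (NN) model extraction attack (ICCAD 2021) made it possible to achieve fine-grained extraction and is multiple orders of magnitude more efficient both in queries and accuracy than its coarse-grained mathematical counterparts. However, both query formulation complexity and constraint solver failures increase drastically with network depth/size. We demonstrate a more powerful adversary, who is capable of improving scalability while maintaining accuracy, by relaxing high-fidelity constraints to formulate an approximate-fidelity-based layer-constrained least-squares extraction using random queries. We conduct our extraction attack on neural network inference topologies of different depths and sizes, targeting the MNIST digit recognition task. The results show that our method outperforms the scan-chain attack proposed in ICCAD 2021 by an average increase in the extracted neural network's functional accuracy of $\approx$ 32\% and 2--3 orders of reduction in queries. Furthermore, we demonstrated that our attack is highly effective even in the presence of countermeasures against adversarial samples.},
}

@article{potluri_kundu_kumar_basu_aysu_2023,
  author   = {Potluri, Seetal and Kundu, Shamik and Kumar, Akash and Basu, Kanad and Aysu, Aydin},
  title    = {{SeqL} plus: Secure Scan-Obfuscation With Theoretical and Empirical Validation},
  journal  = tcad,
  volume   = {42},
  number   = {5},
  pages    = {1406--1410},
  year     = {2023},
  month    = may,
  issn     = {1937-4151},
  doi      = {10.1109/TCAD.2022.3199153},
  abstract = {Scan-obfuscation is a powerful methodology to protect Silicon-based intellectual property from theft. Prior work on scan-obfuscation in the context of logic-locking have unique limitations, which are addressed by our previous work, SeqL, which looks at functional output corruption to obfuscate scan-chains, but is unable to resist removal attacks on circuits with inadequate number of flip-flops without feedback. To address this issue, we propose to scramble flip-flops with feedback to increase key length without introducing further vulnerabilities. This study reveals the first formulation and complexity analysis of Boolean satisfiability (SAT)-based attack on scan-scrambling. We formulate the attack as a conjunctive normal form (CNF) using a worst-case $\mathcal{O}(n^{3})$ reduction in terms of scramble-graph size $n$. In order to defeat SAT-based attack, we propose an iterative swapping-based scan-cell scrambling algorithm that has $\mathcal{O}(n)$ implementation time-complexity and $\mathcal{O}(2^{\lfloor (\alpha n+1)/3 \rfloor})$ SAT-decryption time-complexity in terms of a user-configurable cost constraint $\alpha\ (0 < \alpha \le 1)$.},
}

@inproceedings{sayadi_aliasgari_aydin_potluri_aysu_edmonds_tehranipoor_2022,
  author    = {Sayadi, Hossein and Aliasgari, Mehrdad and Aydin, Furkan and Potluri, Seetal and Aysu, Aydin and Edmonds, Jack and Tehranipoor, Sara},
  title     = {Towards {AI}-Enabled Hardware Security: Challenges and Opportunities},
  booktitle = {2022 {IEEE} 28th International Symposium on On-Line Testing and Robust System Design ({IOLTS} 2022)},
  year      = {2022},
  issn      = {1942-9398},
  doi       = {10.1109/IOLTS56730.2022.9897507},
  abstract  = {Recent developments in Artificial Intelligence (AI) and Machine Learning (ML), driven by a substantial increase in the size of data in emerging computing systems, have led into successful applications of such intelligent techniques in various disciplines including security. Traditionally, integrity of data has been protected with various security protocols at the software level with the underlying hardware assumed to be secure. This assumption however is no longer true with an increasing number of attacks reported on the hardware. The emergence of new security threats (e.g., malware, side-channel attacks, etc.) requires patching/updating the software-based solutions that needs a vast amount of memory and hardware resources. Therefore, the security should be delegated to the underlying hardware, building a bottom-up solution for securing computing devices rather than treating it as an afterthought. This paper highlights the growing role of AI/ML techniques in hardware and architecture security field and provides insightful discussions on pressing challenges, opportunities, and future directions of designing accurate and efficient machine learning-based attacks and defense mechanisms in response to emerging hardware security vulnerabilities in modern computer systems and next generation of cryptosystems.},
}

@article{kashyap_aydin_potluri_franzon_aysu_2021,
  author    = {Kashyap, Priyank and Aydin, Furkan and Potluri, Seetal and Franzon, Paul D. and Aysu, Aydin},
  title     = {{2Deep}: Enhancing Side-Channel Attacks on Lattice-Based Key-Exchange via {2-D} Deep Learning},
  journal   = tcad,
  volume    = {40},
  number    = {6},
  pages     = {1217--1229},
  year      = {2021},
  month     = jun,
  publisher = ieee,
  issn      = {1937-4151},
  doi       = {10.1109/TCAD.2020.3038701},
  abstract  = {Advancements in quantum computing present a security threat to classical cryptography algorithms. Lattice-based key exchange protocols show strong promise due to their resistance to theoretical quantum-cryptanalysis and low implementation overhead. By contrast, their physical implementations have shown vulnerability against side-channel attacks (SCAs) even with a single power measurement. The state-of-the-art SCAs are, however, limited to simple, sequentialized executions of post-quantum key-exchange (PQKE) protocols, leaving the vulnerability of complex, parallelized architectures unknown. This article proposes 2Deep---a deep-learning (DL)-based SCA---targeting parallelized implementations of PQKE protocols, namely, Frodo and NewHope with data augmentation techniques. Specifically, we explore approaches that convert 1-D time-series power measurement data into 2-D images to formulate SCA an image recognition task. The results show our attack's superiority over conventional techniques including horizontal differential power analysis (DPA), template attacks (TAs), and straightforward DL approaches. We demonstrate improvements up to $1.5\times$ to recover a 100\% success rate compared to DL with 1-D input data while using fewer data. We furthermore show that machine learning improves the results up to $1.25\times$ compared to TAs. Furthermore, we perform cross-device attacks that obtain profiles from a single device, which has never been explored. Our 2-D approach is especially favored in this setting, improving the success rate of attacking Frodo from 20\% to 99\% compared to the 1-D approach. Our work thus urges countermeasures even on parallel architectures and single-trace attacks.},
}

@inproceedings{potluri_aysu_2021,
  author    = {Potluri, Seetal and Aysu, Aydin},
  title     = {Stealing Neural Network Models through the Scan Chain: A New Threat for {ML} Hardware},
  booktitle = {2021 {IEEE/ACM} International Conference on Computer Aided Design ({ICCAD})},
  year      = {2021},
  issn      = {1933-7760},
  doi       = {10.1109/ICCAD51958.2021.9643547},
  abstract  = {Stealing trained machine learning (ML) models is a new and growing concern due to the model's development cost. Existing work on ML model extraction either applies a mathematical attack or exploits hardware vulnerabilities such as side-channel leakage. This paper shows a new style of attack, for the first time, on ML models running on embedded devices by abusing the scan-chain infrastructure. We illustrate that having course-grained scan-chain access to non-linear layer outputs is sufficient to steal ML models. To that end, we propose a novel small-signal analysis inspired attack that applies small perturbations into the input signals, identifies the quiescent operating points and, selectively activates certain neurons. We then couple this with a Linear Constraint Satisfaction based approach to efficiently extract model parameters such as weights and biases. We conduct our attack on neural network inference topologies defined in earlier works, and we automate our attack. The results show that our attack outperforms mathematical model extraction proposed in CRYPTO 2020, USENIX 2020, and ICML 2020 by an increase in accuracy of $2^{20.7}\times, 2^{50.7}\times$, and $2^{33.9}\times$, respectively, and a reduction in queries by $2^{6.5}\times, 2^{4.6}\times$, and $2^{14.2}\times$, respectively.},
}

@inproceedings{haas_potluri_aysu_2021,
  author    = {Haas, Gregor and Potluri, Seetal and Aysu, Aydin},
  title     = {{iTimed}: Cache Attacks on the {Apple} {A10} {Fusion} {SoC}},
  booktitle = {2021 {IEEE} International Symposium on Hardware Oriented Security and Trust ({HOST})},
  year      = {2021},
  pages     = {80--90},
  doi       = {10.1109/HOST49136.2021.9702290},
  abstract  = {This paper proposes the first cache timing side-channel attack on one of Apple's mobile devices. Utilizing a recent, permanent exploit named checkm8, we reverse-engineered Apple's BootROM and created a powerful toolkit for running arbitrary hardware security experiments on Apple's in-house designed ARM systems-on-a-chip (SoC). Using this toolkit, we then implement an access-driven cache timing attack (in the style of PRIME+PROBE) as a proof-of-concept illustrator. The advanced hardware control enabled by our toolkit allowed us to reverse-engineer key microarchitectural details of the Apple A10 Fusion's memory hierarchy. We find that the SoC employs a randomized cache-line replacement policy as well as a hardware-based L1 prefetcher. We propose statistical innovations which specifically account for these hardware structures and thus further the state-of-the-art in cache timing attacks. We find that our access-driven attack, at best, can reduce the security of OpenSSL AES-128 by 50 more bits than a straightforward adaptation of PRIME+PROBE, while requiring only half as many side channel measurement traces.},
}

@inproceedings{regazzoni_bhasin_pour_alshaer_aydin_aysu_beroulle_dinatale_franzon_hely_etal_2020,
  author    = {Regazzoni, Francesco and Bhasin, Shivam and Pour, Amir Ali and Alshaer, Ihab and Aydin, Furkan and Aysu, Aydin and Beroulle, Vincent and Di Natale, Giorgio and Franzon, Paul and Hely, David and others},
  title     = {Machine Learning and Hardware Security: Challenges and Opportunities -- Invited Talk},
  booktitle = {2020 {IEEE/ACM} International Conference on Computer Aided Design ({ICCAD})},
  year      = {2020},
  issn      = {1933-7760},
  doi       = {10.1145/3400302.3416260},
  abstract  = {Machine learning techniques have significantly changed our lives. They helped improving our everyday routines, but they also demonstrated to be an extremely helpful tool for more advanced and complex applications. However, the implications of hardware security problems under a massive diffusion of machine learning techniques are still to be completely understood. This paper first highlights novel applications of machine learning for hardware security, such as evaluation of post quantum cryptography hardware and extraction of physically unclonable functions from neural networks. Later, practical model extraction attack based on electromagnetic side-channel measurements are demonstrated followed by a discussion of strategies to protect proprietary models by watermarking them.},
}

@article{chen_potluri_koushanfar_2020,
  author   = {Chen, Huili and Potluri, Seetal and Koushanfar, Farinaz},
  title    = {Security of Microfluidic Biochip: Practical Attacks and Countermeasures},
  journal  = todaes,
  volume   = {25},
  number   = {3},
  year     = {2020},
  month    = may,
  issn     = {1557-7309},
  doi      = {10.1145/3382127},
  abstract = {With the advancement of system miniaturization and automation, Lab-on-a-Chip (LoC) technology has revolutionized traditional experimental procedures. Microfluidic Biochip (MFB) is an emerging branch of LoC with wide medical applications such as DNA sequencing, drug delivery, and point of care diagnostics. Due to the critical usage of MFBs, their security is of great importance. In this article, we exploit the vulnerabilities of two types of MFBs: Flow-based Microfluidic Biochip (FMFB) and Digital Microfluidic Biochip (DMFB). We propose a systematic framework for applying Reverse Engineering (RE) attacks and Hardware Trojan (HT) attacks on MFBs as well as for practical countermeasures against the proposed attacks. We evaluate the attacks and defense on various benchmarks where experimental results prove the effectiveness of our methods. Security metrics are defined to quantify the vulnerability of MFBs. The overhead and performance of the proposed attacks as well as countermeasures are also discussed.},
}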