Health monitoring apps can help people manage chronic illnesses or stay on track with their fitness goals, using nothing more than a smartphone. However, these apps can be slow and power-inefficient because the large machine learning models that power them must be transferred between a smartphone and a central memory server.
Engineers often speed things up by using hardware that reduces the need to move as much data back and forth. Although these machine learning accelerators can streamline calculations, they are vulnerable to attackers who can steal secret information.
To reduce this vulnerability, researchers at MIT and the MIT-IBM Watson AI Lab created a machine learning accelerator that is resilient to the two most common types of attacks. Their chip can keep a user’s health records, financial information, or other sensitive data private while allowing massive AI models to run efficiently on devices.
The team has developed several optimizations that provide enhanced security while only slightly slowing down the device. Moreover, the added security has no impact on the accuracy of the calculations. This machine learning accelerator could be particularly beneficial for demanding AI applications like augmented and virtual reality or autonomous driving.
Although implementing the chip would make a device slightly more expensive and less energy efficient, it’s sometimes a worthwhile price to pay for security, says lead author Maitreyi Ashok, a graduate student in electrical and computer engineering (EECS) at MIT.
“It’s important to design with security in mind from the start. If you try to add even a modicum of security after a system has been designed, it is extremely expensive. We were able to effectively balance many of these trade-offs during the design phase,” says Ashok.
Her co-authors include EECS graduate student Saurav Maji; Xin Zhang and John Cohn of the MIT-IBM Watson AI Lab; and senior author Anantha Chandrakasan, MIT chief innovation and strategy officer, dean of the School of Engineering, and EECS Vannevar Bush Professor. The research will be presented at the IEEE Custom Integrated Circuits Conference.
Susceptibility to side channels
The researchers targeted a type of machine learning accelerator called digital in-memory computing (IMC). A digital IMC chip performs calculations inside a device’s memory, where pieces of a machine learning model are stored after being moved from a central server.
The entire model is too large to store on the device, but by breaking it into pieces and reusing those pieces as much as possible, IMC chips reduce the amount of data that needs to be moved back and forth.
But IMC chips can be susceptible to hackers. In a side-channel attack, a hacker monitors the chip’s power consumption and uses statistical techniques to reverse engineer the data while the chip is computing. In a bus probing attack, the hacker can steal pieces of the model and dataset by probing the communication between the accelerator and off-chip memory.
Digital IMC accelerates computation by performing millions of operations at a time, but this complexity makes it difficult to prevent attacks using traditional security measures, Ashok says.
She and her collaborators took a three-pronged approach to blocking side-channel and bus-probing attacks.
First, they used a security measure in which the IMC data is split into random pieces. For example, a zero bit can be split into three bits that still combine to zero after a logical operation. IMC never computes with all of the pieces in the same operation, so a side-channel attack that observes one operation can never reconstruct the actual value.
But for this technique to work, random bits must be added to split the data. Since digital IMC performs millions of operations at a time, generating that many random bits would involve too much computation. For their chip, the researchers found a way to simplify the calculations, making it easier to split data efficiently while eliminating the need for random bits.
Second, they prevented bus-probing attacks by using a lightweight cipher that encrypts the model stored in off-chip memory. This lightweight cipher requires only simple calculations. Additionally, they only decrypted the pieces of the model stored on the chip when necessary.
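The share-splitting idea described above, shown as an added illustration that is not the researchers’ chip logic: standard Boolean masking with three shares, where any single share (or any two) is uniformly random and says nothing about the secret, yet XOR of all three recovers it and linear operations can be carried out share-by-share. This version spends fresh random bits on every masking, which is exactly the cost the chip’s optimization avoids.

```python
import secrets


def split_shares(x: int, n_shares: int = 3, width: int = 8) -> list[int]:
    """Boolean-mask x into n_shares values whose XOR equals x.

    All but the last share are fresh uniform random bits; the last share
    absorbs x, so it is also uniform on its own.
    """
    mask = (1 << width) - 1
    shares = [secrets.randbits(width) for _ in range(n_shares - 1)]
    last = x & mask
    for s in shares:
        last ^= s
    shares.append(last)
    return shares


def recombine(shares: list[int]) -> int:
    """XOR every share together to recover the original value."""
    out = 0
    for s in shares:
        out ^= s
    return out


def masked_xor(a_shares: list[int], b_shares: list[int]) -> list[int]:
    """A linear operation (XOR) is applied share-by-share; no step ever
    touches both full operands, which is the property that starves a
    power side channel of a usable signal."""
    return [a ^ b for a, b in zip(a_shares, b_shares)]


def share_leakage(secret: int, share_index: int = 0,
                  trials: int = 2000, width: int = 8) -> float:
    """Mean Hamming weight of one share over many fresh maskings.

    For a uniformly random share this hovers around width / 2 no matter
    what the secret is, i.e. observing that share alone leaks nothing.
    """
    total = 0
    for _ in range(trials):
        share = split_shares(secret, 3, width)[share_index]
        total += bin(share).count("1")
    return total / trials


if __name__ == "__main__":
    shares = split_shares(0xA5)  # constructed sample value
    print(shares, hex(recombine(shares)))
    print(share_leakage(0x00), share_leakage(0xFF))
```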
Third, to improve security, they generated the key that decrypts the cipher directly on the chip, rather than moving it with the model. They generated this unique key from random variations in the chip introduced during manufacturing, using what’s called a physically unclonable function.
“Maybe one wire will be a little thicker than another. We can use these variations to extract zeros and ones from a circuit. For each chip, we can get a random key that should be consistent, because these random properties should not change significantly over time,” Ashok explains.
They reused the chip’s memory cells, exploiting imperfections in those cells to generate the key. This requires fewer computations than generating a key from scratch.
“As security has become a critical issue in the design of edge devices, there is a need to develop a complete system stack focused on secure operation. This work focuses on the security of machine learning workloads and describes a digital processor that uses cross-cutting optimization. It integrates encrypted data access between memory and processor, approaches to preventing side-channel attacks using randomization, and the exploitation of variability to generate unique codes. Such designs will be essential in future mobile devices,” says Chandrakasan.
Security testing
To test their chip, the researchers took on the role of hackers and attempted to steal secret information using side-channel and bus probing attacks.
Even after making millions of attempts, they could not reconstruct any real information or extract elements of the model or dataset. The cipher also remained unbroken. In contrast, it took only about 5,000 samples to steal information from an unprotected chip.
Adding security reduced the energy efficiency of the accelerator and also required a larger chip area, which would make it more expensive to manufacture.
The team plans to explore methods that could reduce the power consumption and size of their chip in the future, making it easier to implement on a large scale.
“As it becomes too expensive, it becomes harder to convince someone that security is essential. Future work could explore these trade-offs. Maybe we could make it a little less secure but easier to implement and less expensive,” says Ashok.
Written by Adam Zewe
Source: Massachusetts Institute of Technology
Originally published in The European Times.