
MIT and MIT-IBM Watson AI Lab researchers have invented a machine-learning chip resistant to the most common forms of cyberattacks. The technology caters to increasing demand for secure health-monitoring apps for individuals with chronic diseases or fitness goals, as well as for hardware-heavy uses such as autonomous vehicles and virtual reality. Health records and other sensitive data like financial information can be kept private without compromising the accuracy of computations or the speed of devices.

The chip is known as a digital In-Memory Compute (IMC) accelerator. Digital IMC accelerators execute calculations inside a device’s memory, where components of a machine-learning model, transferred from a central server, are stored. The model is too large to be stored on a device in its entirety, so breaking it into parts and reusing them as necessary reduces the need to transfer large volumes of data.

The main attacks against IMC chips are side-channel and bus-probing attacks. In a side-channel attack, hackers monitor the chip's energy consumption and use statistics to decrypt data. In a bus-probing attack, hackers snatch bits of the model and data set by monitoring communication between the accelerator and the off-chip memory. These attacks are challenging to thwart because of the complexity of the many simultaneous operations a digital IMC chip performs.

In response, the team introduced a three-fold security approach. Firstly, data in the IMC is broken into random pieces, which makes side-channel attacks less viable because the IMC never computes on all pieces of the information at once. Secondly, a lightweight cipher encrypts the model held in the off-chip memory, preventing bus-probing attacks. This cipher needs only simple computations, and model data on the chip is decrypted only as necessary. Lastly, a unique key decrypts the cipher directly on the chip, reducing the need to move it with the model.
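The first measure above, splitting data into random pieces, sketched as an added example that is not the researchers' design: Boolean masking with three XOR shares and an ISW-style masked AND gate, both assumptions chosen for illustration, since the article does not say how the chip splits or combines data. The leakage model (an observer who sees one share per run) is also constructed for this example.

```python
import secrets

def split(bit, n=3):
    """Split a secret bit into n random shares whose XOR equals the bit."""
    shares = [secrets.randbits(1) for _ in range(n - 1)]
    last = bit
    for s in shares:
        last ^= s
    return shares + [last]

def combine(shares):
    """Recombine shares; a masked design does this only at the very end."""
    out = 0
    for s in shares:
        out ^= s
    return out

def masked_and(a, b):
    """AND of two shared bits without ever recombining either operand.

    ISW-style gadget (assumed here, not taken from the chip): each cross
    product a[i]&b[j] is blinded with a fresh random bit before it is
    folded into an output share.
    """
    n = len(a)
    c = [a[i] & b[i] for i in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r = secrets.randbits(1)
            c[i] ^= r
            c[j] ^= (r ^ (a[i] & b[j])) ^ (a[j] & b[i])
    return c

def share_one_rate(bit, index, trials=20000):
    """Fraction of runs in which one observed share is 1.

    Models an observer who sees a single share per run (a simple
    first-order leakage model, constructed for this example).
    """
    return sum(split(bit)[index] for _ in range(trials)) / trials

if __name__ == "__main__":
    for x in (0, 1):
        for y in (0, 1):
            assert combine(masked_and(split(x), split(y))) == (x & y)
    # Any single share is ~50% ones whether the secret is 0 or 1.
    for idx in range(3):
        print(idx, share_one_rate(0, idx), share_one_rate(1, idx))
```

Each share on its own is uniformly random, so a measurement that depends on only one share carries no information about the secret bit; only the XOR of all three does.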

The key is created from random variations in the chip, like thickness between wires, present during manufacturing. These variations inform the generation of zeros and ones in a circuit, producing a random key that’s unique to each chip. These minimally changing properties ensure the key remains consistent over time.

The researchers ran an extensive series of tests to assess the chip’s defences against side-channel and bus-probing attacks by attempting to steal information from it. Their millions of attempts yielded no meaningful data, no model or data-set components, and nothing of the cipher. This is a stark contrast to the ease with which a mere 5000 samples could be stolen from an unsecured chip.

The additional security features reduce the chip’s energy efficiency and increase its size and potential fabrication costs. The team is exploring methods to make a more cost-effective and energy-efficient chip that can be implemented on a larger scale. Future exploration of possible trade-offs, such as making the chip slightly less secure in exchange for easier implementation and lower cost, is also on the cards.
