MIT and MIT-IBM Watson AI Lab researchers have developed a machine-learning accelerator with built-in defenses against the most common hardware attacks on such chips. The device, which could find use in demanding AI applications like VR/AR and autonomous vehicles, offers robust security at the cost of increased power consumption and a slightly higher price tag. Maintaining device performance and computational accuracy while adding these security measures was key to the researchers' success.
The team, led by MIT graduate student Maitreyi Ashok, aimed to overcome the vulnerabilities of digital in-memory compute (IMC) chips, which are widely used in machine-learning accelerators. These chips perform calculations inside the device's memory, where segments of the model are stored after being transferred from a central server. But they are susceptible to side-channel and bus-probing attacks: by monitoring the chip's power consumption or probing its communication lines, an attacker can recover data and reverse engineer the computation.
To counter these vulnerabilities, the researchers split the data held in the IMC into random pieces, so that no single operation exposes the complete value to an attacker. This approach normally requires adding random bits to the data, which is computationally expensive in a digital IMC that performs millions of operations at once. To address this, the researchers simplified the computations so that the extra random bits were no longer needed.
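The splitting described above is the classic additive masking countermeasure: a secret operand is replaced by random shares whose sum is the secret, and every share on its own is uniformly random. The example below is added here to illustrate that idea and is not code from the MIT team or their chip; the 16-bit modulus, the weight and activation values, and the share count are constructed for the demonstration. It also shows why masking suits a multiply-accumulate unit: because the dot product is linear, each share can be processed on its own and the results combined only at the end.

```python
"""Additive masking of in-memory-compute weights into random shares.

Added illustration (not the MIT chip's implementation). Fixed-point
width, sample weights and activations are constructed for the demo.
"""
import secrets

MOD = 1 << 16  # constructed 16-bit fixed-point arithmetic width


def split_shares(value: int, n_shares: int = 2) -> list[int]:
    """Split `value` into `n_shares` random shares that sum to it mod MOD.

    All shares but the last are drawn uniformly at random; the last is
    chosen to make the sum correct. Any subset of fewer than n_shares
    shares is therefore independent of `value` and leaks nothing.
    """
    if n_shares < 2:
        raise ValueError("masking needs at least two shares")
    shares = [secrets.randbelow(MOD) for _ in range(n_shares - 1)]
    shares.append((value - sum(shares)) % MOD)
    return shares


def recombine(shares: list[int]) -> int:
    """Reconstruct the masked value (done only where the result is needed)."""
    return sum(shares) % MOD


def plain_dot(weights: list[int], activations: list[int]) -> int:
    """Reference unmasked multiply-accumulate, for comparison."""
    return sum(w * x for w, x in zip(weights, activations)) % MOD


def masked_dot(weights: list[int], activations: list[int],
               n_shares: int = 2) -> int:
    """Multiply-accumulate computed share-by-share.

    Each weight is split into shares; the accumulator for share i only
    ever touches the i-th share of every weight, so no intermediate value
    is correlated with a real weight. Linearity of the dot product makes
    the sum of the per-share partial results equal to the true result.
    """
    if len(weights) != len(activations):
        raise ValueError("weight and activation vectors differ in length")
    weight_shares = [split_shares(w, n_shares) for w in weights]
    partials = []
    for i in range(n_shares):
        acc = 0
        for j, x in enumerate(activations):
            acc = (acc + weight_shares[j][i] * x) % MOD
        partials.append(acc)
    return recombine(partials)


def distinct_first_shares(value: int, trials: int = 256) -> int:
    """Count how many different first shares appear when the same value is
    masked repeatedly: a fresh mask each time is what makes averaging power
    traces across operations ineffective."""
    return len({split_shares(value)[0] for _ in range(trials)})


if __name__ == "__main__":
    weights = [3, 5, 7]          # constructed sample weights
    activations = [2, 4, 6]      # constructed sample activations
    print("plain :", plain_dot(weights, activations))
    print("masked:", masked_dot(weights, activations, n_shares=3))
    print("distinct first shares of 1234 over 256 runs:",
          distinct_first_shares(1234))
```

The `distinct_first_shares` check is a quick sanity test of the masking, not a side-channel evaluation: a real assessment would collect power traces and run a statistical leakage test against them, which the article says the team did with millions of attempts.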
To thwart bus-probing attacks, the team applied a lightweight cipher that encrypts the model stored in off-chip memory and decrypts it on-chip only when needed. The decryption key never leaves the chip: rather than being distributed with the model, it is derived from random physical variations introduced during manufacturing. Because the key is generated from the chip's own memory cells, it does not have to be computed from scratch, which keeps the computational overhead low.
To verify the chip’s real-world effectiveness, the team attempted side-channel and bus-probing attacks from a hacker’s perspective. Across millions of attempts, they could not extract any significant data or model components, or crack the cipher. By contrast, only about 5,000 samples were needed to steal data from an unprotected chip.
Reduced energy efficiency and larger device size were the trade-offs for added security, making the optimized chip more expensive to produce. Future plans involve exploring ways to minimize energy consumption and chip size, improving the machine-learning accelerators’ scalability.