Logic locking has been proposed to safeguard intellectual property (IP) during chip fabrication. Logic locking techniques protect hardware IP by making a subset of combinational modules in a design dependent on a secret key that is withheld from untrusted parties. If an incorrect secret key is used, a set of deterministic errors is produced in locked modules, restricting unauthorized use. A common target for logic locking is neural accelerators, especially as machine-learning-as-a-service becomes more prevalent. In this work, we explore how logic locking can be used to compromise the security of a neural accelerator it protects. Specifically, we show how the deterministic errors caused by incorrect keys can be harnessed to produce neural-trojan-style backdoors. To do so, we first outline a motivational attack scenario where a carefully chosen incorrect key, which we call a trojan key, produces misclassifications for an attacker-specified input class in a locked accelerator. We then develop a theoretically-robust attack methodology to automatically identify trojan keys. To evaluate this attack, we launch it on several locked accelerators. In our largest benchmark accelerator, our attack identified a trojan key that caused a 74% decrease in classification accuracy for attacker-specified trigger inputs, while degrading accuracy by only 1.7% for other inputs on average.