Upcoming certification actions related to the security of machine learning (ML) based systems raise major evaluation challenges, amplified by the large-scale deployment of models on many hardware platforms. Until recently, most research work focused on API-based attacks that treat an ML model as a pure algorithmic abstraction. However, new implementation-based threats have been revealed, emphasizing the urgency of proposing both practical and simulation-based methods to properly evaluate the robustness of models. A major concern is parameter-based attacks (such as the Bit-Flip Attack, BFA), which expose the lack of robustness of typical deep neural network models when confronted with accurate and optimally chosen alterations of their internal parameters as stored in memory. For security testing purposes, this work practically reports, for the first time, a successful variant of the BFA on a 32-bit Cortex-M microcontroller using laser fault injection. Laser fault injection is a standard fault injection technique for security evaluation that can inject spatially and temporally accurate faults. To avoid unrealistic brute-force strategies, we show how simulations help select the most sensitive set of bits among the parameters, taking the laser fault model into account.
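The following is an added worked example, not code from the paper, that illustrates the simulation step the abstract describes: choosing the most sensitive parameter bits under a hardware fault model rather than brute-forcing every bit on the bench. Everything in it is constructed for illustration: a two-class linear classifier with int8 weights stands in for one layer of a quantized network stored in microcontroller memory, the six labelled inputs are made up, and the fault model is assumed to be "bit-set" (a laser fault can force a stored 0 bit to 1), so only bits currently at 0 are feasible targets. Whether bit-set is the right model for a given device's Flash is a target-specific assumption, and the exhaustive per-step ranking used here is a simple stand-in for the paper's own simulation strategy.

```python
"""Simulated bit-flip attack (BFA) on int8 weights under a bit-set fault model.

Added, self-contained example (not the paper's code). Model, data and fault
model are constructed here for illustration; see the lead-in for assumptions.
"""
from typing import List, Tuple

Fault = Tuple[int, int, int]  # (row, col, bit) of a weight in the matrix

# Constructed int8 weights (rows = output classes, cols = input features).
WEIGHTS: List[List[int]] = [
    [30, -20, 5, 0],
    [-25, 28, -4, 3],
]

# Constructed labelled inputs: (int8 feature vector, class label).
DATASET: List[Tuple[List[int], int]] = [
    ([40, -10, 5, 2], 0),
    ([-15, 35, -3, 4], 1),
    ([20, 5, 10, -6], 0),
    ([-5, 25, 0, 10], 1),
    ([50, 30, -20, 0], 0),
    ([10, 45, 8, -8], 1),
]


def to_u8(w: int) -> int:
    """Two's-complement byte as the weight is stored in memory."""
    return w & 0xFF


def from_u8(u: int) -> int:
    """Stored byte back to a signed int8 value."""
    return (u ^ 0x80) - 0x80


def bit_set(w: int, bit: int) -> int:
    """Assumed laser fault: force bit `bit` (0 = LSB, 7 = sign) to 1."""
    return from_u8(to_u8(w) | (1 << bit))


def predict(weights: List[List[int]], x: List[int]) -> int:
    """Integer dot-product logits, argmax (lowest index wins ties)."""
    logits = [sum(w * xi for w, xi in zip(row, x)) for row in weights]
    return max(range(len(logits)), key=lambda i: (logits[i], -i))


def accuracy(weights: List[List[int]], dataset) -> float:
    correct = sum(predict(weights, x) == y for x, y in dataset)
    return correct / len(dataset)


def candidate_faults(weights: List[List[int]]) -> List[Fault]:
    """Bits a bit-set fault can actually change: those currently at 0."""
    faults: List[Fault] = []
    for r, row in enumerate(weights):
        for c, w in enumerate(row):
            for bit in range(8):
                if not (to_u8(w) >> bit) & 1:
                    faults.append((r, c, bit))
    return faults


def apply_fault(weights: List[List[int]], fault: Fault) -> List[List[int]]:
    r, c, bit = fault
    faulted = [row[:] for row in weights]
    faulted[r][c] = bit_set(faulted[r][c], bit)
    return faulted


def rank_faults(weights, dataset) -> List[Tuple[float, Fault]]:
    """Simulate every feasible single fault; rank by accuracy drop, then index."""
    base = accuracy(weights, dataset)
    ranked = [(base - accuracy(apply_fault(weights, f), dataset), f)
              for f in candidate_faults(weights)]
    ranked.sort(key=lambda t: (-t[0],) + t[1])
    return ranked


def progressive_bfa(weights, dataset, target_acc: float, budget: int):
    """Greedy progressive BFA: inject the single most damaging feasible fault,
    re-rank on the faulted model, repeat until accuracy <= target or budget is spent.
    Returns (injected faults in order, final accuracy)."""
    current = [row[:] for row in weights]
    injected: List[Fault] = []
    while accuracy(current, dataset) > target_acc and len(injected) < budget:
        ranked = rank_faults(current, dataset)
        if not ranked or ranked[0][0] <= 0:
            break  # no single bit-set still hurts; a real BFA would widen the search
        injected.append(ranked[0][1])
        current = apply_fault(current, ranked[0][1])
    return injected, accuracy(current, dataset)


if __name__ == "__main__":
    print("baseline accuracy:", accuracy(WEIGHTS, DATASET))
    for drop, f in rank_faults(WEIGHTS, DATASET)[:5]:
        print(f"row={f[0]} col={f[1]} bit={f[2]} accuracy drop={drop:.2f}")
    flips, acc = progressive_bfa(WEIGHTS, DATASET, target_acc=0.1, budget=5)
    print("injected faults:", flips, "final accuracy:", acc)
```

Two practical points the toy makes visible: restricting candidates to bits the fault model can actually change shrinks the search space before any bench time is spent, and the sign bits of the largest-magnitude weights dominate the ranking, so a handful of well-chosen faults, two here, suffices to destroy the classifier.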