With the large-scale integration and use of neural network models, especially in critical embedded systems, their security assessment to guarantee their reliability is becoming an urgent need. More particularly, models deployed in embedded platforms, such as 32-bit microcontrollers, are physically accessible by adversaries and therefore vulnerable to hardware disturbances. We present the first set of experiments on the use of two fault injection means, electromagnetic and laser injections, applied to neural network models embedded on a Cortex M4 32-bit microcontroller platform. Contrary to most state-of-the-art works dedicated to the alteration of the internal parameters or input values, our goal is to simulate and experimentally demonstrate the impact of a specific fault model: instruction skip. For that purpose, we assessed several modification attacks on the control flow of a neural network inference. We reveal integrity threats by targeting several steps in the inference program of typical convolutional neural network models, which may be exploited by an attacker to alter the predictions of the target models with different adversarial goals.