Over the last decade, applications of neural networks (NNs) have spread to various aspects of our lives. A large number of companies base their businesses on building products that use neural networks for tasks such as face recognition, machine translation, and self-driving cars. Much of the intellectual property underpinning these products is encoded in the exact parameters of the neural networks. Consequently, protecting these parameters is of utmost priority to businesses. At the same time, many of these products need to operate under a strong threat model, in which the adversary has unfettered physical control of the product. In this work, we present BarraCUDA, a novel attack on general-purpose Graphics Processing Units (GPUs) that can extract parameters of neural networks running on the popular Nvidia Jetson Nano device. BarraCUDA uses correlation electromagnetic analysis to recover parameters of real-world convolutional neural networks.