Logic locking has been proposed to safeguard intellectual property (IP) during chip fabrication. Logic locking techniques protect hardware IP by making a subset of combinational modules in a design dependent on a secret key that is withheld from untrusted parties. If an incorrect secret key is used, a set of deterministic errors is produced in locked modules, restricting unauthorized use. A common target for logic locking is neural accelerators, especially as machine-learning-as-a-service becomes more prevalent. In this work, we explore how logic locking can be used to compromise the security of a neural accelerator it protects. Specifically, we show how the deterministic errors caused by incorrect keys can be harnessed to produce neural-trojan-style backdoors. To do so, we first outline a motivational attack scenario where a carefully chosen incorrect key, which we call a trojan key, produces misclassifications for an attacker-specified input class in a locked accelerator. We then develop a theoretically-robust attack methodology to automatically identify trojan keys. To evaluate this attack, we launch it on several locked accelerators. In our largest benchmark accelerator, our attack identified a trojan key that caused a 74\% decrease in classification accuracy for attacker-specified trigger inputs, while degrading accuracy by only 1.7\% for other inputs on average.

翻译：逻辑锁定被提出用于在芯片制造过程中保护知识产权（IP）。逻辑锁定技术通过使设计中的部分组合模块依赖于一个对不可信方保密的密钥，从而保护硬件IP。若使用错误的密钥，锁定模块会产生一组确定性错误，从而限制未授权使用。神经加速器是逻辑锁定的常见目标，尤其是在机器学习即服务日益普及的背景下。本文探索了逻辑锁定如何被用于破坏其所保护的神经加速器的安全性。具体而言，我们展示了如何利用错误密钥引起的确定性错误来产生神经木马式后门。为此，我们首先概述了一种动机性攻击场景：精心选择的错误密钥（称为木马密钥）会在锁定的加速器中为攻击者指定的输入类别产生错误分类。随后，我们开发了一种理论上稳健的攻击方法，用于自动识别木马密钥。为评估该攻击，我们在多个锁定加速器上进行了实验。在最大的基准加速器中，我们的攻击识别出的木马密钥导致攻击者指定的触发输入的分类准确率下降74%，而其他输入的平均准确率仅下降1.7%。