Over the last decade, applications of neural networks (NNs) have spread to various aspects of our lives. A large number of companies base their businesses on building products that use neural networks for tasks such as face recognition, machine translation, and self-driving cars. Much of the intellectual property underpinning these products is encoded in the exact parameters of the neural networks. Consequently, protecting these parameters is of utmost priority to businesses. At the same time, many of these products need to operate under a strong threat model, in which the adversary has unfettered physical control of the product. In this work, we present BarraCUDA, a novel attack on general-purpose Graphics Processing Units (GPUs) that can extract parameters of neural networks running on the popular Nvidia Jetson Nano device. BarraCUDA uses correlation electromagnetic analysis to recover parameters of real-world convolutional neural networks.