Over the last decade, applications of neural networks have spread to cover all aspects of life. A large number of companies base their businesses on building products that use neural networks for tasks such as face recognition, machine translation, and autonomous cars. They are being used in safety- and security-critical applications like high-definition maps and medical wristbands, and in globally used products like Google Translate and ChatGPT. Much of the intellectual property underpinning these products is encoded in the exact configuration of the neural networks. Consequently, protecting that configuration is of utmost priority to businesses. At the same time, many of these products need to operate under a strong threat model, in which the adversary has unfettered physical control of the product. Past work has demonstrated that with physical access, attackers can reverse engineer neural networks that run on scalar microcontrollers, like the ARM Cortex-M3. However, for performance reasons, neural networks are often implemented on highly parallel general-purpose graphics processing units (GPGPUs), and so far, attacks on these have only recovered coarse-grained information on the structure of the neural network, but failed to retrieve the weights and biases. In this work, we present BarraCUDA, a novel attack on GPGPUs that can completely extract the parameters of neural networks. BarraCUDA uses correlation electromagnetic analysis to recover the weights and biases in the convolutional layers of neural networks. We use BarraCUDA to attack the popular NVIDIA Jetson Nano device, demonstrating successful parameter extraction of neural networks in a highly parallel and noisy environment.