Deep neural networks (DNNs), which support services such as driving assistants and medical diagnoses, undergo lengthy and expensive training procedures. Therefore, the training's outcome - the DNN weights - represents a significant intellectual property asset to protect. Side-channel analysis (SCA) has recently appeared as an effective approach to recover this confidential asset from DNN implementations. In response, researchers have proposed to defend DNN implementations through classic side-channel countermeasures, at the cost of higher energy consumption, inference time, and resource utilisation. Following a different approach, Ding et al. (HOST'25) introduced MACPRUNING, a novel SCA countermeasure based on pruning, a performance-oriented Approximate Computing technique: at inference time, the implementation randomly prunes (or skips) non-important weights (i.e., with low contribution to the DNN's accuracy) of the first layer, exponentially increasing the side-channel resilience of the protected DNN implementation. However, the original security analysis of MACPRUNING did not consider a control-flow dependency intrinsic to the countermeasure design. This dependency may allow an attacker to circumvent MACPRUNING and recover the weights important to the DNN's accuracy. This paper describes a preprocessing methodology to exploit the above-mentioned control-flow dependency. Through practical experiments on a ChipWhisperer-Lite running a MACPRUNING-protected Multi-Layer Perceptron, we target the first 8 weights of each neuron and recover 96% of the important weights, demonstrating the drastic reduction in security of the protected implementation. Moreover, we show how microarchitectural leakage improves the effectiveness of our methodology, even allowing for the recovery of up to 100% of the targeted non-important weights. Lastly, by adapting our methodology [continue in pdf].