The growing use of third-party hardware accelerators (e.g., FPGAs, ASICs) for deep neural networks (DNNs) introduces new security vulnerabilities. Conventional model-level backdoor attacks, which poison only a model's weights so that inputs carrying a specific trigger are misclassified, are often detectable because the entire attack logic is embedded within the model (i.e., the software), creating a traceable layer-by-layer activation path. This paper introduces the HArdware-Model Logically Combined Attack (HAMLOCK), a far stealthier threat that distributes the attack logic across the hardware-software boundary. The model (software) is altered only minimally: the activations of a few neurons are tuned to take uniquely high values when the trigger is present. A malicious hardware Trojan detects those unique activations by monitoring the corresponding neurons' most significant bit or 8-bit exponent, and it triggers a second hardware Trojan that directly manipulates the final output logits to force the misclassification. This decoupled design is highly stealthy: the model contains no complete backdoor activation path of the kind found in conventional attacks and therefore appears fully benign. Empirically, across benchmarks including MNIST, CIFAR10, GTSRB and ImageNet, HAMLOCK achieves a near-perfect attack success rate with a negligible drop in clean accuracy. More importantly, HAMLOCK circumvents state-of-the-art model-level defenses without any adaptive optimization. The hardware Trojan likewise evades detection: its area and power overheads are as low as 0.01%, which is easily masked by process and environmental noise. Our findings expose a critical vulnerability at the hardware-software interface and call for new cross-layer defenses against this emerging threat.
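As an added illustration (this is not code from the HAMLOCK paper or its authors), the following Python simulates the split attack logic on a single inference: a few "tuned" neurons spike when the trigger is present, a first Trojan watches only the 8-bit float32 exponent field (or, for a fixed-point datapath, the word's most significant bit) of those neurons, and a second Trojan lifts the target logit. The watched neuron indices, the exponent threshold, the AND over the watched neurons, and all activations and logits are constructed assumptions for the demo. The last case shows the model-level point: with the hardware Trojan absent, the same triggered input is classified honestly, so nothing in the model alone completes the backdoor.

```python
"""Simulation of a HAMLOCK-style hardware/model split backdoor.

Added illustration only; not the paper's implementation. Every constant
below (watched neurons, threshold, sample activations, logits, target) is
constructed for the demo.
"""
import struct

IEEE754_EXP_BIAS = 127
# Assumption: indices of the few neurons whose activations were tuned.
WATCHED_NEURONS = (3, 17)
# Assumption: trip when |activation| >= 2**8, i.e. biased exponent >= 135.
EXPONENT_THRESHOLD = IEEE754_EXP_BIAS + 8


def float32_exponent(x: float) -> int:
    """Return the 8-bit biased exponent field of x encoded as IEEE-754 float32."""
    try:
        bits = struct.unpack(">I", struct.pack(">f", x))[0]
    except OverflowError:          # beyond float32 range: hardware would see Inf
        return 0xFF
    return (bits >> 23) & 0xFF


def exponent_trip(activation: float) -> bool:
    """Detector for a floating-point datapath: compare only the exponent field."""
    return float32_exponent(activation) >= EXPONENT_THRESHOLD


def fixed_point_msb_trip(activation: float, int_bits: int = 8, frac_bits: int = 8) -> bool:
    """Detector for a fixed-point datapath (unsigned Q8.8 assumed): trip when the
    MSB of the saturated 16-bit word is set, i.e. activation >= 2**(int_bits-1)."""
    width = int_bits + frac_bits
    word = int(round(activation * (1 << frac_bits)))
    word = max(0, min(word, (1 << width) - 1))      # saturate like an accelerator
    return (word >> (width - 1)) & 1 == 1


def monitor_trojan(layer_activations, detector=exponent_trip) -> bool:
    """Trojan 1: taps the watched neurons; fires only if all of them trip
    (the AND is an assumption of this demo, not the paper's design)."""
    return all(detector(layer_activations[i]) for i in WATCHED_NEURONS)


def logit_trojan(logits, target: int):
    """Trojan 2: overwrite the output so the target logit exceeds the current max."""
    out = list(logits)
    out[target] = max(logits) + 1.0
    return out


def infer(layer_activations, logits, target: int, hardware_trojan: bool = True) -> int:
    """Predicted class. The model's own logits are used unchanged unless the
    hardware Trojan is present and its monitor fires."""
    if hardware_trojan and monitor_trojan(layer_activations):
        logits = logit_trojan(logits, target)
    return max(range(len(logits)), key=logits.__getitem__)


# Constructed penultimate-layer activations (20 neurons) and 10-class logits.
CLEAN_ACTS = [0.4] * 20
CLEAN_ACTS[3], CLEAN_ACTS[17] = 1.7, 2.2                 # ordinary magnitudes
TRIGGERED_ACTS = list(CLEAN_ACTS)
TRIGGERED_ACTS[3], TRIGGERED_ACTS[17] = 310.0, 640.0     # tuned spikes
LOGITS = [0.1, 0.3, 5.2, 0.2, 0.0, 0.4, 0.1, 0.9, 0.2, 0.3]   # honest argmax: 2
TARGET = 7

if __name__ == "__main__":
    print("clean, Trojan present     ->", infer(CLEAN_ACTS, LOGITS, TARGET))
    print("triggered, Trojan present ->", infer(TRIGGERED_ACTS, LOGITS, TARGET))
    print("triggered, Trojan absent  ->", infer(TRIGGERED_ACTS, LOGITS, TARGET, False))
```

The monitor never reads full activation values, only one bit or the 8-bit exponent of two neurons, which is why the added logic can be tiny relative to the accelerator; and a defender inspecting the model sees the spike but no weight path that turns it into the target class.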