Bachelor's Theses
Enhancing a masked AI Accelerator
SCA, Machine Learning, VHDL, Masking
Description
Artificial Intelligence (AI) is experiencing growing popularity in edge devices. The increasing use of AI on edge devices raises the relevance of securing the Intellectual Property (IP) stored within the algorithm. Because an attacker can gain physical access to the device, hardware attacks such as Side-Channel Analysis (SCA) must be considered [1]. SCA uses physical quantities such as the power consumption to extract valuable information about the AI algorithm.
A common technique to counter SCA is masking [2], which introduces random numbers to make intermediate results and the power consumption independent of secret values.
In this work, an existing FPGA implementation of a neural network accelerator should be extended to execute different types of neural networks.
Start: Anytime
References
[1] Lejla Batina, Shivam Bhasin, Dirmanto Jap, and Stjepan Picek. 2019. CSI NN: reverse engineering of neural network architectures through electromagnetic side channel. In Proceedings of the 28th USENIX Conference on Security Symposium (SEC'19). USENIX Association, USA, 515–532.
[2] Athanasiou, Konstantinos & Wahl, Thomas & Ding, A. & Fei, Yunsi. (2022). Masking Feedforward Neural Networks Against Power Analysis Attacks. Proceedings on Privacy Enhancing Technologies. 2022. 501-521. 10.2478/popets-2022-0025.
Prerequisites
- VHDL
- Python
Contact
manuel.brosch@tum.de
Supervisor:
Master's Theses
SCA of AI Hardware Accelerator
SCA, Neural Networks, Hardware, FPGA
Description
Neural networks have become unavoidable in everyday life. Speech and face recognition as well as driverless cars are just some examples where Artificial Neural Networks (ANNs) are used. Training a deep ANN is very time-consuming and computationally expensive. Thus, the intellectual property stored in an ANN is an asset worth protecting. Additionally, implementations on edge devices need to be power-efficient while maintaining a high throughput. The frameworks in [1] and [2] are examples that aim to fulfill these requirements.
A side-channel attack can be used to extract the network parameters such as the number or type of layers, as well as weights and bias values. In [3, 4] side-channel attacks on different implementations of ANNs are performed.
In this work, a side-channel attack on autogenerated implementations of different ANNs should be performed. This includes a detailed analysis of the side-channel properties of the different implementations.
Start of Thesis: Anytime
References:
[1] M. Blott, T. B. Preußer, N. J. Fraser, G. Gambardella, K. O’Brien, Y. Umuroglu, M. Leeser, and K. Vissers, “FINN-R: An end-to-end deep-learning framework for fast exploration of quantized neural networks,” ACM Transactions on Reconfigurable Technology and Systems (TRETS), vol. 11, no. 3, pp. 1–23, 2018.
[2] Y. Umuroglu and M. Jahre, “Streamlined deployment for quantized neural networks,” arXiv preprint arXiv:1709.04060, 2017.
[3] L. Batina, S. Bhasin, D. Jap, and S. Picek, “CSI NN: Reverse engineering of neural network architectures through electromagnetic side channel,” in 28th USENIX Security Symposium (USENIX Security 19), pp. 515–532, 2019.
[4] A. Dubey, R. Cammarota, and A. Aysu, “BoMaNet: Boolean masking of an entire neural network,” arXiv preprint arXiv:2006.09532, 2020.
Prerequisites
- VHDL/Verilog Knowledge
- Sichere Implementierung Kryptographischer Verfahren (SIKA)
- Python Skills
Contact
manuel.brosch@tum.de or matthias.probst@tum.de
Supervisor:
Research Internships (Forschungspraxis)
Enhancing a masked AI Accelerator
SCA, Machine Learning, VHDL, Masking
Description
Artificial Intelligence (AI) is experiencing growing popularity in edge devices. The increasing use of AI on edge devices raises the relevance of securing the Intellectual Property (IP) stored within the algorithm. Because an attacker can gain physical access to the device, hardware attacks such as Side-Channel Analysis (SCA) must be considered [1]. SCA uses physical quantities such as the power consumption to extract valuable information about the AI algorithm.
A common technique to counter SCA is masking [2], which introduces random numbers to make intermediate results and the power consumption independent of secret values.
In this work, an existing FPGA implementation of a neural network accelerator should be extended to execute different types of neural networks.
Start: Anytime
References
[1] Lejla Batina, Shivam Bhasin, Dirmanto Jap, and Stjepan Picek. 2019. CSI NN: reverse engineering of neural network architectures through electromagnetic side channel. In Proceedings of the 28th USENIX Conference on Security Symposium (SEC'19). USENIX Association, USA, 515–532.
[2] Athanasiou, Konstantinos & Wahl, Thomas & Ding, A. & Fei, Yunsi. (2022). Masking Feedforward Neural Networks Against Power Analysis Attacks. Proceedings on Privacy Enhancing Technologies. 2022. 501-521. 10.2478/popets-2022-0025.
Prerequisites
- VHDL
- Python
Contact
manuel.brosch@tum.de
Supervisor:
Parameter Optimization for On-Chip Voltage Sensor
Description
In a multi-tenant FPGA scenario, multiple users each have their own partially reconfigurable region on a single FPGA. Each of these regions allows a single user to implement her/his design without being able to directly interact with the design of another user on the same FPGA. So-called Time-to-Digital Converters (TDCs) can be used to perform remote side-channel attacks in such multi-tenant FPGAs to extract secrets from other users.
The TDC is used as a remote power measurement unit of the FPGA. The working principle is to use a long path in which timing violations are caused. Since the delay of transistors is proportional to the supply voltage, the number of timing violations is a measure of the device's power consumption.
Different publications have already shown that cryptographic implementations [1, 2] and neural networks [3] can be attacked with such sensors.
In this work, design parameters of the TDC should be explored, in order to evaluate the influence on measurements of the on-device power consumption.
[1] F. Schellenberg, D. R. E. Gnad, A. Moradi, and M. B. Tahoori, “An inside job: Remote power analysis attacks on FPGAs,” in Design, Automation and Test in Europe Conference & Exhibition (DATE), 2018, pp. 1111–1116.
[2] O. Glamočanin, L. Coulon, F. Regazzoni, and M. Stojilović, “Are cloud FPGAs really vulnerable to power analysis attacks?” in 2020 Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 2020, pp. 1007–1010.
[3] V. Meyers, D. Gnad and M. Tahoori, "Reverse Engineering Neural Network Folding with Remote FPGA Power Analysis," 2022 IEEE 30th Annual International Symposium on Field-Programmable Custom Computing Machines (FCCM), 2022, pp. 1-10, doi: 10.1109/FCCM53951.2022.9786107.
Prerequisites
VHDL/Verilog knowledge, Python skills
Contact
manuel.brosch@tum.de
matthias.probst@tum.de
Supervisor:
SCA of AI Hardware Accelerator
SCA, Neural Networks, Hardware, FPGA
Description
Neural networks have become unavoidable in everyday life. Speech and face recognition as well as driverless cars are just some examples where Artificial Neural Networks (ANNs) are used. Training a deep ANN is very time-consuming and computationally expensive. Thus, the intellectual property stored in an ANN is an asset worth protecting. Additionally, implementations on edge devices need to be power-efficient while maintaining a high throughput. The frameworks in [1] and [2] are examples that aim to fulfill these requirements.
A side-channel attack can be used to extract the network parameters such as the number or type of layers, as well as weights and bias values. In [3, 4] side-channel attacks on different implementations of ANNs are performed.
In this work, a side-channel attack on autogenerated implementations of different ANNs should be performed. This includes a detailed analysis of the side-channel properties of the different implementations.
Start of Thesis: Anytime
References:
[1] M. Blott, T. B. Preußer, N. J. Fraser, G. Gambardella, K. O’Brien, Y. Umuroglu, M. Leeser, and K. Vissers, “FINN-R: An end-to-end deep-learning framework for fast exploration of quantized neural networks,” ACM Transactions on Reconfigurable Technology and Systems (TRETS), vol. 11, no. 3, pp. 1–23, 2018.
[2] Y. Umuroglu and M. Jahre, “Streamlined deployment for quantized neural networks,” arXiv preprint arXiv:1709.04060, 2017.
[3] L. Batina, S. Bhasin, D. Jap, and S. Picek, “CSI NN: Reverse engineering of neural network architectures through electromagnetic side channel,” in 28th USENIX Security Symposium (USENIX Security 19), pp. 515–532, 2019.
[4] A. Dubey, R. Cammarota, and A. Aysu, “BoMaNet: Boolean masking of an entire neural network,” arXiv preprint arXiv:2006.09532, 2020.
Prerequisites
- VHDL/Verilog Knowledge
- Sichere Implementierung Kryptographischer Verfahren (SIKA)
- Python Skills
Contact
manuel.brosch@tum.de or matthias.probst@tum.de