You Only Get One-Shot: Eavesdropping Input Images to Neural Network by Spying SoC-FPGA Internal Bus

Deep learning is currently integrated into edge devices with strong energy consumption and real-time constraints. To fulfill such requirements, high hardware performances can be provided by hardware acceleration of heterogeneous integrated circuits (IC) such as System-on-Chip (SoC)-field programmable gate arrays (FPGAs). With the rising popularity of hardware accelerators for artificial intelligence (AI), more and more neural networks are employed in a variety of domains, involving computer vision applications. Autonomous driving, defence and medical domains are well-known examples from which the latter two in particular require processing sensitive and private data. Security issues of such systems should be addressed to prevent the breach of privacy and unauthorised exploitation of systems. In this paper, we demonstrate a confidentiality vulnerability in a SoC-based FPGA binarized neural network (BNN) accelerator implemented with a recent mainstream framework, FINN, and successfully extract the secret BNN input image by using an electromagnetic (EM) side-channel attack. Experiments demonstrate that with the help of a near-field magnetic probe, an attacker can, with only one inference, directly retrieve sensitive information from EM emanations produced by the internal bus of the SoC-FPGA. Our attack reconstructs SoC-FPGA internal images and recognizes a handwritten digit image with an average accuracy of 89% using a non-retrained MNIST classifier. Such vulnerability jeopardizes the confidentiality of SoC-FPGA embedded AI systems by exploiting side-channels that withstand the protection of chip I/Os through cryptographic methods.