DOI: 10.1145/3656019.3676952
research-article
Open access

FriendlyFoe: Adversarial Machine Learning as a Practical Architectural Defense against Side Channel Attacks

Published: 13 October 2024 Publication History

Abstract

Machine learning (ML)-based side channel attacks have become prominent threats to computer security. These attacks are often powerful, as ML models easily find patterns in signals. To address this problem, this paper proposes dynamically applying Adversarial Machine Learning (AML) to obfuscate side channels. The rationale is that prior work has shown that intelligently injecting an adversarial perturbation can confuse ML classifiers. We call this approach FriendlyFoe, and the neural network we introduce to perturb signals the FriendlyFoe Defender.
FriendlyFoe is a practical, effective, and general architectural technique to obfuscate signals. We show a workflow to design Defenders with low overhead and information leakage, and to customize them for different environments. Defenders are transferable, i.e., they thwart attacker classifiers that are different from those used to train the Defenders. They also resist adaptive attacks, where attackers train using the obfuscated signals collected while the Defender is active. Finally, the approach is general enough to be applicable to different environments. We demonstrate FriendlyFoe against two side channel attacks: one based on memory contention and one on system power. The first example uses a hardware Defender with ns-level response time that, for the same level of security as a Pad-to-Constant scheme, has 27% and 64% lower performance overhead for single- and multi-threaded workloads, respectively. The second example uses a software Defender with ms-level response time that reduces leakage by 3.7× over a state-of-the-art scheme while reducing the energy overhead by 22.5%.
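The security/overhead trade-off the abstract describes, as an added toy example that is not the paper's code: a logistic-regression attacker on constructed memory-contention traces, a Pad-to-Constant baseline, and a budgeted FGSM-style additive perturbation standing in for the paper's learned Defender network (whose architecture and training the abstract does not give). The trace shape, noise level, attacker model and perturbation budget are all assumptions made here.

```python
import math
import random

N, DIM, BUMP = 200, 8, 5.0  # constructed toy data: 200 traces of 8 samples, one contention bump each

def make_traces(seed):
    # Constructed "memory contention" traces: secret bit 0 bumps sample 3, secret bit 1 bumps sample 7.
    rng, ys = random.Random(seed), [i % 2 for i in range(N)]
    xs = [[1.0 + rng.uniform(-0.3, 0.3) for _ in range(DIM)] for _ in ys]
    for x, y in zip(xs, ys):
        x[3 if y == 0 else 7] += BUMP
    return xs, ys
def predict(model, x):  # attacker's logistic-regression estimate that the secret bit is 1
    w, b = model
    return 1.0 / (1.0 + math.exp(-(sum(wi * xi for wi, xi in zip(w, x)) + b)))
def train_attacker(xs, ys, epochs=200, lr=0.05):
    # Batch gradient descent on cross-entropy loss; a stand-in for the paper's ML attack classifiers.
    w, b = [0.0] * DIM, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * DIM, 0.0
        for x, y in zip(xs, ys):
            d = predict((w, b), x) - y  # dLoss/dlogit
            gw, gb = [g + d * xi for g, xi in zip(gw, x)], gb + d
        w, b = [wi - lr * g / len(xs) for wi, g in zip(w, gw)], b - lr * gb / len(xs)
    return w, b
def accuracy(model, xs, ys):
    return sum((predict(model, x) > 0.5) == (y == 1) for x, y in zip(xs, ys)) / len(xs)
def pad_to_constant(xs):
    # Baseline defense: raise every sample to the data-set maximum so every trace looks identical.
    cap = max(max(x) for x in xs)
    return [[cap] * DIM for _ in xs]
def adversarial_obfuscate(attacker, xs, ys, eps=BUMP):
    # FGSM-style (fast gradient sign) additive perturbation: inject eps of dummy activity at the one sample
    # where the attacker's loss gradient d * w[k] is largest. The defender knows its own secret y and only adds.
    w, out = attacker[0], []
    for x, y in zip(xs, ys):
        d = predict(attacker, x) - y
        j = max(range(DIM), key=lambda k: d * w[k])
        out.append([xi + (eps if k == j else 0.0) for k, xi in enumerate(x)])
    return out
def overhead(orig, obf):  # mean dummy activity injected per trace: the cost the defense pays
    return sum(o - x for ox, xx in zip(obf, orig) for o, x in zip(ox, xx)) / len(orig)
def evaluate():
    (xs, ys), (ts, tys) = make_traces(1), make_traces(2)  # attacker's training traces, held-out traces
    attacker = train_attacker(xs, ys)
    padded, obf = pad_to_constant(ts), adversarial_obfuscate(attacker, ts, tys)
    adaptive = train_attacker(adversarial_obfuscate(attacker, xs, ys), ys)  # retrained on obfuscated traces
    return {"clean_acc": accuracy(attacker, ts, tys), "pad_acc": accuracy(attacker, padded, tys),
            "adv_acc": accuracy(attacker, obf, tys), "adaptive_acc": accuracy(adaptive, obf, tys),
            "pad_overhead": overhead(ts, padded), "adv_overhead": overhead(ts, obf)}
```

Both defenses push the attacker to chance, but the adversarial one injects a single bump per trace while padding raises every sample; the adaptive attacker, retrained on obfuscated traces, also stays at chance because the perturbed traces of both secrets are identically distributed.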


    Published In

    cover image ACM Conferences
    PACT '24: Proceedings of the 2024 International Conference on Parallel Architectures and Compilation Techniques
    October 2024
    375 pages
    ISBN:9798400706318
    DOI:10.1145/3656019
    This work is licensed under a Creative Commons Attribution International 4.0 License.

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. Hardware security
    2. Machine learning
    3. Side-channel analysis

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Funding Sources

    • NSF
    • ACE
    • Intel

    Conference

    PACT '24

    Acceptance Rates

    Overall Acceptance Rate 121 of 471 submissions, 26%
