Preserving Privacy of Neuromorphic Hardware From PCIe Congestion Side-Channel Attack.

COMPSAC(2023)

Abstract
Neuromorphic systems are equipped with a software-managed scratchpad to cache intermediate results and synaptic weights of a machine learning model. PCIe (Peripheral Component Interconnect Express) is the de facto protocol to interface between the scratchpad and main memory. Congestion happens when PCIe traffic overwhelms the PCIe link capacity. This introduces transmission delay, which not only impacts model performance but also leaks sensitive information about a user (the victim). In this paper, we show that inefficient data placement in the scratchpad using state-of-the-art compilers may trigger significant data movement over PCIe. An attacker can measure the PCIe congestion to indirectly infer the victim's model. Therefore, the delay from PCIe congestion can be exploited as a side-channel. We propose a compiler extension to intelligently manage the scratchpad in order to improve model privacy. First, we formulate a design metric to assess the vulnerability of a model to a PCIe congestion side-channel attack. Next, we propose an optimization strategy integrated within the compiler to identify contents that should be retained inside the scratchpad to minimize this design metric. Finally, we propose a Hill Climbing heuristic to allocate model operations to neuromorphic tiles and improve privacy by efficiently utilizing their on-chip scratchpad capacity. We evaluate our privacy-preserving model execution (PrivacyX) to mitigate the PCIe congestion side-channel attack using one attack scenario and 16 image, object, and language-based machine learning models. We show that PrivacyX significantly reduces the vulnerability of a model to a PCIe congestion side-channel attack compared to baseline compilers. We also show that PrivacyX, which is managed entirely in software, is complementary to several hardware-based privacy-preserving solutions.
Keywords
Neuromorphic Computing, Scratchpad, Side-Channel Attack, PCIe, Spiking Neural Network (SNN)