Omid Aramoon

Physical phenomenons observed during the execution of algorithms on microelectronic devices are an inevitable side effect of their physical implementation. If such physical phenomena, known as side-channels, correlate with the sensitive data processed on the device, they may leak confidential information about the system's internal state and possibly compromise its security. For instance, the amount of time and energy needed for a device to execute certain computations may leak critical information about the operations taking place inside the device. The term Side-Channel Attack (SCA) describes the class of attacks in which the unintended information leaking from the implementation of algorithms is leveraged to extract confidential information. Historically, cryptographic systems have been the primary target of side-channel attacks, and a large number of studies have proposed a variety of techniques to break both symmetric and asymmetric encryption algorithms. However, recently, ML models, especially DNNs, have been shown to be vulnerable to side-channel attacks. In fact, several studies have proposed techniques to reverse-engineer certain properties of neural networks such as their architecture or parameters using the information obtained from physical and micro-architectural side-channel emitted during model execution. The security community often considers side channels as a negative side effect that could significantly weaken the security of algorithms implemented on microelectronic devices. In an alternative perspective, we’d like to view side channels as part of the design space that can provide constructive functionalities. I am currently investigating applications of power side channel analysis in detecting training and test time adversarial attacks against FPGA implementations of deep learning systems .

Due to its distributed methodology alongside its privacy-preserving features, Federated Learning (FL) is vulnerable to training time adversarial attacks. In this study, our focus is on backdoor attacks in which the adversary's goal is to cause targeted misclassifications for inputs embedded with an adversarial trigger while maintaining an acceptable performance on the main learning task at hand. Contemporary defenses against backdoor attacks in federated learning require direct access to each individual client's update which is not feasible in recent FL settings where Secure Aggregation is deployed. In this study, we seek to answer the following question, Is it possible to defend against backdoor attacks when secure aggregation is in place?, a question that has not been addressed by prior arts. To this end, we propose Meta Federated Learning (Meta-FL), a novel variant of federated learning which not only is compatible with secure aggregation protocol but also facilitates defense against backdoor attacks. We perform a systematic evaluation of Meta-FL on two classification datasets: SVHN and GTSRB. The results show that Meta-FL not only achieves better utility than classic FL, but also enhances the performance of contemporary defenses in terms of robustness against adversarial attacks.

Check my paper and presentation:

Due to their crucial role in many decision-making tasks, Deep Neural Networks (DNNs) are common targets for a large array of integrity breaches. In this paper, we propose AID, a novel methodology to Attest the Integrity of DNNs. AID generates a set of test cases called edge-points that can reveal whether a model has been compromised. AID does not require access to parameters of the DNN and can work with a restricted black-box access to the model, which makes it applicable to most real life scenarios. Experimental results show that AID is highly effective and reliable.

Check my paper:

Deep Neural Networks (DNNs) have been widely deployed in real-world systems, many of which have strict safety constraints. Soft errors on memory acceleration platforms for DNNs can degrade their inference accuracy and result in silent data corruption, which can have severe consequences in safety-critical applications. No doubt to say, efficient and effective techniques to detect and mitigate memory faults are needed. In this paper, we propose a novel methodology to diagnose the presence of faults in the memory of DNN accelerators. Our method queries the protected DNN with a set of specially crafted test cases that can accurately reveal if model parameters stored in the hardware are faulty. We provide a theoretical guarantee for the performance of our method and conduct systematic proof-of-concept experiments by simulating memory faults on computer vision models.

Check my papers:

Engineering a top-notch deep learning model is an expensive procedure that involves collecting data, hiring human resources with expertise in machine learning, and providing high computational resources. For that reason, deep learning models are considered as valuable Intellectual Properties (IPs) of the model vendors. To ensure reliable commercialization of deep learning models, it is crucial to develop techniques to protect model vendors against IP infringements. One of such techniques that recently has shown great promise is digital watermarking. However, current watermarking approaches can embed very limited amount of information and are vulnerable against watermark removal attacks. In this paper, we present GradSigns, a novel watermarking framework for deep neural networks (DNNs). GradSigns embeds the owner's signature into the gradient of the cross-entropy cost function with respect to inputs to the model. Our approach has a negligible impact on the performance of the protected model and it allows model vendors to remotely verify the watermark through prediction APIs.

Check my paper and presentation:

Physical Unclonable Function (PUF) is seen as a promising alternative to traditional cryptographic algorithms for secure and lightweight device authentication for the diverse IoT use cases. However, the essential security of PUF is threatened by a kind of machine learning (ML) based modeling attacks which could successfully impersonate the PUF by using known challenge and response pairs (CPRs). However, existing modeling methods require access to an extremely large set of CRPs which makes them unrealistic and impractical in the real world scenarios. To handle the limitation of available CRPs from the attack perspective, we explore the possibility to transfer a well-tuned model trained with unlimited CRPs to a target PUF with limited number of CRPs.

Check my papers:

Polymorphic gates are reconfigurable devices whose functionality may vary in response to the change of execution environment such as temperature, supply voltage or external control signals. This feature makes them a perfect candidate for circuit watermarking. However, polymorphic gates are hard to find because they do not exhibit the traditional structure. My colleagues and I proposed a genetic algorithm based approach to address this challenge and were able to find many previously unseen polymorphic gates.

My colleagues and I aimed to dig out the potentials of polymorphic circuits in hardware security and trust related applications, which hasn not been comprehensively researched in previous works. One straightforward and convenient application of polymorphic gates is to embed circuit watermark, which is one of the first studied hardware security problems. In this scheme, the circuit delivers correct functionality in the normal mode; when it is necessary to demonstrate the watermark, the circuit is transitioned to the special mode by activating the external control so that the circuit can change its functionality and produce different outputs. In this case, the hidden “secret” is the hardware-level watermark, which proves the ownership of the circuits andgives the circuits legal protection against piracy, overbuilding and counterfeiting.

Check my paper:

My colleagues and I proposed a circuit fingerprinting scheme with polymorphic gates controlled by external inputs. The scheme targets SDC (Satisfiability Don’t Care) conditions that usually appear in non-trivial circuits and replaces the standard library cells holding the SDC conditions by polymorphic gates. The modified circuit delivers correct functionality and the configurations of the polymorphic gates constitute the circuit fingerprint.

Check my papers:

Polymorphic gates are reconfigurable electronic devices that exhibit multiple functionalities under different environments such as temperature, supply voltage, or external signals. Such gates are rare as they do not have a complementary topology and need to satisfy the input-output relationships for more than one functionality. My colleagues and I introduced the concept of partial polymorphic gates, which deliver multiple incomplete functions with non-deterministic outputs at certain input combinations. The non-deterministic output is a result of process variations, which are generally believed to be random, unclonable, and different from chip to chip. We utilize this uncertainty as a new mechanism for implementing chip IDs and propose a circuit authentication scheme based on such IDs.

Check my paper:

Most of the Internet of Things (IoT) and embedded devices are resource constrained, making it impractical to secure them with the traditional computationally expensive crypto-based solutions. However, security and privacy are crucial in many IoT applications such as health monitoring. In this paper, we consider one of the most fundamental security problems: how to identify and authenticate an embedded device. We consider the fact that embedded devices are designed by reusing IP cores with reconfigurable scan network (RSN) as the standard testing facility and propose to generate unique integrated circuit (IC) identifications (IDs) based on different configurations for the RSN. These circuit IDs not only solve the IC and device identification and authentication problems, they can also be considered as a lightweight security primitive in other applications such as IC metering and IP fingerprinting.

Check my paper: