Job opportunities

Associated Inria centres

Contract type

Context

<p>The internships are expected to start around February/March and extend for up to 6 months.</p>
<p style="text-align: left;"><strong>Scientific context</strong></p>
<p style="text-align: justify;">After more than 20 years of research, Side-Channel Attacks (SCA) are still one of the most critical vulnerabilities in embedded systems. SCAs exploit correlations between processed data and physical, observable side effects of computing &ndash; power consumption, electromagnetic (EM) emanations, or timing, to name a few &ndash; to extract sensitive information. Traditionally, these attacks have targeted the cryptographic keys of mathematically secure cryptographic implementations, but the increasing adoption of Machine Learning (ML) and Deep Learning (DL) is making Artificial Intelligence (AI) a new target. As these systems increasingly deal with sensitive data and control critical infrastructure, and as new vulnerabilities are reported, the <strong>hardware/software security of ML/DL systems</strong> is emerging as&nbsp;a key cybersecurity concern to build trustworthy AI-based systems [1, 2].</p>
<p style="text-align: justify;"><strong>Side-channel attacks on DL implementations</strong> pave the way to attacks aiming at stealing the intellectual property of DL-based products/services [3, 4], violating the privacy of the end-user, and&nbsp;facilitating attacks on DL-based systems.</p>
<p><strong>References</strong></p>
<p>[1]&nbsp;S. Mittal, H. Gupta, and S. Srivastava. &ldquo;A Survey on Hardware Security of DNN Models and Accelerators&rdquo;. J. Syst. Archit. 117 2021, p. 102163. doi: 10.1016/j.sysarc.2021.102163.<br />
[2]&nbsp;V. Meyers, D. Gnad, and M. Tahoori. &ldquo;Active and Passive Physical Attacks on Neural Network Accelerators&rdquo;. IEEE Design &amp; Test 2023, pp. 1&ndash;1. doi: 10.1109/MDAT.2023.3253603.<br />
[3]&nbsp;M. M&eacute;ndez Real and R. Salvador. &ldquo;Physical Side-Channel Attacks on Embedded Neural Networks: A Survey&rdquo;. Appl. Sci. 11 15, 2021, p. 6790. doi: 10.3390/app11156790.<br />
[4]&nbsp;P. Horv&aacute;th, D. Lauret, Z. Liu, and L. Batina. &ldquo;SoK: Neural Network Extraction Through Physical Side Channels&rdquo;. 33rd USENIX Security Symposium (USENIX Security 24). 2024, pp. 3403&ndash;3422.<br />
[5]&nbsp;M. Isakov, V. Gadepally, K. M. Gettings, and M. A. Kinsy. &ldquo;Survey of Attacks and Defenses on Edge-Deployed Neural Networks&rdquo;. IEEE HPEC. 2019, pp. 1&ndash;8. doi: 10.1109/HPEC.2019.8916519.<br />
[6]&nbsp;L. Batina, S. Bhasin, D. Jap, and S. Picek. &ldquo;CSI NN: Reverse Engineering of Neural Network Architectures Through Electromagnetic Side Channel&rdquo;. USENIX Security Symp. 2019, pp. 515&ndash;532.<br />
[7]&nbsp;R. Joud, P.-A. Mo&euml;llic, S. Ponti&eacute;, and J.-B. Rigaud. &ldquo;A Practical Introduction to Side-Channel Extraction of Deep Neural Network Parameters&rdquo;. Smart Card Research and Advanced Applications. Ed. by I. Buhan and T. Schneider. Cham: Springer International Publishing, 2023, pp. 45&ndash;65. doi: 10.1007/978-3-031-25319-5_3.<br />
[8]&nbsp;R. Joud, P.-A. Mo&euml;llic, S. Ponti&eacute;, and J.-B. Rigaud. &ldquo;Like an Open Book? Read Neural Network Architecture with Simple Power Analysis on 32-Bit Microcontrollers&rdquo;. Smart Card Research and Advanced Applications. Ed. by S. Bhasin and T. Roche. Cham: Springer Nature Switzerland, 2024, pp. 256&ndash;276. doi: 10.1007/978-3-031-54409-5_13.<br />
[9]&nbsp;Y. Zhang, R. Yasaei, H. Chen, Z. Li, and M. A. A. Faruque. &ldquo;Stealing Neural Network Structure Through Remote FPGA Side-Channel Analysis&rdquo;. IEEE Trans. Inf. Forensics Secur. 16 2021, pp. 4377&ndash;4388. doi: 10.1109/TIFS.2021.3106169.<br />
[10]&nbsp;S. Moini, S. Tian, D. Holcomb, J. Szefer, and R. Tessier. &ldquo;Power Side-Channel Attacks on BNN Accelerators in Remote FPGAs&rdquo;. IEEE J. Emerg. Sel. Top. Circuits Syst. 11.2 2021, pp. 357&ndash;370. doi: 10.1109/JETCAS.2021.3074608.</p>

Assigned mission

<p style="text-align: justify;"><strong>These internships are framed in the ANR JCJC project ATTILA</strong> (young investigators' grant from the French national research agency). The objectives are to investigate the susceptibility of DL-based systems to side-channel attacks and to design SCA-secure DL implementations. In these internships, we are interested in both local SCA attacks on edge devices, highly exposed to attackers [5&ndash;8], and remote SCA attacks on cloud-based DL implementations [9, 10]. The internships cover both software implementations (e.g., in microcontrollers) and hardware implementations (e.g.,&nbsp;accelerators in FPGA) of DL algorithms.</p>
<p style="text-align: justify;">Although the main focus is on <strong>physical side-channel vulnerabilities</strong> (e.g., power consumption or EM emanations), we are open to exploring <strong>microarchitectural timing side channels</strong> exposing, e.g., cache, DRAM, or other <strong>processor microarchitecture vulnerabilities</strong>.</p>
<p style="text-align: justify;">This position offers a good opportunity to discover an emerging topic and gain skills to help you <strong>complete a PhD in the field of (AI) hardware/microarchitecture security.</strong></p>

Main activities

<p>Depending on the background of the candidates, the internships can take different directions, such as DNN implementations in FPGA or microcontrollers using AxC techniques, evaluation of DNN side-channel security, and implementation and evaluation of countermeasures.</p>

Skills

<p>You should have a <strong>strong background</strong> in (at least) one of the following topics:</p>
<ul>
<li>Side-channel attacks and evaluation methodologies of secure implementations, cryptanalysis;</li>
<li>HW or SW implementations of DNNs (FPGAs, microcontrollers, other accelerators/systems);</li>
<li>Other HW/SW security background (e.g., hardware-secure implementation of cryptographic<br />algorithms);</li>
<li>Design for FPGAs and hands-on experience in prototyping and implementations.</li>
</ul>
<p><strong>Other </strong>interesting<strong> technical skills</strong> include:</p>
<ul>
<li>Programming in C/C++/Python</li>
<li>Use of Linux/Git as a development environment</li>
<li>Good use of laboratory instruments (oscilloscopes, power supplies, etc.)</li>
<li>ML/AI frameworks (TinyML, PyTorch, TensorFlow, TFLite...)</li>
</ul>
<p><strong>Languages:</strong> You can speak, write, and read English at a professional level (French is not required).</p>

Reference

2025-09497

Field of activity

Internships on hardware/microarchitectural security of deep/machine learning implementations
