Contract type: Fixed-term contract (CDD)
Required degree level: Bac + 5 or equivalent
Position: PhD student
About the centre or functional department
The Inria Rennes - Bretagne Atlantique Centre is one of Inria's eight centres and has more than thirty research teams. The Inria Centre is a major and recognized player in the field of digital sciences. It is at the heart of a rich R&D and innovation ecosystem: highly innovative SMEs, large industrial groups, competitiveness clusters, research and higher education players, laboratories of excellence, a technological research institute, etc.
Context and advantages of the position
Host team: The project will be held in the TARAN (formerly CAIRN) team of the IRISA/INRIA laboratory. The TARAN team, with more than 35 members from Inria, UR1, and ENS Rennes, has participated in several national and European R&D projects (H2020 ARGO, FP7 Alma, FP7 Flextiles) and has strong industrial collaborations (e.g., Safran, Thales, Alcatel, Orange, STMicroelectronics, Technicolor, and various SMEs). TARAN has recognized experience in several domains related to the project, such as embedded system design, fault tolerance, safety-critical systems, computing architectures, and design tools for specialized hardware architectures.
Acquiring new skills: As a new member of the TARAN team, you will join a research group with an excellent reputation and deep knowledge of embedded systems. The TARAN research group can provide you with a more solid understanding and knowledge of computer architectures and hardware design. For instance, the host team has published high-quality papers using RISC-V-based processors and dedicated hardware designs, subjects that you will be able to learn much more about, increasing your background in this area.
Summary: The importance of data privacy in Deep Learning (DL) systems is beyond doubt. However, recent studies have shown how to use side-channels to guess key parameters or recover inputs from DL model inference running on accelerators. For example, input images of a DL model were estimated from collected power traces without knowing the detailed model parameters. However, this thesis goes further than current practice by studying whether private information can be retrieved during the training phase, whether it is possible to disrupt the training quality, and how to secure training accelerators. The objective is to study training-time side-channel analysis, hardware attacks and the required countermeasures, focusing on fault injections in edge AI accelerators.
As Deep Learning is computationally intensive and power hungry, the use of dedicated and customized hardware accelerators is becoming a necessity. This is the case for FPGAs, which are increasingly adopted to build highly customized and flexible DL accelerators [2–4], including the recent trend towards approximate Deep Neural Network (DNN) implementations.
The convergence of edge computing and AI brings Edge Intelligence, which moves the bulk of intelligent data processing from the core of the network to the edge, closer to where data is produced and resides. This reduces latency and increases privacy.
However, the connectivity and accessibility of these edge devices enable both local and remote attacks, unveiling an enormous attack surface with large potential impacts on security, safety and privacy. In the context of DL hardware security, recent works report a growing number of attacks on DNN implementations [8, 9]. These include Side-Channel Analysis (SCA) attacks [9, 10], using either power consumption [1, 11–17] or Electromagnetic (EM) emanations [18–20], and Fault Injection (FI) attacks [21–29]. In the former case, the objective of the attack is to compromise confidentiality, enabling the recovery of secret DL assets (like models and private data inputs), which jeopardizes privacy and enables counterfeiting by model reverse engineering. In the latter, the objective is to compromise both integrity, altering the expected performance through misclassifications and controlled behaviours, and availability, rendering the system useless through denied access or reduced quality or performance. Physical SCA and FI attacks on AI-enabled edge devices are particularly worrying given their higher accessibility and exposure to attackers.
Distributed training at the edge can be traced back to 2016, where a decentralized Stochastic Gradient Descent (SGD) method was proposed to solve a large linear regression problem. More recently it has evolved into the concept of collaborative or federated learning, which is based on the same general principle but is more efficient. Other techniques for edge training are to train or retrain models on single edge devices, taking advantage of modern training features such as transfer learning, incremental learning, and continuous learning. In all these approaches, local data are processed on each edge device, which prevents the devices from revealing private data to the cloud. However, the server should not trust edge devices completely either, since these can be attacked and forced into abnormal behaviors, which can poison training data. This would result in inadequate model updates, and hence in a low-quality trained model. For example, in a backdoor-attacked face recognition-based authentication system, attackers could mislead the system into identifying them, through impersonation, as a person who can access a building.
The scenario described above is raising general concerns about trust in AI, which calls for a major research effort to protect critical infrastructures and sensitive data that rely on AI-based processing. As a consequence, protecting DNN implementations is a key concern to keep their models and internal data private and secure from attacks, as this has a large potential for major impacts on privacy, safety and secret corporate IP. To help unlock the full potential of AI and enable efficient and secure deployments, our objective is to build secure DL hardware accelerators for edge and cloud systems that are resistant to both local and remote hardware attacks.
Objectives of the Thesis
The main goals of this thesis are (1) to investigate the implementation vulnerabilities against SCA and FI attacks of custom, reduced-precision hardware implementations of DNN accelerators built in FPGAs and (2) to develop adequate countermeasures to build secure accelerators.
In the FI case, the objective is to investigate how these attacks can impact the integrity and availability of the system (accuracy, training/inference time, energy consumption). We will especially focus on electromagnetic FI using the facilities at the Laboratoire Haute Sécurité (LHS) at Inria Rennes. In the SCA case, our objective is to understand how the attacks can impact the confidentiality of the system by revealing key secret information like training/inference inputs and by enabling reverse engineering of DL models and architectures. For local attacks, we focus on capturing power/EM side-channel leakage traces.
As mentioned, we will in particular focus on hardware security of DL accelerators at training time, especially in (semi-)supervised, cooperative edge scenarios, through a holistic approach that combines training methodologies, algorithms and design of custom accelerators in FPGA.
Training-time attacks on DNNs have not focused on hardware vulnerabilities, but on datasets to compromise the training, like software adversarial attacks that contaminate the training dataset to increase the misclassification probability at inference time. As already mentioned, security-enhanced edge training includes research on how to secure the communication protocols to prevent data from being corrupted in a federated-learning setting [36–38]. The hardware is assumed to be secured and fault-free. However, when this assumption fails, data and/or model computation can be corrupted, hence harming the global model training result.
This work will take place in the TARAN team from IRISA/Inria, in collaboration with CentraleSupélec (Rubén Salvador, IETR) and Inria LHS (Ronan Lashermes).
The recruited person is expected to develop complex processor architectures leveraging C++ and High-Level Synthesis. We also expect to have prototype implementations of the developed techniques on FPGA and ASIC.
Desired skills include:
Computer architecture, hardware design, VLSI circuit design. Basic knowledge in compilers.
Familiarity with the C/C++ language or other languages. Familiarity with FPGA/ASIC design and/or High-Level Synthesis. Optimization methods.
Most importantly, we seek highly motivated and active researchers.
- Subsidized meals
- Partial reimbursement of public transport costs
- Possibility of teleworking (90 days per year) and flexible organization of working hours
- Partial payment of insurance costs
Monthly gross salary amounting to 1982 euros for the first and second years and 2085 euros for the third year
- Theme/Domain: Architecture, languages and compilation
- City: Rennes
- Inria centre: CRI Rennes - Bretagne Atlantique
- Desired start date: 2022-10-01
- Contract duration: 3 years
- Application deadline: 2022-06-07
About Inria
Inria is the national research institute dedicated to digital science and technology. It employs 2600 people. Its 200 agile project teams, generally run jointly with academic partners, involve more than 3500 scientists in meeting the challenges of digital technology, often at the interface with other disciplines. The institute draws on many talents in more than forty different professions. 900 research and innovation support staff help scientific and entrepreneurial projects that have an impact on the world to emerge and grow. Inria works with many companies and has supported the creation of more than 180 start-ups. The institute thus strives to meet the challenges of the digital transformation of science, society and the economy.
Instructions for applying
Please submit online: your resume, cover letter and, where applicable, letters of recommendation
For more information, please contact firstname.lastname@example.org
Defence security:
This position is likely to be assigned to a restricted-access zone (zone à régime restrictif, ZRR), as defined in Decree No. 2011-1425 on the protection of the nation's scientific and technical potential (PPST). Authorisation to access a zone is granted by the head of the institution, following a favourable ministerial opinion, as defined in the order of 3 July 2012 relating to the PPST. An unfavourable ministerial opinion for a position assigned to a ZRR would result in the cancellation of the recruitment.
Recruitment policy:
As part of its diversity policy, all Inria positions are accessible to people with disabilities.
Please note: Applications must be submitted online via the Inria website. The processing of applications sent through other channels is not guaranteed.