π€ AI Summary
This work proposes a novel cross-layer attack methodology that bridges the gap between physical fault injection and algorithmic backdoor mechanisms, addressing the limitations of existing fault-based attacks which lack coordination with algorithm-level defenses. By synergistically combining electromagnetic fault injection at the physical layer with backdoor learning at the algorithmic layer, the approach precisely manipulates register states on an ARM Cortex-M4 microcontroller to perturb intermediate feature maps of neural networks. This enables the construction of a non-input-space backdoor that activates only upon fault induction, achieving high attack success rates in embedded convolutional neural networks while maintaining benign behavior during normal operation. Crucially, the method evades state-of-the-art input-space backdoor detection techniques, demonstrating both stealth and efficacy in real-world embedded settings.
π Abstract
Fault injection (FI) attacks on embedded neural network (NN) implementations primarily focus on inducing misclassification by corrupting weights or intermediate computations, overlooking their interaction with algorithmic adversarial threats. In this work, we present a cross-level attack that bridges implementation-level physical faults to algorithm-level adversarial attacks. By characterizing fault-induced data perturbations during NN inference, we connect FI with backdoor learning, enabling system-level attacks that jointly exploit implementation- and algorithm-level vulnerabilities. Specifically, we propose a precise fault-injection method that reliably manipulates targeted register values to tractable states during execution. Leveraging this level of FI precision, we propose a novel end-to-end feature map-level backdoor attack, where physically induced intermediate perturbations serve as stealthy triggers. Unlike conventional input-based backdoors, our trigger is activated only under physical faults, causing the NN to exhibit adversarial behavior that compromises system integrity while remaining benign during normal operation. We demonstrate that such physically triggered backdoors can be mounted on embedded NN platforms and remain effective against existing backdoor defenses that typically assume input-space triggers. We showcase the attack practicality using electromagnetic FI on convolutional neural networks implemented on ARM Cortex-M4 microcontroller, which is a common platform for constrained embedded applications. Our results highlight a novel attack vector at the intersection of hardware and algorithmic levels, stressing the need for defenses across abstraction levels.