The wide deployment of Deep Neural Networks (DNN) in high-performance cloud computing platforms brought to light multi-tenant cloud field-programmable gate arrays (FPGA) as a popular choice of accelerator to boost performance due to its hardware reprogramming flexibility. Such a multi-tenant FPGA setup for DNN acceleration potentially exposes DNN interference tasks under severe threat from malicious users. This work, to the best of our knowledge, is the first to explore DNN model vulnerabilities in multi-tenant FPGAs. We propose a novel adversarial attack framework: Deep-Dup, in which the adversarial tenant can inject adversarial faults to the DNN model in the victim tenant of FPGA. Specifically, she can aggressively overload the shared power distribution system of FPGA with malicious power-plundering circuits, achieving adversarial weight duplication (AWD) hardware attack that duplicates certain DNN weight packages during data transmission between off-chip memory and on-chip buffer, to hijack the DNN function of the victim tenant. Further, to identify the most vulnerable DNN weight packages for a given malicious objective, we propose a generic vulnerable weight package searching algorithm, called Progressive Differential Evolution Search (P-DES), which is, for the first time, adaptive to both deep learning white-box and black-box attack models. The proposed Deep-Dup is experimentally validated in a developed multi-tenant FPGA prototype, for two popular deep learning applications, i.e., Object Detection and Image Classification. Successful attacks are demonstrated in six popular DNN architectures (e.g., YOLOv2, ResNet-50, MobileNet, etc.)

翻译：在高性能的云计算平台中广泛部署深神经网络(DNN),使高性能的低浓云阵列(FPGA)成为光化多耗云可编程门阵列(FPGA),因为其硬件重新编程灵活性而成为提高性能的常用加速器。为DNN加速而设的多耐用方的FPGA(DNN)装置,可能暴露在恶意用户的严重威胁下DNN的干扰任务。根据我们所知,这项工作是首次在多耐用方的 FPGA中探索 DNN 模型脆弱性。我们提议了一个新的对抗性攻击框架:深度DUP(DUp),其中,敌对性O(FGA) 快速应用者可以向FPGA受害者租户的 DNNN 模型注入对抗性故障。具体地说,她可以将FPGA的共享权力分配系统用恶意的电路路超力重复(AWD) 硬件重复(AWD) 硬件攻击在离机存储机存储机存储机存储机存储机和机中重复某些的 DNNNNSWD 。我们提议的DFD的DRevorlorlorlorl) 。