{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,2]],"date-time":"2026-01-02T07:33:05Z","timestamp":1767339185741,"version":"3.41.0"},"reference-count":46,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2023,3,25]],"date-time":"2023-03-25T00:00:00Z","timestamp":1679702400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000028","name":"Semiconductor Research Corporation","doi-asserted-by":"crossref","award":["2021-HWS-3060"],"award-info":[{"award-number":["2021-HWS-3060"]}],"id":[{"id":"10.13039\/100000028","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["J. Emerg. Technol. Comput. Syst."],"published-print":{"date-parts":[[2023,4,30]]},"abstract":"<jats:p>\n            Multi-tenant applications have been proliferating in recent years, supported by the emergence of computing-as-service paradigms. Unfortunately, multi-tenancy induces new security vulnerabilities due to spatial or temporal co-location of applications with possibly malicious intent. In this article, we consider a special class of stealthy integrity attacks on multi-tenant deep learning accelerators. One interesting conclusion is that it is possible to perform targeted integrity attacks on kernel weights of deep learning systems such that it remains functional but mis-labels specific categories of input data through standard RowHammer attacks by only changing 0.0009% of the total weights. We develop an automated framework,\n            <jats:sc>AroMa<\/jats:sc>\n            , to evaluate the impact of multi-tenancy on security of deep learning accelerators against integrity attacks on memory systems. We present extensive evaluations on\n            <jats:sc>AroMa<\/jats:sc>\n            to demonstrate its effectiveness.\n          <\/jats:p>","DOI":"10.1145\/3579033","type":"journal-article","created":{"date-parts":[[2023,1,6]],"date-time":"2023-01-06T13:14:02Z","timestamp":1673010842000},"page":"1-17","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["<scp>AroMa<\/scp>\n            : Evaluating Deep Learning Systems for Stealthy Integrity Attacks on Multi-tenant Accelerators"],"prefix":"10.1145","volume":"19","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4722-2084","authenticated-orcid":false,"given":"Xiangru","family":"Chen","sequence":"first","affiliation":[{"name":"University of Florida, Gainesville, Florida, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0124-8839","authenticated-orcid":false,"given":"Maneesh","family":"Merugu","sequence":"additional","affiliation":[{"name":"University of Florida, Gainesville, Florida, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3714-3414","authenticated-orcid":false,"given":"Jiaqi","family":"Zhang","sequence":"additional","affiliation":[{"name":"University of Florida, Gainesville, Florida, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8671-5052","authenticated-orcid":false,"given":"Sandip","family":"Ray","sequence":"additional","affiliation":[{"name":"University of Florida, Gainesville, Florida, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2023,3,25]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICPET.2017.20"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2020.3015432"},{"key":"e_1_3_2_4_2","first-page":"515","volume-title":"Proceedings of the 28th USENIX Security Symposium (USENIX Security\u201919)","author":"Batina Lejla","year":"2019","unstructured":"Lejla Batina, Shivam Bhasin, Dirmanto Jap, and Stjepan Picek. 2019. CSI NN: Reverse engineering of neural network architectures through electromagnetic side channel. In Proceedings of the 28th USENIX Security Symposium (USENIX Security\u201919). USENIX Association, 515\u2013532. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/batina."},{"key":"e_1_3_2_5_2","first-page":"103","volume-title":"Proceedings of the International Conference on Field-Programmable Technology (ICFPT\u201920)","author":"Boutros Andrew","year":"2020","unstructured":"Andrew Boutros, Mathew Hall, Nicolas Papernot, and Vaughn Betz. 2020. Neighbors from hell: Voltage attacks against deep learning accelerators on multi-tenant FPGAs. In Proceedings of the International Conference on Field-Programmable Technology (ICFPT\u201920). IEEE, 103\u2013111."},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3278519"},{"key":"e_1_3_2_7_2","first-page":"1","volume-title":"Proceedings of the IEEE Hot Chips 33 Symposium (HCS\u201921)","author":"Chatha Karam","year":"2021","unstructured":"Karam Chatha. 2021. Qualcomm cloud Al 100: 12TOPS\/W scalable, high performance and low latency deep learning inference accelerator. In Proceedings of the IEEE Hot Chips 33 Symposium (HCS\u201921). IEEE, 1\u201319."},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP51992.2021.00040"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA.2018.00012"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00090"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1109\/ComPE49325.2020.9200170"},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_14_2","first-page":"497","volume-title":"Proceedings of the 28th USENIX Security Symposium (USENIX Security\u201919)","author":"Hong Sanghyun","year":"2019","unstructured":"Sanghyun Hong, Pietro Frigo, Yigitcan Kaya, Cristiano Giuffrida, and Tudor Dumitras. 2019. Terminal brain damage: Exposing the graceless degradation in deep neural networks under hardware fault attacks. In Proceedings of the 28th USENIX Security Symposium (USENIX Security\u201919). USENIX Association, 497\u2013514. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/hong."},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1145\/2046684.2046692"},{"key":"e_1_3_2_16_2","unstructured":"Forrest N. Iandola Song Han Matthew W. Moskewicz Khalid Ashraf William J. Dally and Kurt Keutzer. 2016. SqueezeNet: AlexNet-level accuracy with 50x fewer parameters and <0.5 MB model size. Retrieved from https:\/\/arXiv:1602.07360."},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.23919\/DATE54114.2022.9774703"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1145\/2678373.2665726"},{"key":"e_1_3_2_19_2","volume-title":"Advances in Neural Information Processing Systems","author":"Krizhevsky Alex","year":"2012","unstructured":"Alex Krizhevsky, Ilya Sutskever, and Geoffrey E. Hinton. 2012. ImageNet classification with deep convolutional neural networks. In Advances in Neural Information Processing Systems, F. Pereira, C. J. Burges, L. Bottou, and K. Q. Weinberger (Eds.), Vol. 25. Curran Associates. Retrieved from https:\/\/proceedings.neurips.cc\/paper\/2012\/file\/c399862d3b9d6b76c8436e924a68c45b-Paper.pdf."},{"key":"e_1_3_2_20_2","unstructured":"Alexey Kurakin Ian Goodfellow and Samy Bengio. 2016. Adversarial machine learning at scale. Retrieved from https:\/\/arXiv:1611.01236."},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.46586\/tches.v2021.i3.441-464"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2004.1315150"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1145\/3126908.3126964"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1109\/IISWC50251.2020.00023"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCAD.2017.8203770"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-16-8059-5_31"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2012.2199517"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1109\/JETCAS.2021.3074608"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.scs.2020.102692"},{"key":"e_1_3_2_30_2","volume-title":"Proceedings of the IEEE\/CVF International Conference on Computer Vision (ICCV\u201919)","author":"Rakin Adnan Siraj","year":"2019","unstructured":"Adnan Siraj Rakin, Zhezhi He, and Deliang Fan. 2019. Bit-flip attack: Crushing neural network with progressive bit search. In Proceedings of the IEEE\/CVF International Conference on Computer Vision (ICCV\u201919)."},{"key":"e_1_3_2_31_2","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR\u201920)","author":"Rakin Adnan Siraj","year":"2020","unstructured":"Adnan Siraj Rakin, Zhezhi He, and Deliang Fan. 2020. TBT: Targeted neural network attack with bit Trojan. In Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR\u201920)."},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1109\/DAC.2018.8465834"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.23919\/DATE.2019.8714885"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2016.2579198"},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.3390\/app10010253"},{"key":"e_1_3_2_36_2","unstructured":"Karen Simonyan and Andrew Zisserman. 2014. Very deep convolutional networks for large-scale image recognition. Retrieved from https:\/\/arXiv:1409.1556."},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2015.7298594"},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.1109\/FCCM51124.2021.00035"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/TCC.2020.2992548"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1109\/DSN48063.2020.00031"},{"key":"e_1_3_2_41_2","doi-asserted-by":"crossref","unstructured":"Zane Weissman Thore Tiemann Daniel Moghimi Evan Custodio Thomas Eisenbarth and Berk Sunar. 2019. Jackhammer: Efficient RowHammer on heterogeneous FPGA-CPU platforms. Retrieved from https:\/\/arXiv:1912.11523.","DOI":"10.46586\/tches.v2020.i3.169-195"},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICFHR.2014.56"},{"key":"e_1_3_2_43_2","first-page":"1463","volume-title":"Proceedings of the 29th USENIX Security Symposium (USENIX Security\u201920)","author":"Yao Fan","year":"2020","unstructured":"Fan Yao, Adnan Siraj Rakin, and Deliang Fan. 2020. DeepHammer: Depleting the intelligence of deep neural networks through targeted chain of bit flips. In Proceedings of the 29th USENIX Security Symposium (USENIX Security\u201920). USENIX Association, 1463\u20131480. https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/yao."},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1109\/TCC.2020.3006751"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3106169"},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00049"},{"key":"e_1_3_2_47_2","first-page":"1","volume-title":"Proceedings of the 56th ACM\/IEEE Design Automation Conference (DAC\u201919)","author":"Zhao Pu","year":"2019","unstructured":"Pu Zhao, Siyue Wang, Cheng Gongye, Yanzhi Wang, Yunsi Fei, and Xue Lin. 2019. Fault sneaking attack: A stealthy framework for misleading deep neural networks. In Proceedings of the 56th ACM\/IEEE Design Automation Conference (DAC\u201919). 1\u20136."}],"container-title":["ACM Journal on Emerging Technologies in Computing Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3579033","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3579033","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:38:05Z","timestamp":1750178285000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3579033"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,3,25]]},"references-count":46,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2023,4,30]]}},"alternative-id":["10.1145\/3579033"],"URL":"https:\/\/doi.org\/10.1145\/3579033","relation":{},"ISSN":["1550-4832","1550-4840"],"issn-type":[{"type":"print","value":"1550-4832"},{"type":"electronic","value":"1550-4840"}],"subject":[],"published":{"date-parts":[[2023,3,25]]},"assertion":[{"value":"2022-06-24","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-12-15","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-03-25","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}