Physical Security of Emerging AI Hardware Accelerators: From Vulnerability to Countermeasures

The widespread deployment of Artificial Intelligence (AI) at the edge has driven a paradigm shift
toward domain-specific hardware accelerators. Emerging architectures-ranging from Analog Compute-in-
Memory (CiM) and Non-Volatile Memory (NVM)-centric processors to Neuromorphic Computing and
Hyperdimensional Computing (HDC)-promise orders-of-magnitude improvements in energy efficiency
and latency. However, while these substrates are often used for their intrinsic robustness to noise and
stochastic process variations, this dissertation demonstrates that such robustness does not translate into
resilience against targeted physical attacks. This work systematically explores the physical security gap in
post-Von Neumann computing, establishing that the very physical properties enabling efficiency often
introduce novel, exploitable attack surfaces.
To address these challenges, this thesis develops a set of cross-layer analysis frameworks and counter-
measures, spanning device physics, circuit simulation, and real-hardware validation. First, the research
investigates Analog Compute-in-Memory (CiM) based on ReRAM and STT-MRAM. By developing
... mehr
a physics-aware simulation framework, it is shown that analog non-idealities-such as device-to-device
variability and random telegraph noise-manifest as data-dependent leakage signatures. These signatures
allow adversaries to recover fixed weights using correlation-based and profiling attacks, enabling the
extraction of proprietary neural network models.
Second, the thesis uncovers a critical vulnerability in processor-centric NVM architectures. Through
real-hardware experiments on STT-MRAM, a novel class of persistent fault attacks is demonstrated.
By targeting the specific magnetic commit window of MRAM writes with nanosecond-scale voltage
glitches, an attacker can induce stable, non-volatile bit corruptions in stored cryptographic keys. This
persistence mechanism collapses the data complexity required for differential fault analysis (DFA) by
orders of magnitude, enabling full AES key recovery with fewer than 20 ciphertext pairs.
Third, the security of Neuromorphic Computing is analyzed through the introduction of FlexSpy,
the first design-time security framework for thin-film transistor (TFT)-based Spiking Neural Networks
(SNNs). The analysis reveals a unique quasi-DC leakage mechanism inherent to event-driven processing
on flexible substrates. Despite the absence of internal triggers, an attacker can exploit this leakage to
infer input classes and recover layer-wise spiking activity with high fidelity. Lightweight circuit-level
countermeasures are proposed that suppress this leakage by up to 70% with minimal power overhead.
Finally, the thesis presents a comprehensive security evaluation of FPGA-based Hyperdimensional
Computing (HDC). It exposes a “robustness mismatch,” where HDC’s algorithmic error tolerance
masks severe physical vulnerabilities. The work demonstrates successful Intellectual Property (IP)
theft via deep-learning-assisted side-channel analysis and remote, internal sensing attacks using on-chip
time-to-digital converters (TDCs). Furthermore, a targeted fault injection methodology (HyFault) is
developed, capable of inducing precise misclassifications. In response, effective defenses-including
dynamic masking and hypervector randomization-are introduced to restore security.
Collectively, these contributions provide a foundational understanding of the physical security risks in
emerging AI hardware, offering actionable design guidelines to ensure that the next generation of efficient
edge accelerators is secure by design.