The Weight of a Bit: EMFI Sensitivity Analysis of Embedded Deep Learning Models

Fault injection attacks on embedded neural network models have been shown as a potent threat. Numerous works studied resilience of models from various points of view. As of now, there is no comprehensive study that would evaluate the influence of number representations used for model parameters against electromagnetic fault injection (EMFI) attacks. In this paper, we investigate how four different number representations influence the success of an EMFI attack on embedded neural network models. We chose two common floating-point representations (32-bit, and 16-bit), and two integer representations (8-bit, and 4-bit). We deployed four common image classifiers, ResNet-18, ResNet-34, ResNet-50, and VGG-11, on an embedded memory chip, and utilized a low-cost EMFI platform to trigger faults. Our results show that while floating-point representations exhibit almost a complete degradation in accuracy (Top-1 and Top-5) after a single fault injection, integer representations offer better resistance overall. Especially, when considering the the 8-bit representation on a relatively large network (VGG-11), the Top-1 accuracies stay at around 70% and the Top-5 at around 90%.

Key Contributions

• First systematic comparison of four numeric weight formats (FP32, FP16, INT8, INT4) under real EMFI attacks on embedded neural networks
• Empirical finding that floating-point representations suffer near-complete accuracy collapse after a single fault injection, while INT8 on larger networks (VGG-11) retains ~70% Top-1 and ~90% Top-5 accuracy
• Low-cost EMFI attack campaign across four CNN architectures (ResNet-18/34/50, VGG-11) deployed on embedded memory chips using a NewAE ChipSHOUTER platform

🛡️ Threat Analysis

Details

Similar Papers