VISVESVARAYA TECHNOLOGICAL UNIVERSITY

“Jnana Sangama”, Belagavi-590018, Karnataka

A Seminar Report
On

“HARDWARE SECURITY OF AIML”


Submitted in partial fulfillment of the requirements for the award of the degree of

Bachelor of Engineering
In
ELECTRONICS AND COMMUNICATION ENGINEERING
For the Academic Year 2023-24
Submitted By
CHANDANA Y S: 4AD20EC012
Under the Guidance of
Mr. Chandrashekar P
Assistant Professor
Dept. of ECE

ATME College of Engineering, Mysuru
13th Kilometer, Mysuru – Kanakapura – Bangalore Road
Mysuru – 570 028, Karnataka
Phone: +91-821-25 93 335
DEPARTMENT OF ELECTRONICS AND COMMUNICATION ENGINEERING

CERTIFICATE
This is to certify that the Internship work entitled “Hardware Security of AIML” carried
out by CHANDANA Y S [4AD20EC012], a student of ATME College of Engineering, Mysuru,
in partial fulfillment for the award of Bachelor of Engineering in Electronics and
Communication Engineering of the Visvesvaraya Technological University, Belagavi during
the year 2023-24. It is certified that all corrections/suggestions indicated for Internal
Assessment have been incorporated in the Report deposited in the departmental library.
The Technical Seminar report has been approved as it satisfies the academic requirements in
respect of Internship work prescribed for the said Degree.

…………………….                      ….………………..
Signature of Guide              Signature of HOD
Mr. Chandrashekar P             Dr. L Basavaraj
Asst. Professor                 Professor & HOD

Technical Seminar

Name of the Reviewers           Signature with date
1.
2.
DEPARTMENT VISION AND MISSION

VISION

• To develop highly skilled and globally competent professionals in the field of Electronics and
Communication Engineering to meet industrial and social requirements with ethical
responsibility.

MISSION

• To provide state-of-the-art technical education in Electronics and Communication at undergraduate
and post-graduate levels, to meet the needs of the profession and society and achieve
excellence in teaching-learning and research.
• To develop talented and committed human resources, by providing an opportunity for
innovation, creativity and entrepreneurial leadership with high standards of professional ethics,
transparency and accountability.
• To function collaboratively with technical institutes/universities/industries, offer
opportunities for interaction among faculty and students, and promote networking with alumni,
industries and other stakeholders.

Program Specific Outcomes (PSOs)

At the end of graduation the student will be able:

• To have the capability to understand and adopt technological advancements, with the use
of modern tools, to analyze and design embedded systems or processes for a variety of applications.
• To work effectively in a group as an independent visionary, team member and leader, having
the ability to understand requirements and develop feasible solutions, to emerge as a potential
core or electronics engineer.
ACKNOWLEDGEMENT
The satisfaction and euphoria that accompany the successful completion of any task
would be incomplete without mentioning the people who made it possible and under whose
constant guidance and encouragement the task was completed. I would like to express my
immense gratitude to Dr. L Basavaraj, Principal, ATMECE, Mysuru for his timely help and
inspiration during the tenure of the course.
I would like to express our deep gratitude to Dr. L Basavaraj, Professor and Head,
Department of Electronics and Communication Engineering, ATMECE, Mysuru for her timely
co-operation while carrying out the technical seminar. Her friendliness made us learn more.
I would like to express our sincere thanks to the guide Mr. Chandrashekar P, Assistant
Professor, Department of Electronics and Communication Engineering, ATMECE, Mysuru for
their guidance, encouragement and suggestions that helped me a lot in the completion of the
technical seminar.
I also extend our sincere thanks to the technical seminar evaluation committee members,
Dr. Prakash Kuravatti and Mr. Girish M, and all the faculty members, Department of
Electronics and Communication Engineering, ATMECE, Mysuru who have encouraged me
throughout the course.
Last but not the least, I express our heartfelt gratitude to the Almighty and my parents for their
love and blessings that helped us complete the technical seminar work successfully.

ABSTRACT

Hardware security and trust have become a pressing issue during the last two
decades due to the globalization of the semiconductor supply chain and the ubiquitous network
connection of computing devices. Computing hardware is now an attractive attack surface for
launching powerful cross-layer security attacks, allowing attackers to infer secret information,
hijack control flow, compromise the system root-of-trust, steal intellectual property (IP), and fool
machine learners. On the other hand, security practitioners have been making tremendous
efforts in developing protection techniques and design tools to detect hardware vulnerabilities
and fortify hardware design against various known hardware attacks. This article presents an
overview of hardware security and trust from the perspectives of threats, countermeasures, and
design tools. By introducing the most recent advances in hardware security research and
development, we aim to motivate hardware designers and electronic design automation tool
developers to consider the new challenges and opportunities of incorporating an additional
dimension of security into robust hardware design, testing, and verification. Although ML-based
solutions address the efficient computing requirements of big data, they introduce new
security vulnerabilities into systems, which cannot be addressed by traditional monitoring-based
security measures. Therefore, this paper first presents a brief overview of various
security threats in machine learning, their respective threat models, and the associated research
challenges in developing robust security measures.

CONTENTS

Chapter No.   Title                                             Page No.

Chapter 1     INTRODUCTION
              1.1 Overview                                      03
              1.4 Objective                                     03
Chapter 2     BACKGROUND WORK
              2.1 Survey Papers                                 05
Chapter 3     AI/ML AND HARDWARE FOR SECURITY
              3.1 Methodology                                   10
              3.2 AI/ML and Hardware for Behavior Monitoring    11
              3.3 AI/ML and Security of Hardware                11
              3.4 Challenges and New Directions                 14
              3.5 Hardware Security Threats                     15
              3.6 Hardware Security Primitives                  18
              3.7 Advantages                                    22
              3.8 Disadvantages                                 24
              3.9 Application                                   25
              CONCLUSION AND FUTURE ENHANCEMENT
              REFERENCES
LIST OF FIGURES

Fig No.   Name of the Figure                          Page No.

1         DL in the design analysis decision flow     12
2         Design concept of noise-based TRNG          19
3         Block diagram of chaos-based TRNG           21
HARDWARE SECURITY OF AIML

Chapter 1

INTRODUCTION
There have been numerous advances in artificial intelligence (AI) and machine learning (ML)
in recent years, including the rise of deep learning (DL) as applied to fields throughout
electronic design, from the system level, through logic-level design and physical design, to test
and validation. Hardware security remains an important area of study, given the fundamental
role played by hardware in securing systems. Research in hardware security spans many
facets, including understanding and mitigating vulnerabilities in the integrated circuit
(IC) supply chain; counteracting overbuilding, counterfeiting and reverse-engineering effort; side-channel
attacks; and hardware Trojans.
In addition to securing hardware itself, broader system security properties can be enhanced by
hardware for security, for example the use of hardware performance counters (HPCs) for
identifying malicious behavior and physically unclonable functions (PUFs) for implementing
authentication, digital rights management, and similar applications. As AI/ML continues
to mature, its impact on various domains continues to grow, including Internet-of-Things
(IoT) and cyber-physical system (CPS) applications.
The cyber security community is exploring potential uses for AI/ML in detecting bugs,
modeling threats, and supporting defender decision-making. Furthermore, AI techniques can
supplement existing techniques; for example, AI can guide fuzz testing of software for security risks.
Likewise, the evolution of AI/ML has implications for hardware security.
To this end, we explore intersections between AI/ML and hardware security, both in terms of
hardware for security and security of hardware. Our aim is to provide a perspective on
potential frontiers for research at these crucial junctions. We present a snapshot of existing
challenges in hardware security and outline the opportunities and threats offered by AI/ML. Some
avenues are well explored in the literature, while others, such as understanding the implications
of AI/ML techniques in the IC design flow, provide new areas for exploration. Besides, AI/ML
has several challenges that need to be considered by hardware security practitioners, including
the design of appropriate data representations and the collection of quality training data. There are
many ways in which AI/ML is affecting hardware security, thus offering new directions to

explore. This paper is organized as follows. First, we provide an overview of recent research threads in
hardware for security, such as how AI/ML has been used for benevolent and malevolent
purposes, and in security of hardware, such as the IC supply chain. From this overview of the
interplay between AI/ML and hardware security, we adopt a speculative perspective and pose
new directions and challenges. Although various threats challenge the security of IoT, the root
of trust starts from hardware security. For instance, attacks like bootkit malware that corrupts
the boot-up sequence to load and execute hostile code cannot be detected by software-level
countermeasures. Without trusted and authenticated devices, high-level approaches such as data
encryption and code authentication cannot thwart tampering. Therefore, hardware security is the
primary focus of this paper. The remainder of this paper is organized as follows. We first
introduce typical hardware attacks, then propose a dynamic permutation method for the IoT
processing unit to simultaneously thwart hardware Trojan and side-channel analysis attacks. We
further explain this method in detail with a case study on a router.
Hardware security threats can arise during various stages of the entire semiconductor life
cycle, ranging from specification to fabrication and even recycling. They can result from
unintentional design flaws, system side effects and intended malicious design modifications.
They usually target security assets, such as cryptographic functions, secure architectures,
intellectual property (IP), and machine learning (ML) models. While classic hardware security
threats, such as covert and side channels, hardware Trojans, and reverse engineering (RE), are
constantly evolving, recent powerful attacks exploit remote, cross-layer and specification-
compatible attack surfaces to compromise strong cryptographic primitives, isolation
mechanisms, memory protection techniques, and deep neural networks (DNNs).
Understanding the different hardware security threats is an important first step toward developing
effective security measures.

1.1 OVERVIEW
Hardware security for AI/ML systems involves a comprehensive approach to safeguarding the
physical components and infrastructure crucial to their operation. This encompasses several
key areas: secure hardware design, supply chain integrity, physical security measures,
mitigation of side-channel attacks, hardware-based authentication, and secure data handling
mechanisms. Secure hardware design ensures that components are resilient to tampering and
unauthorized access, employing techniques like secure boot processes and hardware-based
encryption. Verifying the integrity of components throughout the supply chain is vital,
using cryptographic signatures and working with trusted suppliers to prevent malicious
insertions. Physical security measures protect against theft and tampering, while techniques
like masking and noise injection mitigate side-channel vulnerabilities. Hardware-based
authentication ensures that only authorized parties gain access, and robust data handling
mechanisms safeguard sensitive AI/ML data; this includes encryption of data at rest and in
transit, access control policies, data anonymization techniques, and regular audits to ensure
compliance with security standards and regulations. Together, these measures form a robust
framework for hardware security in AI/ML systems, addressing threats and vulnerabilities
throughout the lifecycle of hardware components and infrastructure.
1.2 OBJECTIVE
The objectives of hardware security for AI/ML systems are multi-faceted and aim to ensure the
confidentiality, integrity, and availability of the hardware components and infrastructure
supporting these systems. The main objectives are:


1. Protecting sensitive AI/ML data and algorithms from unauthorized access or disclosure.
This involves implementing encryption mechanisms, access controls, and secure
communication protocols to prevent data breaches or leakage of confidential information.
2. Ensuring the integrity of hardware components and data throughout their life cycle. This
includes measures such as secure boot processes, hardware attestation, tamper detection
mechanisms, and regular integrity checks to detect and mitigate tampering or unauthorized
modifications.
3. Ensuring that AI/ML systems and their hardware components are available and
operational when needed. This involves implementing redundancy, failover mechanisms, and
disaster recovery plans to mitigate the impact of hardware failures, physical attacks, or other
disruptions.
4. Implementing strong authentication mechanisms at the hardware level to verify the
identity of users or devices accessing the AI/ML systems. Access control policies ensure that
only authorized entities have the necessary permissions to interact with the hardware
components and data.
5. Identifying and mitigating potential threats and vulnerabilities that could compromise
the security of hardware components or the AI/ML infrastructure. This includes addressing
risks such as supply chain attacks, physical tampering, side-channel attacks, and unauthorized
access attempts.
6. Adhering to regulatory requirements, industry standards, and best practices for hardware
security in AI/ML systems. This includes conducting regular audits, implementing security
controls, and maintaining documentation to demonstrate compliance with relevant security
standards and regulations.
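Objective 2 names secure boot, hardware attestation and integrity checks. The following is an added example (not code from this report or any work it cites) of how those fit together in a measured-boot chain: each boot stage is hashed into a TPM-style measurement register with an order-sensitive extend operation, and a remote verifier checks a nonce-bound quote over that register against a golden value. The stage images, golden value and attestation key are constructed placeholders; a real design keeps the register and the key inside hardware and signs rather than MACs the quote.

```python
import hashlib
import hmac


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-PCR-style extend: new = H(old || measurement). One-way and
    order-sensitive, so a later stage cannot undo or reorder earlier entries."""
    return sha256(register + measurement)


def measure_chain(stages):
    """Each stage measures the next image into the register before running it."""
    register = bytes(32)
    for image in stages:
        register = extend(register, sha256(image))
    return register


# Constructed stage images standing in for bootloader, kernel and model bundle.
GOOD_STAGES = [b"bootloader-v1", b"kernel-v1", b"ml-model-bundle-v1"]
GOLDEN = measure_chain(GOOD_STAGES)   # computed at build time from known-good images


def quote(register: bytes, nonce: bytes, attestation_key: bytes) -> bytes:
    """Device side: MAC over the register and the verifier's fresh nonce.
    (A real TPM signs with a key that never leaves the chip; HMAC stands in.)"""
    return hmac.new(attestation_key, register + nonce, hashlib.sha256).digest()


def verify_quote(register, nonce, q, attestation_key, golden=GOLDEN) -> bool:
    """Verifier side: the quote must be authentic for this nonce and the
    reported register must equal the golden measurement."""
    expected = quote(register, nonce, attestation_key)
    return hmac.compare_digest(expected, q) and register == golden


if __name__ == "__main__":
    key, nonce = b"constructed-attestation-key", b"nonce-0001"
    reg = measure_chain(GOOD_STAGES)
    print("good chain accepted:", verify_quote(reg, nonce, quote(reg, nonce, key), key))
    bad = measure_chain([b"bootloader-v1", b"kernel-v1-modified", b"ml-model-bundle-v1"])
    print("modified kernel accepted:", verify_quote(bad, nonce, quote(bad, nonce, key), key))
```

The nonce stops an old quote from being replayed, and because extend is one-way and order-sensitive, a modified or reordered stage cannot be hidden by anything that runs later in the chain.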


Chapter 2
LITERATURE SURVEY
This section describes the work done on hardware security of AI/ML concepts by other
researchers.

2.1 SURVEY PAPERS

[1] M. T. Ghazal, M. K. Hasan, R. A. Zitar, N. A. Al-Dmour, W. T. Al-Sit and S. Islam,
"Cyber Security Analysis and Measurement Tools Using Machine Learning Approach,"
2022. Artificial intelligence (AI) and machine learning (ML) have been used in transforming
our environment and the way people think, behave, and make decisions during the last few
decades. In the last two decades everyone connected to the Internet, whether an enterprise or an
individual, has become concerned about the security of their computational resources. Cyber
security is responsible for protecting hardware and software resources from cyber attacks, e.g.
viruses, malware, intrusion and dropping. Cyber attacks come either from black-hat hackers or from
cyber warfare units. AI and ML have played an important role in developing efficient cyber
security tools. This paper presents the latest cyber security tools based on machine learning,
which are: Windows Defender ATP, Darktrace, Cisco Network Analytics, IBM QRadar,
StringSifter, Sophos Intercept X, SIME, NPL, and Symantec Targeted Attack Analytics.

[2] Y. Yu, R. Yasaei, Q. Zhou, T. Nguyen and M. A. Al Faruque, "HW2VEC: a Graph
Learning Tool for Automating Hardware Security," 2021. The time-to-market pressure
and continuously growing complexity of hardware designs have promoted the globalization of
the Integrated Circuit (IC) supply chain. However, such globalization also poses various
security threats in each phase of the IC supply chain. Although the advancements of Machine
Learning (ML) have pushed the frontier of hardware security, most conventional ML-based
methods can only achieve the desired performance by manually finding a robust feature
representation for circuits, which are non-Euclidean data. As a result, modeling these circuits
using graph learning to improve design flows has attracted research attention in the Electronic
Design Automation (EDA) field. However, due to the lack of supporting tools, only a few
existing works apply graph learning to resolve hardware security issues.

[3] F. Wijitrisnanto, S. Sutikno and S. D. Putra, "Efficient Machine Learning Model for
Hardware Trojan Detection on Register Transfer Level," 2021 4th International
Conference on Signal Processing and Information Security (ICSPIS), Dubai, United Arab
Emirates, 2021. Hardware Trojan detection at the RTL level was proposed by Choo et al. They
designed an ML detection technique using four branching circuit features. These techniques were
evaluated using several models: decision tree, logistic regression, SVM, and k-nearest neighbor,
with an average True Positive Rate (TPR) of 93.72%. The dataset used to train that model was an
artificial one created using the Adaptive Synthetic Sampling (ADASYN) algorithm, whose inputs
are from the AES Trust-Hub benchmark. As a result, the data does not fully represent the original
benchmark. Also, the extraction of the four features is a complex and inefficient process.

[4] F. Khalid, S. R. Hasan, S. Zia, O. Hasan, F. Awwad and M. Shafique, "MacLeR:
Machine Learning-Based Runtime Hardware Trojan Detection in Resource-Constrained
IoT Edge Devices," in IEEE Transactions on Computer-Aided Design of Integrated Circuits
and Systems. Traditional learning-based approaches for runtime hardware Trojan (HT) detection
require complex and expensive on-chip data acquisition frameworks, and thus incur high area
and power overhead. To address these challenges, we propose to leverage the power
correlation between the executing instructions of a microprocessor to establish a machine
learning (ML)-based runtime HT detection framework, called MacLeR. To reduce the
overhead of data acquisition, we propose a single power-port current acquisition block using
current sensors in time-division multiplexing, which increases accuracy while incurring
reduced area overhead.

[5] Chip-Hong Chang, Swarup Bhunia, Ryan Kastner and Hai Li, "An Overview of
Hardware Security and Trust: Threats, Countermeasures, and Design Tools." Hardware
security and trust have become a pressing issue during the last two decades due to the
globalization of the semiconductor supply chain and the ubiquitous network connection of
computing devices. Computing hardware is now an attractive attack surface for launching
powerful cross-layer security attacks, allowing attackers to infer secret information, hijack
control flow, compromise the system root-of-trust, steal intellectual property (IP), and fool
machine learners. On the other hand, security practitioners have been making tremendous
efforts in developing protection techniques and design tools to detect hardware vulnerabilities
and fortify hardware design against various known hardware attacks.

[6] Faiq Khalid, Muhammad Abdullah Hanif, Semeen Rehman and Muhammad Shafique,
"Security for Machine Learning-based Systems: Attacks and Challenges during Training
and Inference," 2018 International Conference. The exponential increase in dependencies
between the cyber and physical world leads to an enormous amount of data which must be
efficiently processed and stored. Therefore, computing paradigms are evolving towards
machine learning (ML)-based systems because of their ability to efficiently and accurately
process this enormous amount of data.

[7] J. Bian et al., "Machine Learning in Real-Time Internet of Things (IoT) Systems: A
Survey," in IEEE Internet of Things Journal, 1 June 2022. The cost of a deadline (required
time constraint) missed by ML/DL algorithms would be catastrophic in safety-critical
systems. However, ML/DL algorithm-based applications are more concerned with accuracy
than with strict time requirements. Accordingly, researchers from the real-time systems (RTS)
community address the strict timing requirements of ML/DL technologies for inclusion in RTSs.
This article rigorously explores the state-of-the-art results, emphasizing the strengths and
weaknesses in ML/DL-based scheduling techniques, accuracy versus execution time trade-off
policies of ML algorithms, and security and privacy of learning.

[8] E. Rajesh and U. Sapra, "Design, build, and analyse hardware-based security
primitives that work well," 2022 International Interdisciplinary Humanitarian Conference for
Sustainability (IIHC), Bengaluru, India, 2022. Hardware security has drawn more and more
attention in both academia and business over the past two decades. Flash memory has received
attention recently due to the debate over whether or not it can serve a security purpose. Flash
memory modules have been suggested as sites for hardware security primitives because of
their intrinsic process diversity, which can offer a distinctive fingerprint for a device. These
primitives include true random number generators (TRNGs), physically unclonable functions
(PUFs), and integrated circuit (IC) counterfeit detection. Hardware-based security primitives
are essential for preserving and securing a system in AIML applications.

[9] S. Prajapat, P. Kumar, S. Kumar, A. K. Das, S. Shetty and M. S. Hossain, "Designing
High-Performance Identity-Based Quantum Signature Protocol With Strong Security,"
in IEEE 2024. Due to the rapid advancement of quantum computers, there has been a furious
race for quantum technologies in academia and industry. Quantum cryptography is an
important tool for achieving security services during quantum communication. Designated
verifier signature, a variant of quantum cryptography, is very useful in applications like the
Internet of Things (IoT) and auctions. An identity-based quantum-designated verifier signature
(QDVS) scheme is suggested in this work. Our protocol features security attributes like
eavesdropping resistance, non-repudiation and designated verification.
[10] Sengupta, R. Chaurasia and A. Anshul, "Hardware Security of Digital Image Filter
IP Cores against Piracy using IP Seller's Fingerprint Encrypted Amino Acid Biometric
Sample," 2023 Asian Hardware Oriented Security and Trust Symposium (AsianHOST),
Tianjin, China, 2023. Security of important hardware accelerators such as digital image filter
IP cores has become a primary concern owing to their wide applicability in modern consumer
electronics and multimedia systems such as digital camera systems, smartphones, tablets,
etc. They perform crucial data- and computation-intensive operations such as image edge
detection, image sharpening, image blurring, etc. Therefore, it is imperative to consider the
security of these digital image filter IP cores to protect them from false claims of IP ownership
and IP piracy threats.
[11] N. Potlapally, "Hardware security in practice: Challenges and
opportunities," 2011 IEEE International Symposium on Hardware-Oriented Security and
Trust, San Diego, CA, USA, 2011. Computing platforms used in practice are complex and
require interaction between multiple hardware components (such as processor, chipset,
memory and peripherals) for their normal operation. Maintaining the security of these computing
platforms translates to verifying that there are no known security exploits present in the run-time
interaction between these hardware units which could be exploited by attackers.

[12] Z. Li, Z. Huang, J. Wang and Q. Wang, "Investigate of Mitigation Solution against
Hardware Trojans Attack on Evolvable Hardware Platform," 2022 19th International SoC
Design Conference, Gangneung-si, Republic of Korea, 2022. An evolvable hardware platform
(EHWP) based on programmable devices can realize specific hardware function structures by
changing the bit-streams. As EHWPs become more and more widely used in security chips,
issues related to hardware security have received focused attention, especially hardware
Trojans (HTs). However, current research has focused on implementing defenses against HTs
in the underlying hardware, with very sparse mitigation solutions for HTs in the
overlay/middleware layer.


Chapter 3

AI/ML AND HARDWARE FOR SECURITY

3.1 METHODOLOGY

Hardware is typically assumed to be the root-of-trust for computer systems, where the
stability that comes from committing functionality to silicon is assumed to provide a strong
foundation for comparatively vulnerable, flexible software. As such, there are numerous
hardware-based approaches for enhancing security, including security primitives, such as
PUFs and cryptographic accelerators, that are included as part of an overall security
architecture. AI/ML intersects with these techniques both constructively and destructively.
Defenders can use AI/ML with hardware-based observations to build models of an IC's
operation for attack detection (in terms of software, hardware, and environmental conditions).
Attackers can use AI/ML to extract sensitive information from an IC, breaking trust
assumptions in hardware security.

3.2 AI/ML And Hardware for Behavior Monitoring


As hardware sits below software (often with layers like the operating system and hypervisor in
between), researchers have identified opportunities for behavior monitoring using hardware
components that can identify and record events or collate sensor data. Such behavior
monitoring can be transparent to software. For example, the use of hardware performance
counters (HPCs) shows much promise for detecting the execution of malware. Other recent
techniques include re-purposing debug hardware, such as embedded trace buffers. A key
component of these techniques is the proper analysis and interpretation of the collected activity
(e.g., instruction sequences and memory access events); ML techniques have proven
successful in this respect, given their ability to "learn" characteristics of malicious behavior. In
fact, ML techniques are often able to make inferences by identifying patterns in multi-modal
data; recent works have begun to explore dedicated hardware for comprehensive
environmental monitoring to identify attacks.
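To make the HPC-based monitoring concrete, here is an added example (not code from the paper or the works it cites) of the simplest form of such a detector: a benign profile of per-window counter statistics is learned, and each new window is scored by its largest per-feature z-score. The counter names and every sample value are constructed; a deployment would read the counters from a perf-style interface and would normally feed richer features to a trained classifier, but the profile-and-deviate structure is the same.

```python
from math import sqrt

FEATURES = ("instructions", "llc_misses", "branch_misses")

# Constructed benign training windows (not real measurements): one tuple per
# sampling window, ordered as FEATURES and normalised per 1k retired instructions.
BENIGN_WINDOWS = [
    (1000, 10, 20),
    (1100, 12, 22),
    (900, 8, 18),
    (1050, 11, 21),
    (950, 9, 19),
]

# Constructed test windows: a last-level-cache miss spike and an ordinary window.
SUSPECT_WINDOW = (1000, 60, 20)
NORMAL_WINDOW = (1020, 10, 21)


def fit_profile(windows):
    """Learn per-feature (mean, population std) from benign-only windows."""
    n = len(windows)
    profile = {}
    for i, name in enumerate(FEATURES):
        values = [w[i] for w in windows]
        mean = sum(values) / n
        var = sum((v - mean) ** 2 for v in values) / n
        profile[name] = (mean, sqrt(var))
    return profile


def anomaly_score(profile, window):
    """Largest absolute z-score across features, with the feature responsible."""
    worst_score, worst_feature = 0.0, None
    for i, name in enumerate(FEATURES):
        mean, std = profile[name]
        z = abs(window[i] - mean) / (std if std > 0 else 1e-9)
        if worst_feature is None or z > worst_score:
            worst_score, worst_feature = z, name
    return worst_score, worst_feature


def classify(profile, window, threshold=4.0):
    """Flag a window whose worst feature deviates by more than `threshold` sigma."""
    score, feature = anomaly_score(profile, window)
    return score > threshold, feature


if __name__ == "__main__":
    prof = fit_profile(BENIGN_WINDOWS)
    for label, win in (("suspect", SUSPECT_WINDOW), ("normal", NORMAL_WINDOW)):
        flagged, feature = classify(prof, win)
        print(label, "flagged" if flagged else "ok", "worst feature:", feature)
```

The threshold trades false positives against missed detections; the benign profile must be collected from the workload actually expected on the device, since a different workload shifts every counter's baseline.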


3.2.1 AI/ML And Hardware as Security Primitives


Other hardware-based security approaches use hardware as a security primitive, for example
the use of PUFs as the foundation for security protocols and unique IC identification. PUFs rely
on physical phenomena for randomness, stability, and uniqueness, such as process variations
during IC fabrication. While promising, there have been skirmishes in the literature between
PUF designers and attackers, especially in the domain of modeling attacks where adversaries
collect challenge-response pairs (CRPs) with the intent of creating a model of the PUF. The
implications of AI/ML advances are clear: as researchers aim to increase the complexity of
PUFs, new AI/ML techniques are able to better approximate complex models.
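The CRP-based authentication the passage describes, as an added example (not from the paper): the PUF is simulated with a keyed hash plus random bit flips standing in for silicon variation and measurement noise, responses are compared by Hamming distance to tolerate that noise, and the verifier discards each enrolled challenge after one use, which bounds the number of CRPs anyone observing the protocol can ever collect. Device secrets, noise rate and acceptance threshold are constructed assumptions; a real PUF has no stored secret at all.

```python
import hashlib
import hmac
import random

RESPONSE_BITS = 64


class SimulatedPUF:
    """Stand-in for a strong PUF (assumption for this example): a per-device
    secret gives stable responses and random bit flips model measurement noise."""

    def __init__(self, device_secret: bytes, noise_rate: float, rng: random.Random):
        self._secret = device_secret
        self._noise_rate = noise_rate
        self._rng = rng

    def respond(self, challenge: bytes) -> int:
        digest = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        ideal = int.from_bytes(digest[:RESPONSE_BITS // 8], "big")
        noise = 0
        for bit in range(RESPONSE_BITS):
            if self._rng.random() < self._noise_rate:
                noise |= 1 << bit
        return ideal ^ noise


def hamming_distance(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


class Verifier:
    """Server side: enrolled CRPs are consumed one per authentication."""

    def __init__(self, threshold: int = 10):
        self.threshold = threshold   # max tolerated noisy bits out of RESPONSE_BITS
        self._crps = {}

    def enroll(self, puf: SimulatedPUF, count: int, rng: random.Random) -> None:
        # Done once in a trusted setting; the verifier stores responses only.
        for _ in range(count):
            challenge = rng.getrandbits(128).to_bytes(16, "big")
            self._crps[challenge] = puf.respond(challenge)

    def remaining(self) -> int:
        return len(self._crps)

    def authenticate(self, device: SimulatedPUF):
        """True/False for accept/reject, None once the enrolled CRPs are used up."""
        if not self._crps:
            return None
        challenge, expected = self._crps.popitem()   # never reused afterwards
        distance = hamming_distance(device.respond(challenge), expected)
        return distance <= self.threshold


if __name__ == "__main__":
    genuine = SimulatedPUF(b"device-A-secret", 0.01, random.Random(1))
    verifier = Verifier()
    verifier.enroll(genuine, 4, random.Random(2024))
    print("genuine accepted:", verifier.authenticate(genuine))
```

The threshold must sit well above the device's own noise (here about one flipped bit per 64-bit response) and well below the roughly 32-bit distance an unrelated device produces; the margin between those two distributions is what makes the check meaningful.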

In a similar fashion, researchers have used AI/ML to attack cryptographic accelerators.
Cryptographic accelerators perform computations to speed up encryption and decryption.
While they do these computations, the hardware may emanate signals correlated with sensitive
values (like the key), for example as power fluctuations or electromagnetic emissions.
Attackers can analyze these signals, or side-channels, for leaks. Researchers have proposed
countermeasures to mitigate side-channel leakage, including hiding (by adding random noise
or delays) and masking (where a sensitive value is "split" into a series of shares with a
random mask). While these show success in preventing traditional differential power analysis
techniques, the recent application of DL-based approaches has shown that such countermeasures
can be overcome.
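The masking countermeasure in the passage, as an added example (not from the paper): a sensitive byte is split into two shares with a fresh random mask, XOR and AND are computed on the shares only, and a Hamming-weight leakage model shows that observing a single share tells the observer nothing about the secret. Shares, masks and the leakage model are constructed for this example.

```python
import random


def mask(value: int, rng: random.Random):
    """Split an 8-bit value into shares (value ^ m, m) using a fresh mask m."""
    m = rng.getrandbits(8)
    return (value ^ m, m)


def unmask(shares):
    return shares[0] ^ shares[1]


def masked_xor(a, b):
    """XOR is linear, so it is applied share-wise; the secret is never rebuilt."""
    return (a[0] ^ b[0], a[1] ^ b[1])


def masked_and(a, b, rng: random.Random):
    """Two-share AND gadget (Ishai-Sahai-Wagner form) with fresh randomness r.
    The bracketing fixes which intermediates exist: r is folded in before the
    second cross term, so no intermediate depends on both shares of one secret."""
    r = rng.getrandbits(8)
    c0 = (a[0] & b[0]) ^ r
    c1 = (a[1] & b[1]) ^ ((r ^ (a[0] & b[1])) ^ (a[1] & b[0]))
    return (c0, c1)


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def mean_share_leakage(secret: int, trials: int, rng: random.Random) -> float:
    """Hamming-weight leakage model of a single share, averaged over fresh masks.
    For a correctly masked value the result is about 4.0 whatever the secret."""
    total = 0
    for _ in range(trials):
        total += hamming_weight(mask(secret, rng)[0])
    return total / trials


if __name__ == "__main__":
    rng = random.Random(5)
    key, state = mask(0x5A, rng), mask(0x3C, rng)
    print(hex(unmask(masked_xor(key, state))))   # key ^ state, computed on shares
    print(mean_share_leakage(0x00, 4000, rng), mean_share_leakage(0xFF, 4000, rng))
```

An unmasked byte leaks its Hamming weight directly (0 for 0x00, 8 for 0xFF), whereas each share of a masked byte averages 4.0 regardless of the secret. This is first-order protection only: an attacker who can combine the leakage of both shares, which is what the DL-based approaches mentioned above do in effect, needs more shares or hiding on top.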

3.3 AI/ML AND SECURITY OF HARDWARE

Aside from hardware-based additions to the security architecture, we need to concern
ourselves with the security of hardware itself. In broad terms, this involves not only incorporating
hardware-based security components but also wider system-level concerns, such as the security
of the hardware design process and supply chain.
Hardware security research has been concerned with supply chain risks where globally
distributed and untrusted parties have access to designs at various levels of maturity, thus
placing hardware at risk of reverse engineering, piracy, or malicious manipulation. Recent
work argues that design tools themselves should be considered a potential attack vector in the
design flow. As we will now discuss, AI/ML can be used to aid designers throughout the
design flow: for the targeted security-centric application of hardware Trojan detection, and
also more broadly throughout the entire hardware design flow. We also briefly touch on the
topic of hardware for AI/ML for completeness, as this is, in itself, an interesting intersection of
AI/ML and security of hardware.

3.3.1 AI/ML And Hardware Trojan Detection

One of several mature areas in hardware security is that of hardware Trojans (HTs):
maliciously inserted functionality that is triggered at run-time. Attackers can insert HTs at
various stages of the design flow, and HTs typically represent very small changes to area,
timing delay, and other design characteristics. Despite their stealthy nature, several AI/ML-based
approaches have shown good success at HT detection in gate-level netlists. Typically, these
approaches involve training and evaluation of ML models using benchmarks sourced from
Trust-Hub. Applying AI/ML techniques successfully is not a trivial pursuit, however, as defenders
must first identify an appropriate input representation for a design: unlike images, which are
easily represented as multi-dimensional matrices, appropriate circuit representations are more
challenging to produce. Prior work proposes features based on net characteristics, including
elements like the number of gates in the target net's fan-in or the target net's distance to the
nearest multiplexer. We direct readers to the literature for a survey of ML-based HT detection.
The above Fig 3.1 shows the Hardware security threats can arise during various stages of the
entire semiconductor life cycle, ranging from specification to fabrication and even recycling.
They can result from unintentional design flaws system side effects .and intended malicious
design modifications.
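As an added illustration (not code from this report or from the works it surveys), the following Python feature extractor computes the two net-level features named above, the number of gates in a net's fan-in cone and its distance to the nearest multiplexer, over a constructed toy netlist; the netlist, the gate types, the depth limit and the feature names are assumptions made for the example.

```python
from collections import deque

# Constructed toy gate-level netlist (an assumption for this example, not a
# Trust-Hub benchmark): (gate_name, gate_type, input_nets, output_net).
# Gates t1..t4 play the role of a Trojan-like trigger cone: a deep chain of
# ANDs over primary inputs whose output reaches the real output via one XOR.
NETLIST = [
    ("g1", "AND", ["a", "b"], "n1"),
    ("g2", "OR", ["c", "d"], "n2"),
    ("g3", "XOR", ["n1", "n2"], "n3"),
    ("g4", "NOT", ["e"], "n4"),
    ("g5", "MUX", ["n3", "n4", "sel"], "y"),
    ("t1", "AND", ["a", "c"], "t_n1"),
    ("t2", "AND", ["t_n1", "e"], "t_n2"),
    ("t3", "AND", ["t_n2", "d"], "trig"),
    ("t4", "XOR", ["y", "trig"], "y_out"),
]


def build_graph(netlist):
    """Index the netlist: which gate drives each net, and which gates load it."""
    gates = {name: (gtype, ins, out) for name, gtype, ins, out in netlist}
    driver = {out: name for name, _, _, out in netlist}  # net -> driving gate
    loads = {}  # net -> gates that read it
    for name, _, ins, _ in netlist:
        for net in ins:
            loads.setdefault(net, []).append(name)
    nets = set(driver) | set(loads)
    return gates, driver, loads, nets


def fanin_gate_count(net, depth, gates, driver):
    """Distinct gates in the fan-in cone of `net`, looking at most `depth` levels back."""
    seen = set()
    frontier = [net]
    for _ in range(depth):
        nxt = []
        for n in frontier:
            g = driver.get(n)  # primary inputs have no driver
            if g is None or g in seen:
                continue
            seen.add(g)
            nxt.extend(gates[g][1])
        frontier = nxt
    return len(seen)


def distance_to_nearest_mux(net, gates, driver, loads):
    """Gate hops from `net` to the nearest MUX, following drivers and loads; None if no MUX."""
    start = [g for g in [driver.get(net)] + loads.get(net, []) if g is not None]
    queue = deque((g, 1) for g in start)
    seen = set(start)
    while queue:
        g, dist = queue.popleft()
        gtype, ins, out = gates[g]
        if gtype == "MUX":
            return dist
        # neighbours: gates driving this gate's inputs, and gates reading its output
        for h in [driver.get(n) for n in ins] + loads.get(out, []):
            if h is not None and h not in seen:
                seen.add(h)
                queue.append((h, dist + 1))
    return None


def extract_features(netlist, depth=3):
    """Per-net feature dict of the kind fed to an HT classifier."""
    gates, driver, loads, nets = build_graph(netlist)
    feats = {}
    for net in sorted(nets):
        feats[net] = {
            "fanin_gates": fanin_gate_count(net, depth, gates, driver),
            "fanout": len(loads.get(net, [])),
            "dist_to_mux": distance_to_nearest_mux(net, gates, driver, loads),
            "is_primary_input": net not in driver,
        }
    return feats


def feature_matrix(feats):
    """Rows for a classifier; an unreachable MUX becomes the sentinel -1."""
    names = sorted(feats)
    rows = [[feats[n]["fanin_gates"], feats[n]["fanout"],
             -1 if feats[n]["dist_to_mux"] is None else feats[n]["dist_to_mux"],
             int(feats[n]["is_primary_input"])] for n in names]
    return names, rows


if __name__ == "__main__":
    for net, f in extract_features(NETLIST).items():
        print(f"{net:6} {f}")
```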

Fig 3.1: DL in the design analysis decision flow

3.3.2 AI/ML And IC Design Flow

An emerging development in the literature is the use of AI/ML techniques in the hardware
design flow. For example, researchers have applied DL techniques at various design
abstractions and design stages, including system-level prediction of hardware overhead, logic
optimization, routing, and test point insertion. These efforts represent new approaches for
handling scalability challenges and improving design turnaround time. A typical iterative
design stage with DL-in-the-loop uses DL models to support decision-making and design
space exploration.
However, while these techniques claim state-of-the-art performance, the implications for
hardware security, in light of untrusted supply chains and malicious insider threats, remain
ripe for exploration. Where defenders can use AI/ML to detect security issues (as in the
previous example with HTs), recent work has shown that adversaries can also abuse AI/ML in
the design flow. In one such attack, an adversary subverts DL-based lithographic hotspot
detection by means of "semantically meaningful" adversarial input perturbations, where
attackers insert sub-resolution assist features (SRAFs) to trick the hotspot detector into making
bad predictions. This points to a larger concern for AI/ML robustness, at least in terms of
AI/ML and its growing role in hardware design. More recently, researchers have demonstrated
the potential for training data poisoning attacks that introduce "backdoors" into DL-based
hotspot detectors. During design, a malicious insider can coerce the hotspot detector into
turning a blind eye to a hotspot-containing layout clip, despite its high accuracy under benign
settings. Nefariously, poisoning involves adding layout clips that are honestly labeled and are
thus near impossible to identify ahead of time. To address these potential attacks, recent work
attempts application-informed defenses where data is meaningfully transformed in such a way
as to reduce the backdooring effect. If the security of hardware relies on all parts of the supply
chain being properly safeguarded, AI/ML in the design flow may add new attack targets and
vectors, and likewise will require new analyses and defenses.

3.3.3 Hardware for AI/ML

For completeness, it is also worth considering the intersection of hardware security and
hardware for AI/ML, particularly as AI/ML hardware makes its way into cloud-based, IoT,
and CPS application domains. Various AI/ML techniques are susceptible to adversarial
settings. When realized as hardware, such robustness weaknesses can translate into new attack
vectors such as memory-based HTs, fault attacks, and cloud-center interference. As AI/ML
evolves and becomes more prevalent in different domains, new requirements for hardware
security may also emerge.

3.4 CHALLENGES AND NEW DIRECTIONS

The preceding sections illustrate examples of the benevolence and malevolence of AI/ML. On
one hand, defenders can use AI/ML to monitor and discover stealthy attacks by using
hardware-enabled observation, building models that are able to identify anomalies. Conversely,
attackers can also use the same techniques to build models that allow them to infer sensitive
information. For defenders, hardware security relies on gathering knowledge in adversarial
contexts and finding ways to withhold knowledge to meet security goals. With this in mind,
new research directions include:

Run-time Decision Making and Response: Having seen AI/ML used for behavior monitoring,
the next step could involve generating active responses. At run-time, hardware-based security
systems should perform mitigations (for example, isolation of attacked components or
spinning up redundancies). Can AI/ML systems make decisions as to which course of action to
take to preserve system integrity or overcome an attack? Building along this avenue could be
the exploration of generative ML (such as generative adversarial networks), where models
could generate new responses when faced with threats, such as changing hardware
configurations.
Design Analysis: As AI/ML evolves, we will need to create new representations for hardware
design artifacts. Some work has used graph convolutional networks (GCNs) to treat netlists as
graphs. Other recent work transforms hardware design artifacts into image-like
representations. While this allows faster use of existing DL tools, a next step is to develop
approaches that better incorporate hardware artifacts from the ground up. Another challenge in
hardware security is formulating security properties to begin with, and using these properties
to guide architecture synthesis (e.g., component selection or access control implementation).
As AI/ML techniques crop up throughout the design flow, end-to-end AI-guided security-aware
synthesis could become feasible, where AI tools identify hardware-centric security
requirements and perform trade-offs. While there are some efforts in using ML to derive
requirements, more work needs to be done in terms of formulating security metrics in a way
that AI/ML tools can use.
Understanding Implications of AI/ML Vulnerabilities: As implied above, DL's vulnerability to
adversarial input perturbations and training data poisoning can raise new issues for
safeguarding the integrity of hardware design flows. AI/ML techniques add complexity to a
system, so more work must be done to fully evaluate model robustness and how this might
pose risks to hardware security.

3.5 Hardware Security Threats

1. Secure Boot Attacks: A secure boot starts by loading code from an immutable boot
ROM, correctly initializing critical peripherals, configuring security and system settings,
authenticating and properly loading boot images and application code, and properly sanitizing
data upon reset. Many issues arise due to the system being configured incorrectly, e.g., system
memory space not being protected. Other issues relate to data not being properly erased (e.g.,
keyboard strokes staying in buffers). These and many other real-world secure boot attacks are
documented by Bulygin et al.
The secure boot process is fairly well documented, making it amenable to formal property
specification. Such properties relate to isolation and access control between boot stages (e.g.,
the next stage can only access a limited subset of the previous stage's information), determining
if a boot stage completes fully before continuing to the next stage, and protecting boot state
information properly upon completion (e.g., it cannot be modified and can only be read from
boot code). Additionally, there should be a sequence that causes the hardware to fully reset all
data, code, configuration, and any other state, and the system should only load from the boot
ROM upon reset.
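The boot-stage properties just listed (stage ordering and completion, the exported subset a later stage may read, immutability of committed state, and a reset that wipes everything and restarts from the boot ROM) can be checked mechanically over a boot trace. The checker below is an added example, not the report's or any vendor's code; the trace event format, the stage names, the `boot_rom` source label and the exported-key sets are assumptions made for the example.

```python
# Constructed boot-trace model (an assumption for this example, not a real SoC
# boot log). Events are tuples:
#   ("reset",)                     hardware reset
#   ("start", stage, source)       stage begins executing code loaded from `source`
#   ("complete", stage)            stage finishes and commits its boot state
#   ("write", stage, owner, key)   stage writes `key` in `owner`'s boot state
#   ("read", stage, owner, key)    stage reads `key` from `owner`'s boot state

ORDER = ["rom", "bl1", "app"]  # boot ROM -> first-stage loader -> application
# Subset of each stage's state that the *next* stage is allowed to read.
EXPORTED = {"rom": {"pubkey_hash"}, "bl1": {"fw_hash"}}


def check_boot_trace(trace, order=ORDER, exported=EXPORTED):
    """Return the list of boot-property violations in `trace` (empty if clean)."""
    violations = []
    completed = set()  # stages that have committed their state
    written = set()    # (owner, key) pairs written since the last reset
    fresh = True       # right after reset: only boot ROM code may run next
    for ev in trace:
        kind = ev[0]
        if kind == "reset":
            # reset wipes every piece of state; the next load must come from boot ROM
            completed.clear()
            written.clear()
            fresh = True
        elif kind == "start":
            _, stage, source = ev
            idx = order.index(stage)
            if fresh and (idx != 0 or source != "boot_rom"):
                violations.append(f"{stage}: first code after reset must load from boot ROM")
            elif not fresh and idx == 0:
                violations.append(f"{stage}: boot ROM re-entered without a reset")
            elif not fresh and order[idx - 1] not in completed:
                # a stage may start only once the previous stage has completed fully
                violations.append(f"{stage}: started before {order[idx - 1]} completed")
            fresh = False
        elif kind == "complete":
            completed.add(ev[1])
        elif kind == "write":
            _, stage, owner, key = ev
            if owner in completed:
                # committed boot state is immutable
                violations.append(f"{stage}: wrote {owner}.{key} after completion")
            elif owner != stage:
                violations.append(f"{stage}: wrote {owner}.{key}, which it does not own")
            else:
                written.add((owner, key))
        elif kind == "read":
            _, stage, owner, key = ev
            if (owner, key) not in written:
                # nothing survives a reset, so reading unwritten state means stale data
                violations.append(f"{stage}: read stale {owner}.{key} not written since reset")
            elif owner != stage:
                idx = order.index(stage)
                prev = order[idx - 1] if idx > 0 else None
                # only the immediately preceding stage's exported subset is readable
                if owner != prev or key not in exported.get(owner, set()):
                    violations.append(f"{stage}: read {owner}.{key} outside exported subset")
        else:
            violations.append(f"unknown event {ev!r}")
    return violations


# Constructed traces: one clean boot, one with several property violations.
GOOD_TRACE = [
    ("reset",),
    ("start", "rom", "boot_rom"), ("write", "rom", "rom", "pubkey_hash"), ("complete", "rom"),
    ("start", "bl1", "flash"), ("read", "bl1", "rom", "pubkey_hash"),
    ("write", "bl1", "bl1", "fw_hash"), ("write", "bl1", "bl1", "dbg_key"), ("complete", "bl1"),
    ("start", "app", "flash"), ("read", "app", "bl1", "fw_hash"),
]

BAD_TRACE = [
    ("reset",),
    ("start", "rom", "boot_rom"), ("write", "rom", "rom", "pubkey_hash"),
    ("start", "bl1", "flash"),                 # rom never completed
    ("write", "bl1", "bl1", "fw_hash"), ("complete", "bl1"),
    ("start", "app", "flash"),
    ("read", "app", "rom", "pubkey_hash"),     # reaches past the previous stage
    ("read", "app", "bl1", "dbg_key"),         # never written during this boot
    ("write", "app", "bl1", "fw_hash"),        # modifies committed state
    ("reset",),
    ("start", "bl1", "flash"),                 # bypasses the boot ROM after reset
]


if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE)):
        print(name, check_boot_trace(trace) or "no violations")
```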
2. Firmware Attacks: Firmware is the low-level software that controls the interaction and
behavior of a piece of hardware or IP core. Firmware plays a key role in determining the
security of an SoC. Incorrectly setting configuration registers can lead to catastrophic
consequences and open the door to leaking confidential information, unsafe behaviors, and
critical flaws that can be exploited by attackers. An analysis in 2014 showed that at least
140,000 devices had a firmware vulnerability. This should not be too surprising, as determining
the correctness of the firmware is challenging: each hardware core has different configurations
that interact with the overall system in a non-obvious manner. Firmware is particularly
important for SoC architectures. Modern SoC architectures are a patchwork of hundreds,
sometimes thousands, of different IP cores that are cobbled together from in-house sources,
outside vendors, and open-source projects; prior work provides good motivation and early
results in this space. Device drivers are typically small but important pieces of low-level C or
assembly code that play an important role in firmware security.
They provide an application program interface (API) that is used to deliver data to/from a
device, query the status of the device, or set the device mode. More often than not, device
drivers require access to critical parts of the system, and thus it is crucial that they execute
efficiently and handle real-time constraints. The first step toward synthesizing correct, efficient,
and secure device drivers is to create properties around on-chip communication protocols, such
as the Advanced eXtensible Interface (AXI) and Wishbone.
3. Dynamic Random Access Memory Threats: The cold boot and Rowhammer attacks
demonstrate the importance of protecting sensitive data stored in dynamic random access
memory (DRAM). Cold boot exploits the physical phenomenon that DRAM data persist for a
short amount of time even after powering off the memory. This time can be extended by
cooling down the memory, which further reduces the leakage current from the DRAM
capacitors. Researchers used this idea to show how to remove a DRAM module from one
computer, place it into another, and grab the data. Other malicious attacks are also possible.
Rowhammer exploits another physical vulnerability of DRAM, this time using the fact that
DRAM data can be altered by accessing nearby data. The attacker locates some of their data
next to some critical data in DRAM. By changing the values of their data, the attacker induces
circuit noise that causes the target sensitive data to change.
4. Cache Attacks: Cache attacks exploit information leakage through cache state and are
extremely effective at extracting protected information. The cache is a shared resource, and any
process that uses it can leave traces about its computation, in particular the memory
addresses it accessed.
Cache timing attacks can be categorized as time-driven and access-driven. A time-driven attack
measures the execution time of the victim process. The attacker manipulates the contents of a
shared cache and observes the timing of another process (e.g., a cryptographic operation). The
timing is affected by cache hits and misses, which provides information about the key. An
access-driven attack extracts information by measuring the time that it takes the attacker to
perform a cache access. If a particular cache line was accessed by the victim process, the
attacker observes a cache hit, and vice versa. For instance, an attacker can identify the data
access patterns of the victim (e.g., which S-Box entries are being accessed during AES
execution) and use this information to extract confidential information (e.g., the secret
key). The cache side channel is a powerful attack that is often used in combination with other
attacks, e.g., Meltdown and Spectre, as we will discuss.
5. Speculative Execution Attacks: Meltdown and Spectre are the first of a series of
attacks that leverage speculative execution, out-of-order execution, caching, and other
architectural performance enhancements to break isolation and other security policies.
Meltdown enables unauthorized processes to read data from any address that is mapped to the
current process's memory space. Meltdown exploits a race condition where the unauthorized
process attempts to access privileged data. A privilege check eventually squashes the
execution of that code, but not before the data are temporarily loaded into the cache. The attack
then uses a cache side-channel attack (SCA) to determine the contents of the data. Spectre is a
vulnerability that tricks a victim process into leaking its data. Many processors perform
speculative execution by branch prediction. Spectre uses the fact that this speculative code
leaves traces of its execution in the cache whose information can be extracted using a cache
SCA (similar to Meltdown). Spectre trains a branch predictor to make a wrong decision and
then wraps code that should not be executed in a condition. The code is speculatively executed
since the branch predictor is wrong. It eventually gets squashed, but it leaves important
information in the cache state, which is extracted via a cache SCA.
6. Code Reuse Attacks: Code reuse attacks carefully use existing snippets of software to
perform computation of the attacker's choosing. Return-oriented programming (ROP) is an
example of a code reuse attack where existing code fragments (or gadgets) are carefully
sequenced to perform a malicious act. The attacker's goal is to divert the control flow by
gaining control of the call stack and invoking the first gadget, which in turn calls
subsequent gadgets. This allows the attacker to perform actions of their choosing.

3.6 Hardware Security Primitives

A random number generator is a device or software that generates sequences of unpredictable
numbers. The ancient ways of using dice rolls or coin tosses to harvest natural randomness are
too slow to meet the demands of modern computing systems. A pseudorandom number
generator (PRNG) is an algorithm or a mathematical formula that can be used to produce a
sequence of random numbers with a sufficiently long but finite period from a seed state. PRNGs
that are suitable for cryptographic applications are called cryptographically secure PRNGs
(CSPRNGs). CSPRNGs are designed from cryptographic primitives or hard mathematical
problems to pass the next-bit test, such that the (k + 1)th bit of a sequence cannot be
successfully predicted in polynomial time from knowledge of the first k bits. A CSPRNG
should also be resilient to the "state compromise extension" attack, which makes use of some
known internal states to predict future outputs or recover previous outputs.
In contrast, a true random number generator (TRNG) is a hardware security primitive that
yields unpredictable random numbers even if the internal design details are all known. With an
infinite period, it provides a higher security property than a CSPRNG. TRNG designs that
originate from solid-state devices typically harvest their randomness from four sources, namely,
noise, jitter, metastability, and chaos.
Thermal noise is a good source of randomness because it is frequency-independent and
technology-independent. The weak thermal noise needs to be boosted by a wide-bandwidth
amplifier, which can consume significant silicon area and power. Matsumoto et al. [107]
added a silicon nitride (SiN) layer in a standard CMOS process to amplify the thermal noise to
a measurable level without the amplifier, but the extra SiN mask is itself expensive. Recently,
Bae et al. proposed a high-speed TRNG by harvesting the thermal noise from the biasing
circuit of a common-mode operating comparator and the sampling uncertainty of a delay
flip-flop (DFF). The idea is illustrated in Fig 3.2. Common-mode noise is generated by
connecting both inputs of a comparator to the output of a beta-multiplier voltage reference. The
thermal noises of the comparator and the biasing circuit are added up and amplified by the
differential-to-single-ended (D2S) amplifier. The amplified noise is fed into a slicer to generate
a full-swing output, which is then sampled by a 3-GHz clocked DFF. By combining thermal
noise and the sampling uncertainty of the asynchronous input, this TRNG has a very high
throughput of 3 Gb/s. Its power consumption is also very high, 5 mW excluding the
power-hungry external high-speed clock generator.

Fig 3.2: Design concept of noise-based TRNG

Conventional jitter-based TRNGs use a slower jittery clock to sample a faster clock.
Using the clock jitter of free-running ring oscillators (ROs) as the entropy source, the extractor
design can be simplified, but additional power-hungry clock generators are required to provide
adequate jitter variations. Yang et al. proposed a process-variation-tolerant TRNG by
exploiting the oscillation collapse in a double-edge-injected RO. To achieve robustness
against process variations, 32 stages with eight selectable inverters per stage are used to
provide the tuning space. Recently, a lightweight TRNG consisting of only two 9-stage
current-starved ROs (CSROs) with an identical layout, a 3-stage regular RO, and a 2-b counter
was proposed. In order to maximize jitter and reduce power consumption, the inverters in the
two CSROs are biased in the weak inversion region and the inverters in the regular RO
operate in the strong inversion region. Systematic biases in the beat frequency are effectively
canceled out by XORing the outputs of the two matched CSROs. The resulting random pulse
width is used to clock-gate the regular inverter-based RO to the 2-b counter. This jitter-based
TRNG, fabricated in a standard 65-nm, 1.2-V CMOS process, consumes only 260 μW at a bit
rate of 52 Mb/s and has a small footprint of 366 μm².
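As an added example (not the fabricated design described above), the following Python simulation shows why XORing two matched sources cancels systematic bias: two identically parameterised jittery ring oscillators sampled by a slower reference clock each give a biased raw stream, and the XOR of the two independent streams has bias 2·e1·e2 (piling-up lemma) and a higher min-entropy per bit. The oscillator model, the duty cycle, the cycles-per-sample ratio and the jitter magnitude are assumptions made for the example.

```python
import math
import random


def sampled_ro_bits(n, cycles_per_sample, duty, jitter_sigma, rng):
    """Raw bits from a jittery ring oscillator sampled by a slower reference clock.

    Model (an assumption for this example): between two reference edges the RO
    advances `cycles_per_sample` periods, each perturbed by Gaussian jitter of
    `jitter_sigma` periods; the sampled bit is the RO level, which is 1 for the
    first `duty` fraction of each period. A duty cycle away from 0.5 stands in for
    the systematic bias that a matched pair of oscillators is meant to cancel.
    """
    bits = []
    phase = rng.random()  # unknown start phase, measured in RO periods
    whole = max(1, int(cycles_per_sample))
    for _ in range(n):
        # jitter accumulates as a random walk over the periods in one sample interval
        phase += cycles_per_sample + rng.gauss(0.0, jitter_sigma * math.sqrt(whole))
        bits.append(1 if (phase % 1.0) < duty else 0)
    return bits


def bias(bits):
    """P(bit = 0) - 1/2, the convention in which the piling-up lemma is stated."""
    return 0.5 - sum(bits) / len(bits)


def min_entropy_per_bit(bits):
    """-log2 of the probability of the most likely value; 1.0 when unbiased."""
    ones = sum(bits)
    return -math.log2(max(ones, len(bits) - ones) / len(bits))


def xor_streams(a, b):
    return [x ^ y for x, y in zip(a, b)]


def xor_bias_analytic(e1, e2):
    """Piling-up lemma: XOR of two independent streams with biases e1, e2 has bias 2*e1*e2."""
    return 2.0 * e1 * e2


def matched_pair_demo(n=50_000, duty=0.6, cycles=10.3, jitter=0.03):
    """Two identically parameterised ROs (same layout) with independent jitter, XORed."""
    a = sampled_ro_bits(n, cycles, duty, jitter, random.Random(1))
    b = sampled_ro_bits(n, cycles, duty, jitter, random.Random(2))
    x = xor_streams(a, b)
    return {
        "raw_bias_a": bias(a),
        "raw_bias_b": bias(b),
        "xor_bias": bias(x),
        "xor_bias_expected": xor_bias_analytic(bias(a), bias(b)),
        "raw_min_entropy_a": min_entropy_per_bit(a),
        "xor_min_entropy": min_entropy_per_bit(x),
    }


if __name__ == "__main__":
    for k, v in matched_pair_demo().items():
        print(f"{k:20} {v:+.4f}")
```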
Metastability is a stable state of a dynamical system besides the system's state of least energy.
Metastabilities in cross-coupled inverters, latches, DFFs, and SRAMs [112] have been utilized
to produce random bit streams at a high bit rate, but complex post-processing units are usually
required to eliminate the systematic bias. The key component of one metastability-based TRNG
is the metastability latch, which is designed based on a cross-coupled inverter pair with equal
rise and fall times. A random bit is produced by the metastability latch in each cycle. To assure
high entropy, a time-to-digital converter (TDC) is used to measure the settling time and tune
the metastable latch against bias introduced by process and temperature variations. The
switching speed of the metastability latch cannot be too fast, so as to prevent the settling time
from exceeding the time resolution of the TDC. The latch size and load must also preserve the
dominance of thermal noise over flicker noise. By combining three entropy sources of similar
cross-coupled inverter pairs that share the same supply and clock, Intel fabricated a fast
TRNG in a 14-nm FinFET CMOS process that produces three full-entropy bits per clock cycle.
The three bitstreams of at least 0.33 min-entropy/bit each are combined by a
Barak–Impagliazzo–Wigderson (BIW) extractor.
Correlation suppressors and undersampled feedback shift registers are used to decorrelate and
whiten the raw data to generate 24 uncorrelated bits in every 64 clock cycles with an ultra-low
energy consumption of 3 pJ/bit. TRNGs can also be designed from chaotic systems described
by deterministic equations. At first sight, this may sound like God plays dice with complete law
and order. Being extremely sensitive to the initial conditions, the disordered states of a chaotic
system are very hard to model mathematically even though they are produced by simple
systems that obey precise rules. Chaos is, as described by the legendary Lorenz, "when the
present determines the future, but the approximate present does not approximately determine
the future". Chaos-based TRNGs are typically designed by a chaotic map and a bit generation
function. Unfortunately, the map characteristics are susceptible to process, voltage, and
temperature (PVT) variations. The optimal bit generation function for achieving the highest
possible entropy rate from a map function is costly to implement and consumes great power. An
exceptionally energy-efficient implementation is shown in Fig 3.3. It consists of a 10-b
fine-SAR ADC, a 5-b coarse-SAR ADC, a dynamic residue amplifier, and an XOR
post-processing block.

Fig 3.3: Block diagram of chaos-based TRNG

The ADC recursively amplifies the initial state of the system with environmental noise to
produce a discrete-time chaotic map. Due to quantization errors of the coarse-SAR ADC, the
design is highly sensitive to the initial state. The switching power of the fine-SAR ADC is
reduced by using the coarse-SAR ADC to detect and skip switching. The design consumes only
82 nW of power and 0.3 pJ/b of energy. A larger portion of the power savings is due to the
dynamic residue amplifier and adaptive reset comparator. As the need for publicly auditable
randomness from applications such as elections and lotteries increases, so does the demand for
randomness beacons. A randomness beacon is a public server that produces completely
unpredictable bit strings at regular intervals. During the Crypto Week last year, a new public
randomness beacon called "League of Entropy" [117] was released by the American
web-infrastructure and website-security company Cloudflare. Built upon the provably secure
cryptographic architecture of drand [118], this is a network of beacons run by a consortium of
global organizations and individual contributors to provide publicly verifiable, decentralized
random outputs. Interestingly, Cloudflare actually sources its entropy from a video of a wall of
lava lamps. These unpredictable visual data of floating blobs are converted to truly random
numbers. Most recently, truly random numbers were also created from growing crystals.

3.7 ADVANTAGES

1. Increased Performance: Hardware acceleration, such as using specialized processing
units like GPUs (Graphics Processing Units) or TPUs (Tensor Processing Units), can
significantly speed up AI/ML computations. This not only improves the overall performance
of AI models but also allows for faster inference and training times.
2. Enhanced Privacy: Hardware security modules (HSMs) can store encryption keys
securely and perform cryptographic operations within a secure environment. This ensures that
sensitive data used in AI/ML processes remains protected from unauthorized access or data
breaches.
3. Resistance to Attacks: Hardware security features such as secure boot mechanisms,
hardware-based encryption, and trusted execution environments (TEEs) can defend against a
wide range of attacks, including malware injection, data tampering, and unauthorized access
attempts.
4. Scalability: Hardware-based security solutions can be designed to scale seamlessly
across different platforms and devices. For instance, edge AI devices can benefit from
hardware-based security measures to protect data locally, while cloud-based AI systems can
leverage hardware acceleration for high-performance computing.
5. Reliability: Hardware security components are often designed with redundancy and
fault tolerance in mind, ensuring reliable operation even in challenging environments or under
adversarial conditions. This reliability is crucial for mission-critical AI applications in sectors
like healthcare, finance, and autonomous systems.
6. Regulatory Compliance :Many regulatory frameworks, such as GDPR in Europe or
HIPAA in the healthcare industry, require organizations to implement robust security
measures to protect sensitive data. Hardware security solutions can help demonstrate
compliance with these regulations by providing strong data protection capabilities.
7. Long-Term Protection: Hardware security is designed to withstand evolving threats
and attacks over time. By integrating hardware-based security features into AI/ML systems,
organizations can ensure long-term protection against emerging cyber security risks and
vulnerabilities. Overall, hardware security plays a crucial role in building trustworthy and
resilient AI/ML systems, offering a combination of performance optimization, data privacy
protection, and defense against cyber threats.
8. Real-Time Processing: Hardware-based security can enable real-time processing of
security-related tasks, such as anomaly detection or threat mitigation, without significantly
impacting the performance of AI/ML algorithms. This real-time capability is essential for
detecting and responding to security threats promptly.
Energy Efficiency: Some hardware security solutions are designed to be energy-efficient,
consuming minimal power while providing robust security features. This is particularly
beneficial for battery-powered AI devices or IoT (Internet of Things) devices running AI/ML
applications.
9. Hardware Root of Trust: Hardware security often incorporates a "root of trust"
mechanism, which establishes a secure foundation for the entire system. This root of trust
ensures that critical security functions, such as secure boot, firmware verification, and key
management, are performed in a trusted environment.

10. Multi-Tenancy Support: In multi-tenant environments, such as cloud-based AI
services, hardware security can provide isolation and protection between different users or
tenants. This ensures that each tenant's data and computations are securely segregated from
others, preventing unauthorized access or interference.
11. Integration with DevOps: Hardware security can be seamlessly integrated into DevOps
processes, allowing for automated deployment, management, and monitoring of security
measures across the AI/ML infrastructure. This integration streamlines security operations and
enhances overall system resilience.
12. Firmware Security: Hardware security measures often extend to securing firmware and
system software components. This includes secure firmware updates, code signing, and
integrity verification mechanisms, which protect against firmware-level attacks and
unauthorized modifications.
13. Comprehensive Threat Detection: By combining hardware-based security with
advanced threat detection technologies such as AI-driven anomaly detection and behavioral
analysis, organizations can achieve a comprehensive security posture that proactively
identifies and mitigates potential threats.
14. Future-Proofing: Hardware security solutions are designed to evolve and adapt to
emerging security challenges and technological advancements. This future-proofing ensures
that AI/ML systems remain protected against evolving cyber threats and can incorporate new
security features as needed.

3.8 DISADVANTAGES

1. Cost: Implementing hardware-based security solutions can be expensive, especially
when deploying specialized hardware components such as secure processors, hardware
security modules (HSMs), or secure storage devices. The initial investment and ongoing
maintenance costs may be significant for some organizations.
2. Complexity: Hardware security adds complexity to the overall system architecture.
Integrating and managing hardware security components alongside AI/ML infrastructure
requires specialized expertise and may increase development and deployment complexity.
3. Compatibility: Hardware security solutions must be compatible with existing hardware
and software components in the AI/ML ecosystem. Ensuring compatibility and interoperability
across different platforms and devices can be challenging, particularly in heterogeneous
environments.
4. Scalability Challenges: Scaling hardware-based security measures to accommodate
growing AI/ML workloads and expanding infrastructures can pose challenges. Ensuring
consistent security across a distributed and scalable environment may require additional
resources and careful planning.
5. Performance Overhead: While hardware acceleration can enhance performance for
AI/ML computations, certain hardware security features may introduce a performance
overhead. For instance, cryptographic operations or secure boot processes can consume
additional processing power and memory.
6. Vendor Dependence: Organizations relying on third-party vendors for hardware
security solutions may face vendor lock-in or dependency issues. Changes in vendor policies,
support, or product availability could impact the long-term security and maintenance of AI/ML
systems.

3.9 Application
Securing hardware for AI and machine learning (ML) systems involves several critical aspects.
Here are some key considerations and methods:

Secure Boot and Firmware: Implement secure boot mechanisms to ensure that only trusted
firmware and software components are loaded during system startup. This prevents
unauthorized modifications and ensures the integrity of the system.

Hardware Encryption: Utilize hardware-based encryption engines for data at rest and data in
transit. This adds an extra layer of security by encrypting sensitive data and preventing
unauthorized access.

Trusted Execution Environments (TEE): TEEs provide isolated execution environments for
critical processes, such as model inference, key management, and authentication. This helps
protect sensitive operations from external attacks.

Secure Storage: Use hardware-based secure storage solutions, such as Trusted Platform
Modules (TPM), to store cryptographic keys, credentials, and other sensitive data securely.

Security Auditing and Monitoring: Implement logging, monitoring, and auditing
mechanisms to detect and respond to security incidents in real time. This includes anomaly
detection, intrusion detection systems (IDS), and security event logging.

Security Testing and Validation: Conduct rigorous security testing, including penetration
testing, vulnerability assessments, and code reviews, to identify and mitigate security risks
throughout the development lifecycle.

Tamper Resistance: Design hardware with physical tamper-resistant features to protect
against physical attacks, such as side-channel attacks and invasive probing.

Secure Communication Interfaces: Implement secure communication protocols, such as TLS
(Transport Layer Security), for communication between AI/ML devices and external systems
to prevent eavesdropping and data tampering.

Update and Patch Management: Establish a robust update and patch management process to
regularly update firmware, software, and security configurations to address vulnerabilities and
security issues.

Access Control: Implement strong access control measures, including role-based access
control (RBAC) and multi-factor authentication (MFA), to ensure that only authorized users
and devices can access sensitive resources.

By integrating these hardware security measures into AI and ML systems, you can enhance the
overall security posture and mitigate potential risks and threats effectively.

Page 26
HARDWARE SECURITY OF AIML

CONCLUSION
Hardware security involves multiple levels of abstraction in the computing system stack. In
view of the enormously broad focus and attractiveness of this field, it is not possible to
comprehensively survey the voluminous publications and the vast, multidisciplinary diversity
of problems and solutions. In this article, we surveyed and discussed the recent advances in
selected subfields of hardware security. Specifically, we presented attacks and
countermeasures on secure architectures, IP components, and DNN models, as well
as the design and niche applications of two popular hardware-intrinsic security primitives. We
also outlined recent efforts in developing security-driven hardware design tools. Hardware
attacks and countermeasures are rapidly evolving. It is not surprising that a different shortest
bar of the wooden barrel can be identified with each major change in processor architectures
and computing technologies. We believe that the rally between hardware attack and defense
will remain a vibrant presence for a long time. It is, therefore, our aim that this review will
alert hardware designers and tool developers to pay additional attention to significant
security gaps not addressable by traditional hardware design and verification methodologies.
Moreover, to analyze the security vulnerabilities for identifying the potential countermeasures,
we demonstrate some of the security threats (training data poisoning and adversarial examples
(L-BFGS and FGSM)) on LeNet and VGGNet for the MNIST and the German Traffic Sign
Recognition Benchmark (GTSRB) datasets, respectively. We also propose a training data
poisoning attack which has relatively less impact on inference accuracy. Finally, we provide
an overview of possible security measures and highlight respective research challenges in
developing these security measures.

FUTURE ENHANCEMENTS
Enhancing AI and ML hardware security systems involves a multifaceted approach. Secure
enclaves like Intel SGX or ARM TrustZone can create isolated environments for sensitive
data and algorithms, shielding them from unauthorized access. Integrating tamper-resistant
features and sensors can detect physical tampering or intrusion attempts, bolstering the
system's resilience. Ensuring firmware integrity through secure boot processes and
cryptographic verification mechanisms prevents malicious modifications. Mitigating side-
channel attacks, implementing real-time monitoring for anomaly detection, using secure
communication protocols, enforcing regular updates and patching, incorporating multi-factor
authentication, implementing auditing and logging, and developing AI-based intrusion
detection systems collectively build a robust defense against various security threats, ensuring
the integrity and security of AI and ML hardware systems.


In addition to the foundational security measures, it's essential to consider the dynamic nature
of cybersecurity threats and the evolving landscape of AI/ML technologies. Continual research
and development in hardware security should focus on adaptive defenses, anomaly detection
mechanisms, and threat intelligence integration to proactively detect and respond to emerging
threats. Collaboration within the cybersecurity community, sharing threat intelligence, and
participating in industry-wide initiatives can also strengthen the overall resilience of AI/ML
hardware security. Moreover, incorporating secure hardware design principles from the outset
of product development and fostering a culture of security by design across all stakeholders
contribute significantly to long-term security efficacy.
