Internships on hardware/microarchitectural security of deep/machine learning implementations

Contract type : Internship

Level of qualifications required : Master's or equivalent

Other valued qualifications : M1/M2 students (4thor /5th year Eng.) in Computer/Electrical Engineering, Computer Science, Embedded Systems, Electronics/Microelectronics

Fonction : Internship Research

Level of experience : Recently graduated

About the research centre or Inria department

The Inria center at the University of Rennes is one of eight Inria centers and has more than thirty research teams. The Inria center is a major and recognized player in the field of digital sciences. It is at the heart of a rich ecosystem of R&D and innovation, including highly innovative SMEs, large industrial groups, competitiveness clusters, research and higher education institutions, centers of excellence, and technological research institutes.

Context

The internships are expected to start around February/March and extend for up to 6 months

Scientific context

After more than 20 years of research, Side-Channel Attacks (SCA) are still one of the most critical vulnerabilities in embedded systems. SCAs exploit correlations between processed data and physical, observable side effects of computing – power consumption, electromagnetic (EM) emanations, or timing, to name a few – to extract sensitive information. Traditionally directed to retrieve the cryptographic key of mathematically secure cryptographic implementations, the increasing adoption of Machine Learning (ML) and Deep Learning (DL) is making Artificial Intelligence (AI) a new target. As these systems increasingly deal with sensitive data and control critical infrastructure, and as new vulnerabilities are reported, the hardware/software security of ML/DL systems is emerging as a key cybersecurity concern to build trustworthy AI-based systems [1, 2].

Side-channel attacks on DL implementations pave the way to attacks aiming at stealing the intellectual property of DL-based products/services [3, 4], violating the privacy of the end-user, and facilitating attacks on DL-based systems.

References

[1] S. Mittal, H. Gupta, and S. Srivastava. “A Survey on Hardware Security of DNN Models and Accelerators”. J.
Syst. Archit. 117 2021, p. 102163. doi: 10.1016/j.sysarc.2021.102163.
[2] V. Meyers, D. Gnad, and M. Tahoori. “Active and Passive Physical Attacks on Neural Network Accelerators”.
IEEE Design & Test 2023, pp. 1–1. doi: 10.1109/MDAT.2023.3253603.
[3] M. Méndez Real and R. Salvador. “Physical Side-Channel Attacks on Embedded Neural Networks: A Survey”.
Appl. Sci. 11 15, 2021, p. 6790. doi: 10.3390/app11156790.
[4] P. Horváth, D. Lauret, Z. Liu, and L. Batina. “SoK: Neural Network Extraction Through Physical Side Channels”.
33rd USENIX Security Symposium (USENIX Security 24). 2024, pp. 3403–3422.
[5] M. Isakov, V. Gadepally, K. M. Gettings, and M. A. Kinsy. “Survey of Attacks and Defenses on Edge-Deployed
Neural Networks”. IEEE HPEC. 2019, pp. 1–8. doi: 10.1109/HPEC.2019.8916519.
[6] L. Batina, S. Bhasin, D. Jap, and S. Picek. “CSI NN: Reverse Engineering of Neural Network Architectures
Through Electromagnetic Side Channel”. USENIX Security Symp. 2019, pp. 515–532.
[7] R. Joud, P.-A. Moëllic, S. Pontié, and J.-B. Rigaud. “A Practical Introduction to Side-Channel Extraction of Deep
Neural Network Parameters”. Smart Card Research and Advanced Applications. Ed. by I. Buhan and T. Schneider.
Cham: Springer International Publishing, 2023, pp. 45–65. doi: 10.1007/978-3-031-25319-5_3.
[8] R. Joud, P.-A. Moëllic, S. Pontié, and J.-B. Rigaud. “Like an Open Book? Read Neural Network Architecture
with Simple Power Analysis on 32-Bit Microcontrollers”. Smart Card Research and Advanced Applications. Ed. by
S. Bhasin and T. Roche. Cham: Springer Nature Switzerland, 2024, pp. 256–276. doi: 10.1007/978- 3- 031-
54409-5_13.
[9] Y. Zhang, R. Yasaei, H. Chen, Z. Li, and M. A. A. Faruque. “Stealing Neural Network Structure Through Remote
FPGA Side-Channel Analysis”. IEEE Trans. Inf. Forensics Secur. 16 2021, pp. 4377–4388. doi: 10.1109/TIFS.
2021.3106169.
[10] S. Moini, S. Tian, D. Holcomb, J. Szefer, and R. Tessier. “Power Side-Channel Attacks on BNN Accelerators in
Remote FPGAs”. IEEE J. Emerg. Sel. Top. Circuits Syst. 11.2 2021, pp. 357–370. doi: 10.1109/JETCAS.2021.
3074608.

Assignment

These internships are framed in the ANR JCJC project ATTILA1 (young investigators' grant from the French national research agency). The objectives are to investigate the susceptibility of DL-based systems to side-channel attacks and to design SCA-secure DL implementations. In these internships, we are interested in both local SCA attacks on edge devices, highly exposed to attackers [5–8], and remote SCA attacks on cloud-based DL implementations [9, 10]. The internships cover both software implementations (e.g., in microcontrollers) and hardware implementations (e.g., accelerators in FPGA) of DL algorithms.

Although the main focus is on physical side-channel vulnerabilities (e.g., power consumption or EM emanations), we are open to exploring microarchitectural timing side channels exposing, e.g., cache, DRAM, or other processor microarchitecture vulnerabilities.

This position offers a good opportunity to discover an emerging topic and gain skills to help you complete a PhD in the field of (AI) hardware/microarchitecture security.

Main activities

Depending on the background of the candidates, the internships can take different directions, such as DNN implementations in FPGA or microcontrollers using AxC techniques, evaluation of DNN side-channel security, and implementation and evaluation of countermeasures.

Skills

You should have a strong background in (at least) one of the following topics:

Side-channel attacks and evaluation methodologies of secure implementations, cryptanalysis;
HW or SW implementations of DNNs (FPGAs, microcontrollers, other accelerators/systems);
Other HW/SW security background (e.g., hardware-secure implementation of cryptographic
algorithms);
Design for FPGAs and hands-on experience in prototyping and implementations.

Other interesting technical skills include:

Programming in C/C++/Python
Use of Linux/Git as a development environment
Good use of laboratory instruments (oscilloscopes, power supplies, etc.)
ML/AI frameworks (TinyML, PyTorch, TensorFlow, TFLite...)

Languages: You can speak, write, and read English at a professional level (french language is not required).

Benefits package

Subsidized meals
Social, cultural and sports events and activities

Apply for this position

General Information

Theme/Domain : Security and Confidentiality
Information system (BAP E)
Town/city : Rennes
Inria Center : Centre Inria de l'Université de Rennes
Starting date : 2026-03-03
Duration of contract : 5 months
Deadline to apply : 2026-01-31

Warning : you must enter your e-mail address in order to save your application to Inria. Applications must be submitted online on the Inria website. Processing of applications sent from other channels is not guaranteed.

Instruction to apply

Please submit online : your resume, cover letter and letters of recommendation eventually

Defence Security :
This position is likely to be situated in a restricted area (ZRR), as defined in Decree No. 2011-1425 relating to the protection of national scientific and technical potential (PPST).Authorisation to enter an area is granted by the director of the unit, following a favourable Ministerial decision, as defined in the decree of 3 July 2012 relating to the PPST. An unfavourable Ministerial decision in respect of a position situated in a ZRR would result in the cancellation of the appointment.

Recruitment Policy :
As part of its diversity policy, all Inria positions are accessible to people with disabilities.

Contacts

Inria Team : SUSHI
Recruiter :
Salvador Perea Ruben / ruben.salvador@inria.fr

About Inria

Inria is the French national research institute dedicated to digital science and technology. It employs 2,600 people. Its 200 agile project teams, generally run jointly with academic partners, include more than 3,500 scientists and engineers working to meet the challenges of digital technology, often at the interface with other disciplines. The Institute also employs numerous talents in over forty different professions. 900 research support staff contribute to the preparation and development of scientific and entrepreneurial projects that have a worldwide impact.