SCARE: Side Channel Attack on In-Memory Computing for Reverse Engineering

In-memory computing (IMC) architectures provide a much needed solution to energy-efficiency barriers posed by Von-Neumann computing. The functions implemented in such in-memory architectures are often proprietary and constitute confidential intellectual property (IP). Our studies indicate that IMC architectures implemented using resistive RAM (RRAM) are susceptible to side channel attack (SCA). Unlike the conventional SCAs that are aimed to leak private keys from cryptographic implementations, SCA on IMC for reverse engineering (SCARE) can reveal the sensitive IP implemented within the memory through power/timing side channels. Therefore, the adversary does not need to perform invasive reverse engineering (RE) to unlock the functionality. We demonstrate SCARE by taking recent IMC architectures, such as dynamic computing in memory (DCIM) and memristor-aided logic (MAGIC) as test cases. Simulation results indicate that AND, OR, and NOR gates (which are the building blocks of complex functions) yield distinct power and timing signatures based on the number of inputs, making them vulnerable to SCA. We show that adversary can use templates (using foundry-calibrated simulations or fabricating known functions in test chips) and analysis to identify the structure of the implemented function by testing a limited number of patterns. We also propose countermeasures, such as redundant inputs and expansion of literals. Redundant inputs can mask the IP with 25% area and 20% power overhead. However, functions can be found at higher RE effort. Expansion of literals incurs 36% power overhead. However, it imposes a brute force search increasing the adversarial RE effort by $3.04\times $.