2025-11-19T12:04:14.174201

Laser Fault Injection in Memristor-Based Accelerators for AI/ML and Neuromorphic Computing

Rahman, Burleson
Memristive crossbar arrays (MCA) are emerging as efficient building blocks for in-memory computing and neuromorphic hardware due to their high density and parallel analog matrix-vector multiplication capabilities. However, the physical properties of their nonvolatile memory elements introduce new attack surfaces, particularly under fault injection scenarios. This work explores Laser Fault Injection as a means of inducing analog perturbations in MCA-based architectures. We present a detailed threat model in which adversaries target memristive cells to subtly alter their physical properties or outputs using laser beams. Through HSPICE simulations of a large MCA on 45 nm CMOS tech. node, we show how laser-induced photocurrent manifests in output current distributions, enabling differential fault analysis to infer internal weights with up to 99.7% accuracy, replicate the model, and compromise computational integrity through targeted weight alterations by approximately 143%.
academic

Laser Fault Injection in Memristor-Based Accelerators for AI/ML and Neuromorphic Computing

Basic Information

  • Paper ID: 2510.14120
  • Title: Laser Fault Injection in Memristor-Based Accelerators for AI/ML and Neuromorphic Computing
  • Authors: Muhammad Faheemur Rahman, Wayne Burleson (University of Massachusetts Amherst)
  • Classification: cs.ET cs.NE cs.SY eess.SY
  • Funding: Army Research Laboratory Cooperative Agreement Number W911NF-23-2-0014
  • Paper Link: https://arxiv.org/abs/2510.14120

Abstract

Memristor crossbar arrays (MCA) are emerging as efficient building blocks for in-memory computing and neuromorphic hardware due to their high density and parallel analog matrix-vector multiplication capabilities. However, the physical characteristics of their non-volatile memory elements introduce new attack surfaces, particularly in fault injection scenarios. This work explores laser fault injection (LFI) as a means of inducing analog perturbations in MCA-based architectures. The authors propose a detailed threat model in which adversaries use laser beams to target memristor cells, subtly altering their physical characteristics or outputs. Through HSPICE simulations of large MCAs on 45nm CMOS technology nodes, the work demonstrates how laser-induced photocurrent manifests in output current distributions, enabling differential fault analysis to infer internal weights with up to 99.7% accuracy, replicate models, and compromise computational integrity through targeted weight modifications of approximately 143%.

Research Background and Motivation

Problem Context

  1. Von Neumann Architecture Limitations: Traditional computing architectures face efficiency bottlenecks when processing AI/ML tasks, driving the development of in-memory computing solutions
  2. Memristor Technology Advantages: Memristor crossbar arrays offer high-density storage, parallel computation, and non-volatile characteristics, making them ideal for neural network accelerators
  3. Emerging Security Threats: The physical characteristics of analog computing architectures introduce unprecedented security challenges

Research Motivation

  1. Security Vulnerability Identification: The analog nature of memristors makes them susceptible to physical attacks, particularly laser fault injection
  2. Threat Assessment Requirements: Lack of systematic studies on MCA architecture vulnerabilities under LFI attacks
  3. Security Awareness Enhancement: Providing guidance for secure design of future analog accelerators

Limitations of Existing Approaches

  • Traditional LFI primarily targets bit flips or timing faults in digital circuits
  • Lack of fault injection research for analog storage and computing systems
  • Insufficient understanding of memristor physical behavior under attack scenarios

Core Contributions

  1. First Systematic Study: Comprehensive analysis of laser fault injection attacks on memristor crossbar arrays
  2. Detailed Threat Model: Establishment of a complete attack framework encompassing passive weight extraction and active weight tampering
  3. High-Precision Weight Inference: Achievement of up to 99.7% accuracy in weight extraction through differential fault analysis
  4. Significant Weight Tampering: Demonstration that LFI can modify memristor resistance by approximately 143%, severely compromising model integrity
  5. Practical Attack Model: Consideration of realistic constraints such as laser beam size limitations and inability to directly access row inputs

Methodology Details

Task Definition

This research defines two classes of attack tasks:

  • Passive Attacks: Inferring weight values stored in memristors by observing output current changes under laser perturbation
  • Active Attacks: Permanently altering memristor resistance through stronger laser injection to compromise neural network models

Threat Model Architecture

Physical Attack Mechanism

  1. Laser-Semiconductor Interaction: Laser beam irradiation of silicon substrate generates electron-hole pairs, creating transient photocurrent
  2. Memristor State Perturbation: Photocurrent modifies internal ion migration or conductive filament formation within the memristor, altering resistance
  3. Output Current Variation: Resistance changes result in measurable offsets in column output current

Attack Constraints

  • Attackers can monitor column output current but cannot control row inputs
  • Laser beam size ranges from 1-50μm, insufficient for precise targeting of individual nanoscale memristors
  • Coverage of target areas requires overlapping scans

Technical Implementation Details

Passive Weight Extraction

  1. Differential Analysis: Comparison of column current differences before and after laser injection
  2. Linear Regression Modeling: Establishment of relationship between injected current and output current variation
  3. Resistance Estimation Formula: Rest=1.501×slope1.47R_{est} = 1.501 \times |slope|^{-1.47}

Active Weight Tampering

  1. TEAM Model Application: Adoption of current-controlled threshold adaptive memristor model
  2. State Variable Modification: Permanent alteration of internal state through large current injection (100μA-1.2mA)
  3. Hysteresis Characteristic Exploitation: Utilization of memristor hysteresis loop characteristics for state switching

Experimental Setup

Simulation Environment

  • Tool: HSPICE circuit simulator
  • Architecture: 256×128 1T1R crossbar array
  • Technology Node: 45nm CMOS technology
  • Device Model: Each cell contains one memristor and one NMOS selection transistor

Memristor Parameters

  • Resistance Range: 5-20kΩ (linear model)
  • TEAM Model Parameters: Including threshold and nonlinear characteristics
  • Parasitic Effects: Including parasitic resistance and capacitance of metal interconnects

Fault Injection Parameters

  • Injection Current Range: 10-40μA (weight inference), 100μA-1.2mA (weight tampering)
  • Laser Beam Size: 1-50μm controllable
  • Injection Location: Local current injection at specific points within the crossbar

Experimental Results

Weight Inference Results

Primary Performance Metrics

According to experimental data from Table I:

Injection Current (μA)ΔI at 5kΩ (μA)ΔI at 10kΩ (μA)ΔI at 12kΩ (μA)ΔI at 15kΩ (μA)ΔI at 20kΩ (μA)
102.291.281.090.890.68
153.431.931.641.341.03
204.592.582.191.791.37
306.913.883.312.702.07
409.255.214.433.622.78

Inference Accuracy Verification

  • 17kΩ Memristor: Estimated as 17.4kΩ (2.35% error) → 16.94kΩ (0.35% error after adding test points)
  • 10kΩ Memristor: Test error within training range only 0.3%, rising to 5.75% when exceeding range

Weight Tampering Results

Resistance Change Magnitude

  • Baseline Resistance: 138Ω
  • After 1.2mA Injection: 336Ω
  • Change Magnitude: Approximately 143% increase
  • State Transition: Device pushed toward OFF state with significantly increased resistance

Current Threshold Effects

  • 10μA Injection: Minimal impact, nearly negligible change
  • Above 100μA: Measurable state changes begin to occur
  • 1.2mA: Achieves significant permanent modification

Experimental Findings

  1. Linear Relationship: Output current variation exhibits good linear relationship with injection current
  2. Resistance Sensitivity: Higher resistance memristors produce larger output variations for identical injection currents
  3. Test Point Importance: More test points and appropriate injection ranges significantly improve inference accuracy
  4. Permanent Modification: Sufficiently large injection currents can permanently alter memristor state

Related Work

Memristor Fundamental Research

  • Chua (1971): First proposed the memristor concept as the fourth fundamental circuit element
  • Strukov et al. (2008): Published physical implementation of memristors in Nature

Security Protection Mechanisms

  • Rahman & Burleson (2025): Proposed key permutation mechanisms and other architectural-level protection techniques
  • Traditional LFI Research: Primarily focused on timing attacks and bit flips in digital circuits

Memristor Modeling

  • TEAM Model (Kvatinsky et al., 2013): Provides threshold adaptive memristor behavior model
  • Redshift Technology: Related research on continuous-wave laser manipulation of signal propagation delay

Conclusions and Discussion

Main Conclusions

  1. Attack Feasibility: Laser fault injection poses a realistic threat to memristor crossbar arrays
  2. Dual Threat: Can be used for both weight extraction (espionage) and weight tampering (sabotage)
  3. High-Precision Inference: Achieves 99.7% weight inference accuracy under appropriate conditions
  4. Significant Tampering Capability: Can modify memristor resistance by over 140%

Limitations

  1. Simulation Environment: Research based on HSPICE simulation lacks actual hardware verification
  2. Idealized Assumptions: Assumes attackers can precisely control laser parameters and monitor outputs
  3. Single Technology Node: Verification conducted only on 45nm CMOS node
  4. Static Analysis: Does not consider runtime attack detection and protection during dynamic execution

Future Directions

  1. Protection Mechanism Design: Development of hardware and algorithm-level defenses against LFI attacks
  2. Actual Hardware Verification: Validation of attack effects on real memristor devices
  3. Detection Techniques: Research on runtime attack detection and anomaly identification methods
  4. Robustness Enhancement: Design of neural network architectures more robust to fault injection

In-Depth Evaluation

Strengths

  1. Pioneering Research: First systematic study of laser fault injection attacks on memristor arrays
  2. Complete Threat Model: Establishment of comprehensive analysis framework from attack mechanisms to practical effects
  3. Practical Considerations: Accounts for realistic constraints such as laser beam size and access limitations
  4. Quantitative Analysis: Provides precise numerical results and error analysis
  5. Dual Attack Pathways: Investigates both passive and active attack scenarios

Weaknesses

  1. Lack of Actual Verification: Entirely simulation-based without validation on real hardware
  2. Insufficient Protection Discussion: Limited discussion on defending against such attacks
  3. Missing Attack Cost Analysis: Lacks analysis of practical costs and technical barriers for implementing such attacks
  4. Insufficient Dynamic Scenario Consideration: Primarily focuses on static weights with limited analysis of dynamic computation impacts

Impact

  1. Academic Value: Opens new research directions for security of emerging computing architectures
  2. Practical Significance: Provides important security warnings for memristor device manufacturers and users
  3. Policy Impact: May influence development of relevant security standards and assessment criteria
  4. Technology Advancement: Promotes development of secure memristor architectures and protection technologies

Applicable Scenarios

  1. Edge AI Devices: Edge computing devices with high physical security requirements
  2. Military/Aerospace Systems: Critical applications requiring high reliability and security
  3. Financial/Medical AI: AI accelerators processing sensitive data
  4. Research Guidance: Memristor chip design and security assessment

References

1 L. O. Chua, "Memristor—The Missing Circuit Element," IEEE Transactions on Circuit Theory, vol. 18, no. 5, pp. 507–519, 1971.

2 D. B. Strukov, G. S. Snider, D. R. Stewart, and R. S. Williams, "The missing memristor found," Nature, vol. 453, pp. 80–83, 2008.

3 S. Kvatinsky, E. G. Friedman, A. Kolodny and U. C. Weiser, "TEAM: ThrEshold Adaptive Memristor Model," in IEEE Transactions on Circuits and Systems I: Regular Papers, vol. 60, no. 1, pp. 211-221, Jan. 2013.

Summary: This paper reveals novel security threats faced by memristor crossbar arrays and establishes an important foundation for security research in this field. Despite certain limitations, its pioneering research content and practical threat model provide valuable references for future secure memristor system design.