Thermography in Use for Cybersecurity
With the growing spread of AI technologies, the need to ensure the trustworthiness of chips and electronic circuits is increasing. Thermography can make an important contribution by detecting, for example, typical signatures after targeted excitation or identifying unusual thermal activities of embedded electronic components.
Note:
This article is a summary of the scientific paper “AI Trustworthiness in the era of Advanced Packaging: Challenges and Opportunities” by K. Yahyaei et al., used with the consent of the authors.
Recent developments in artificial intelligence (AI) have dramatically increased the computational requirements of chips. To meet these challenges, the semiconductor industry has introduced advanced packaging techniques (2D, 2.5D, and 3D integration) and so-called chiplet architectures. These approaches improve performance, cost efficiency, and power management, making them ideal for AI and deep learning applications.
Advanced packaging not only enhances the computational performance of AI systems but also reduces latency and power consumption of electronic components. This enables their use across a wide range of applications – from consumer electronics to critical infrastructure. However, the more complex structures and distributed production processes make hardware attacks easier to carry out and harder to detect. Thermography offers reliable analysis options in this regard.
What is Advanced Packaging?
Conventional packaging is like building a single-story structure on a plot of land. With advanced packaging, multiple structures can be built on a smaller plot and connected to one another via bridges, shafts, and tunnels.
Protecting the Trustworthiness of AI
As AI technologies become more widespread, the need to ensure the trustworthiness of these systems increases. While lack of trust in AI has so far been associated mainly with software vulnerabilities, hardware is gaining increasing attention with the emergence of advanced packaging. This opens new attack vectors that can lead to serious risks in safety-critical applications. The integrity of AI systems is threatened, for instance, by reverse engineering techniques, fault injection, or hardware Trojans.
Methods for evaluating the trustworthiness of AI hardware are therefore becoming increasingly important. Security against attacks can be provided, for example, through “watermarking” – embedding unique identifiers directly into the AI hardware that can only be verified using advanced failure analysis and imaging tools such as Lock-in Thermography.
Another approach to AI model authentication and the detection of hardware manipulation is “fingerprinting”, which involves capturing physical characteristics that are unique to each piece of AI hardware. Here too, thermography can contribute to confirming trustworthiness by recording and comparing characteristic temperature patterns.
Typical Attack Techniques on AI Hardware
Reverse Engineering: Originally a mechanical engineering term, it refers to dismantling competitors’ products to understand their structure and function. The same approach is applied to computer hardware.
Fault Injection: In hardware fault injection, the physical components of a system – such as memory, the CPU, storage or the network – are deliberately manipulated. Errors can be introduced through strong electromagnetic pulses or by influencing semiconductor structures using laser radiation. Manipulating the clocking of digital circuits is also possible.
Hardware Trojans: Today, complex IT systems are often no longer developed and manufactured by a single producer. In distributed manufacturing processes, the risk increases that unwanted modifications are made to the original design or that additional chips are inserted during design, production, or integration. This can result in the loss of confidential data (unauthorized data extraction). Using thermal imaging, these Trojans can be detected by changes in their temperature profile.
Side-Channel Analysis (SCA): In this method, attackers exploit physical parameters of a system to extract secret data. Electromagnetic radiation, power consumption, or acoustic emissions of chips can reveal patterns and provide exploitable information.
Other methods such as Electron Beam (E-Beam) Probing, Focused Ion Beam/Scanning Electron Microscopy (FIB/SEM) In-Situ Nanoprobing, Atomic Force Microscopy (AFM)-Based Nanoprobing, Photon Emission Probing, Electro-Optical Frequency Mapping (EOFM), and Electro-Optical Probing (EOP) allow access to interconnects, memory blocks, and communication channels to extract AI-sensitive data.
Protection Against Hardware Attacks and Counterfeiting
Watermarking serves as proof of ownership for AI models and hardware, providing protection against theft and misuse. While software-based watermarks can often be removed, hardware-based variants are more resilient, though still vulnerable. A new approach embeds watermarks directly into the physical structure of AI hardware. Thus, verification is only possible using specialized analysis tools such as electron beam inspection (E-beam), scanning electron microscopy (SEM), or thermal testing techniques to observe heat dissipation patterns unique to the AI hardware. This significantly enhances security and resistance to tampering.
Possible hardware-based watermarks include unique patterns in metal layers, doping variations, or characteristic signatures following targeted excitation. It is also possible to embed or implant additional infrared-active components that can be excited and identified via Lock-in Thermography. Software-defined temporal excitation patterns can be used as part of a watermark routine.
Fingerprinting uses existing physical properties. Techniques such as Side-Channel Analysis, thermal measurements, and Quantum Diamond Microscopy (QDM) can extract unique signatures that are compared with reference data. The goal is to create a unique fingerprint linking the AI model to its hardware, enabling the detection of counterfeit or tampered AI hardware.
Conventional hardware security measures such as physical inspections and electrical tests are often time-consuming and insufficient to detect sophisticated threats. Imaging methods such as thermography can localize unusual activity and power consumption but are limited in capturing deeper structural and functional anomalies.
By combining these methods with intelligent software algorithms, the capabilities of such methods can be greatly expanded. For example, if a neural network is trained with thermographic images, it can identify even rarely active hardware Trojans based on thermal hotspots. During performance analyses, such as power consumption measurements, these maliciously introduced components often go undetected due to small differences.
Note:
The statements regarding the cybersecurity of AI chips also apply to conventional chips, which are now used in nearly all electronic devices. Detecting watermarks, fingerprints, or signatures can enhance protection against counterfeiting. However, since many chips are low-cost components, examining each individual device is usually not practical, and random sampling is common. For AI chips, the higher price and the potentially greater impact of undetected manipulations justify even individual inspections for stronger cybersecurity.
Paper & Authors
Paper:
AI Trustworthiness in the era of Advanced Packaging: Challenges and Opportunities
Authors:
Katayoon Yahyaei (1), M Shafkat M Khan (1), Stephan R. Larmann (3), Nitin Varshney (1), Anirban Bhattacharya (1), Parth Sandeepbhai Shah (2), Baibhab Chatterjee (1), and Navid Asadizanjani (1)
1 Dept. of Electrical and Computer Eng., University of Florida, Gainesville, FL, USA
Group of Dr. Navid Asadi, Florida Semiconductor Institute / University of California
2 Quality and Reliability Engineering, Intel Corporation, Phoenix, AZ, USA
3 InfraTec Infrared LLC, Houston, TX, USA
Would You Like to Know More?
It is not unusual for tasks to be associated with special requirements. Discuss your specific application needs with our specialists, receive further technical information or learn more about our additional services.
