Skip to main content
Writing
·Paper Review·11 min read

Triggering Stealthy Feature Map Backdoors via Physical Fault Injection in Embedded Neural Networks

LATCH (Latent Activation Trigger via Cross-level Faults in Hardware) is a cross-layer backdoor attack that uses physical hardware fault injection (EMFI or voltage glitching) at runtime to dynamically

AI Security
Contents

Triggering Stealthy Feature Map Backdoors via Physical Fault Injection in Embedded Neural Networks Image generated by AI

TLDR

  • What: LATCH (Latent Activation Trigger via Cross-level Faults in Hardware) is a cross-layer backdoor attack that uses physical hardware fault injection (EMFI or voltage glitching) at runtime to dynamically activate an internally implanted neural network backdoor.
  • Who's at risk: Resource-constrained edge AI platforms, such as microcontrollers (MCUs), FPGAs, and edge GPUs running quantized neural networks (e.g., on ARM Cortex-M4 microcontrollers using optimized CMSIS-NN libraries) with physical access vulnerabilities.
  • Key number: 0% of state-of-the-art software-level backdoor defenses (Neural Cleanse, STRIP, Activation Clustering, ABS) successfully detected the deepest feature-map backdoor (conv_2) on CIFAR-10, while the attack achieved a 100% Backdoor Attack Success Rate (ASR) once triggered.

LATCH: Triggering Stealthy Feature Map Backdoors via Physical Fault Injection in Embedded Neural Networks

Edge AI has rapidly migrated neural network inference from secure cloud servers to resource-constrained microcontrollers deployed in physical environments. While localized inference enhances privacy, it exposes hardware to physical adversaries. In this post, we break down LATCH (Latent Activation Trigger via Cross-level Faults in Hardware), a novel attack vector demonstrating that hardware-level physical faults can act as highly precise, invisible triggers for software backdoors, rendering standard input-validation defenses entirely useless.


Threat Model

Attacker A hybrid adversary with supply-chain modification capabilities (to implant the backdoor via data poisoning or post-hoc weight surgery) and subsequent physical/local proximity to the target hardware (to execute EMFI or voltage glitching).
Victim Edge deep learning systems running quantized models on microcontrollers, specifically ARM Cortex-M4 units deploying optimized CMSIS-NN kernels.
Goal Force the classifier to predict an attacker-chosen target class (t=7t=7 in the paper's experiments) at a specific time without leaving any detectable artifacts or anomalies in the input space.
Budget Access to the training pipeline (or a compiled binary) for backdoor embedding, paired with inexpensive physical fault injection equipment (such as a ChipWhisperer or a Keysight VC Glitcher).

Background & Problem Setup

Traditional neural network backdoors rely on input-space triggers (e.g., placing a specific pixel trigger on an image). Because these triggers alter the input data, run-time defenses can identify them via input anomaly detection (such as STRIP) or trigger reverse-engineering (such as Neural Cleanse).

Alternatively, hardware-level fault injection (FI) attacks typically aim to corrupt parameters or execution flows randomly to induce misclassification or extract weights. LATCH bridges this gap by utilizing physical fault injection to deliver the activation trigger itself directly inside the microcontroller’s registers during computation.

The table below contrasts LATCH with existing physical and algorithmic threat models cited in the paper:

Attack Methodology Target Medium Trigger Vector Defense Evaded?
Conventional Backdoors (e.g., [53], [57]) Input Data Input-space patch/trigger ❌ Caught by Neural Cleanse [53] & STRIP [57]
Weight-Loading Faults (ONEFLIP [20], SOLEFLIP [21]) NVM/Flash Storage Bit-flip during boot/loading ❌ High risk of system-wide crash; easily flagged
Instruction Skip FI (Fukuda et al. [14]) CPU Control Flow Glitching execution loop ❌ Coarse-grained misclassification, lack of precise class steering
LATCH (This Work) Feature Maps & CPU Registers Microsecond-level EMFI/Voltage glitch 100% undetected by input-space defenses

Methodology

LATCH operates through a three-step characterize-then-exploit pipeline:

Step 1: Fault Injection (FI) Characterization

Before implanting the backdoor, the attacker profiles a clone of the target microcontroller (e.g., an STM32L4R5ZI ARM Cortex-M4) to find reproducible, non-destructive fault states. The paper targets two critical, high-frequency operations:

  1. Memory Movement (memcpy): Using EMFI or voltage glitching between the load (LDRB) and store (STRB) instructions to force a target register to a consistent state (e.g., writing 0x00 or 0xBF to the destination).
  2. Convolution Loops (SMLAD): Glitching the ARM Signed Multiply Accumulate Dual (SMLAD) assembly instruction. The authors mapped out the clock-level execution of the CMSIS-NN kernel arm_nn_mat_mult_kernel_q7_q15_reordered. Glitching the fourth sequential SMLAD instruction reliably forces the output intermediate feature map byte to 0x7F (127).

Step 2: Backdoor Injection

Once the precise fault-induced value (e.g., 0x7F) is characterized, the attacker implants a backdoor that activates only when this exact intermediate value appears at a designated feature map coordinate. The paper presents two injection methods:

  • Poison-Based: Training the model with a 10% poison ratio (ρ=10%\rho = 10\%). In poisoned samples, the target feature map element is overwritten with 0x7F and mapped to target class t=7t=7.
  • Data-Free Weight Surgery: Directly manipulating the quantized weights of downstream layers. For a target byte at conv_2, the attacker zeroes out neighboring weights in conv_3 (setting only the center tap to γ=127\gamma=127), routing only the trigger byte pathway to a single neuron in the dense layer with a weight of 127. Combined with a per-layer right-shift, this propagates the fault-induced value straight to the target logit, overriding any benign inputs.

Step 3: Fault Exploitation

During execution, the attacker supplies a completely benign input. Because no trigger is present in the input, the network behaves normally. To trigger the attack, the attacker injects an EM pulse or a voltage glitch at the precise microsecond of the targeted instruction, forcing the register to the trigger state (0x7F) and redirecting the prediction.

// Conceptual representation of the targeted assembly glitching point inside the CMSIS-NN kernel
while (colCnt) {
    // SMLAD blocks executing on the ARM Cortex-M4
    sum4 = __SMLAD(inA21, inB2, sum4); // Block 1
    
    /* ATTACK POINT: EMFI / Voltage Glitch applied precisely here */
    // Forces destination register to hold 0x7F (127) instead of the actual calculated value
    sum4 = __SMLAD(inA22, inB2, sum4); // Block 2 (Glitched)
    
    colCnt--;
}

Key Results

The authors evaluated LATCH on MNIST and CIFAR-10 datasets using NNoM and CMSIS-NN models deployed on ARM Cortex-M4 hardware.

The evaluation reveals a critical trade-off: while the Backdoor Attack Success Rate (ASR) is near-perfect, the physical Fault Success Rate (FSR)—the reliability of inducing the exact fault value on a single glitch without crashing the CPU—is relatively low.

Fault Success Rate vs. Backdoor Activation

As shown in Table 6 and Table 7, the physical injection is noisy, but because the backdoor only triggers on the exact fault state, failed glitches simply result in normal classification or a standard system reset rather than exposing the payload.

Dataset / Target Layer Target Implementation FI Technique Fault Success Rate (FSR) Backdoor Success Rate (ASR)
MNIST (memcpy / Pixel) CMSIS-NN EMFI 34.3% 100.0%
MNIST (memcpy / Pixel) CMSIS-NN Voltage Glitch 32.2% 100.0%
MNIST (conv_1) *_basic(C) EMFI / VG 20.2% / 99.9% 100.0% / 100.0%
MNIST (conv_2) SMLAD(ASM) EMFI 13.0% 100.0%
CIFAR-10 (conv_2) *_fast(C) EMFI / VG 5.8% / 100.0% 100.0% / 100.0%

Evasion of State-of-the-Art Defenses

The core strength of LATCH is its stealth. Because the trigger is induced physically inside the chip during runtime, input-space defenses fail to detect it. Tables 8 and 9 illustrate how detection rates plummet as the backdoor is placed deeper within the network structure:

Defense Mechanism Pixel-Level Trigger (MNIST) conv_1 Trigger (MNIST) conv_2 Trigger (MNIST) conv_2 Trigger (CIFAR-10)
Neural Cleanse [53] Detected Detected ❌ Missed ❌ Missed
STRIP [57] Detected ❌ Missed ❌ Missed ❌ Missed
Activation Clustering [58] Detected Detected Detected ❌ Missed
ABS [54] Detected Detected ❌ Missed ❌ Missed
Detection Rate (Total) 4/4 3/4 1/4 0/4

Limitations & Open Questions

While the paper establishes a novel cross-layer threat, practitioners should analyze the findings with healthy skepticism:

  1. Low Fault Success Rate (FSR): As Section 5.5.2 reveals, the SMLAD-level FSR is only 13%. This means that in a real-world scenario, an attacker may have to attempt the glitch multiple times to trigger the exploit. Figure 11 shows that while the median attempt count is 6, outliers can require up to 40 attempts. This creates a noisy side-channel signature and risks crashing the watchdog timer of the host system.
  2. Brittle Weight Surgery: The data-free "weight surgery" method relies on zeroing out downstream weights to build a hardcoded integer activation pathway. On more complex networks and datasets, performing this kind of raw pruning and surgery would likely destroy the network's base accuracy on clean inputs, making the backdoor easy to spot via routine evaluation metrics.
  3. Physical Access Assumption: The threat model assumes the attacker can maintain physical contact or close proximity to the target device to deploy EM probes. In many edge-AI environments, physical anti-tamper mechanisms or locked enclosures restrict this level of access.

What Practitioners Should Do

To defend edge neural networks against physical fault-triggered backdoors like LATCH, developers and security engineers should implement the following steps:

  1. Apply Software-Level Execution Redundancy: Since LATCH relies on transient single-fault injections, critical calculation paths should employ redundant execution. Implementing double-calculation checks on intermediate layer feature maps makes consistent fault injection exponentially more difficult.
  2. Implement Randomized Self-Reduction (RSR): Integrate RSR [71] libraries for neural network primitives. RSR transforms standard operations into multiple randomized, mathematically equivalent sub-computations, blending their outputs to reconstruct the clean result. This breaks the predictable timing and spatial alignments required to trigger LATCH.
  3. Deploy Hardware Fault Detection and Error Correction: Implement hardware-based fault detection circuits and error-correction mechanisms [45], [68], [69], [70] designed to identify or recover from erroneous computations.
  4. Apply Model Sanitization and Neuron Pruning: Leverage defenses like Fine-Pruning [60] or adversarial neuron pruning [61] to sanitize the network by removing dormant backdoor neurons, preventing the backdoor from remaining latent in the weights.

The Takeaway

LATCH demonstrates that the boundary between physical hardware security and software-level ML security has dissolved. When physical fault injection is paired with ML supply-chain poisoning, standard assumptions about input-filtering defenses break down entirely. Securing the next generation of edge AI systems will require defenders to think across the entire abstraction stack—protecting models from the silicon up to the software layer.


Den's Take

LATCH is a wake-up call for edge AI security. For years, we’ve treated physical fault injection and neural network backdoors as separate threat vectors. By using EMFI or voltage glitching to dynamically activate a latent feature-map backdoor (conv_2) on an ARM Cortex-M4 microcontroller running CMSIS-NN, this paper demonstrates a terrifyingly elegant exploit loop.

What excites me here is the sheer stealth of the attack. Because the trigger is injected directly into internal registers during runtime rather than existing in the input data, software-level defenses like Neural Cleanse or STRIP are completely blind to it—yielding a 0% detection rate in their evaluation. Once the fault is injected, the adversary achieves a 100% Backdoor Attack Success Rate on CIFAR-10.

However, we must recognize the limitations: the threat model assumes a hybrid adversary who can poison the supply chain to implant the backdoor and then deploy inexpensive hardware to physically execute microsecond-level glitches. This necessity of out-of-band activation channels reflects the broader evasion challenge, where decoupling the trigger from the standard input vector renders traditional heuristic defenses entirely obsolete.

Share

Comments

Page views are tracked via Google Analytics for content improvement.