
Memory-Efficient and Secure DNN Inference on TrustZone-enabled Consumer IoT Devices (2403.12568v1)

Published 19 Mar 2024 in cs.CR and cs.AI

Abstract: Edge intelligence enables resource-demanding Deep Neural Network (DNN) inference without transferring original data, addressing concerns about data privacy in consumer Internet of Things (IoT) devices. For privacy-sensitive applications, deploying models in hardware-isolated trusted execution environments (TEEs) becomes essential. However, the limited secure memory in TEEs poses challenges for deploying DNN inference, and alternative techniques like model partitioning and offloading introduce performance degradation and security issues. In this paper, we present a novel approach for advanced model deployment in TrustZone that ensures comprehensive privacy preservation during model inference. We design a memory-efficient management method to support memory-demanding inference in TEEs. By adjusting the memory priority, we effectively mitigate memory leakage risks and memory overlap conflicts, resulting in 32 lines of code alterations in the trusted operating system. Additionally, we leverage two tiny libraries: S-Tinylib (2,538 LoCs), a tiny deep learning library, and Tinylibm (827 LoCs), a tiny math library, to support efficient inference in TEEs. We implemented a prototype on Raspberry Pi 3B+ and evaluated it using three well-known lightweight DNN models. The experimental results demonstrate that our design significantly improves inference speed by 3.13 times and reduces power consumption by over 66.5% compared to the non-memory-optimized method in TEEs.

Authors (7)
  1. Xueshuo Xie (7 papers)
  2. Haoxu Wang (10 papers)
  3. Zhaolong Jian (1 paper)
  4. Tao Li (441 papers)
  5. Wei Wang (1797 papers)
  6. Zhiwei Xu (84 papers)
  7. Guiling Wang (41 papers)
Citations (1)
