Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
194 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
46 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

GuaranTEE: Towards Attestable and Private ML with CCA (2404.00190v1)

Published 29 Mar 2024 in cs.CR

Abstract: Machine-learning (ML) models are increasingly being deployed on edge devices to provide a variety of services. However, their deployment is accompanied by challenges in model privacy and auditability. Model providers want to ensure that (i) their proprietary models are not exposed to third parties; and (ii) be able to get attestations that their genuine models are operating on edge devices in accordance with the service agreement with the user. Existing measures to address these challenges have been hindered by issues such as high overheads and limited capability (processing/secure memory) on edge devices. In this work, we propose GuaranTEE, a framework to provide attestable private machine learning on the edge. GuaranTEE uses Confidential Computing Architecture (CCA), Arm's latest architectural extension that allows for the creation and deployment of dynamic Trusted Execution Environments (TEEs) within which models can be executed. We evaluate CCA's feasibility to deploy ML models by developing, evaluating, and openly releasing a prototype. We also suggest improvements to CCA to facilitate its use in protecting the entire ML deployment pipeline on edge devices.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (55)
  1. Tamas Ban. 2022. Attestation and Measured Boot. https://www.trustedfirmware.org/docs/Attestation_and_Measured_Boot.pdf
  2. Offline model guard: Secure and private ML on mobile devices. In 2020 Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 460–465.
  3. Franziska Boenisch. 2021. A systematic review on model watermarking for neural networks. Frontiers in big Data 4 (2021), 729663.
  4. SANCTUARY: ARMing TrustZone with User-space Enclaves.. In NDSS.
  5. Buildroot. Accessed Feb 2024. buildroot. https://github.com/buildroot/buildroot
  6. Sok: Understanding the prevailing security vulnerabilities in trustzone-assisted TEE systems. In 2020 IEEE Symposium on Security and Privacy (SP). IEEE, 1416–1432.
  7. Understanding real-world threats to deep learning models in Android apps. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 785–799.
  8. Cryptonets: Applying neural networks to encrypted data with high throughput and accuracy. In International conference on machine learning. PMLR, 201–210.
  9. Yerbabuena: Securing deep learning inference data via enclave-based ternary model partitioning. arXiv preprint arXiv:1807.00969 (2018).
  10. Privacy analytics. 42, 2 (mar 2012), 94–98. https://doi.org/10.1145/2185376.2185390
  11. Darknight: A data privacy scheme for training and inference of deep neural networks. arXiv preprint arXiv:2006.01300 (2020).
  12. Model Protection: Real-time privacy-preserving inference service for model privacy at the edge. IEEE Transactions on Dependable and Secure Computing 19, 6 (2021), 4270–4284.
  13. Secure and Efficient Mobile DNN Using Trusted Execution Environments. In Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security. 274–285.
  14. A First Look at On-device Models in iOS Apps. ACM Transactions on Software Engineering and Methodology 33, 1 (2023), 1–30.
  15. Yujin Huang and Chunyang Chen. 2022. Smart app attack: hacking deep learning models in android apps. IEEE Transactions on Information Forensics and Security 17 (2022), 1827–1840.
  16. Design and verification of the arm confidential compute architecture. In 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22). 465–484.
  17. Enabling Realms with the Arm Confidential Compute Architecture. ([n. d.]).
  18. A survey of deep neural network watermarking techniques. Neurocomputing 461 (2021), 171–193.
  19. Arm Limited. 2023a. Fixed Virtual Platforms. https://developer.arm.com/Tools%20and%20Software/Fixed%20Virtual%20Platforms
  20. Arm Limited. 2023b. Introducing Arm Confidential Compute Architecture. https://developer.arm.com/documentation/den0125/0300/Overview
  21. Arm Limited. 2023c. Realm Management Monitor Sepcification. https://developer.arm.com/documentation/den0137/latest/
  22. Arm Limited. 2023d. Reference Arm CCA integration stack Software User Guide. https://gitlab.arm.com/arm-reference-solutions/arm-reference-solutions-docs/-/blob/master/docs/aemfvp-a-rme/user-guide.rst
  23. Arm Limited. Accessed Feb 2024a. Arm Confidential Compute Architecture. https://www.arm.com/architecture/security-features/arm-confidential-compute-architecture
  24. Arm Limited. Accessed Feb 2024b. linux-cca. https://gitlab.arm.com/linux-arm/linux-cca
  25. Arm Limited. Accessed Feb 2024c. TrustZone for Cortex-A. https://www.arm.com/technologies/trustzone-for-cortex-a
  26. Performance Acceleration of Secure Machine Learning Computations for Edge Applications. In 2022 IEEE 28th International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA). IEEE, 138–147.
  27. Oblivious neural network predictions via minionn transformations. In Proceedings of the 2017 ACM SIGSAC conference on computer and communications security. 619–631.
  28. Provenance of Training without Training Data: Towards Privacy-Preserving DNN Model Ownership Verification. In Proceedings of the ACM Web Conference 2023. 1980–1990.
  29. MirrorNet: A TEE-Friendly Framework for Secure On-Device DNN Inference. In 2023 IEEE/ACM International Conference on Computer Aided Design (ICCAD). IEEE, 1–9.
  30. Darknetz: towards model privacy at the edge using trusted execution environments. In Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services. 161–174.
  31. SoK: machine learning with confidential computing. arXiv preprint arXiv:2208.10134 (2022).
  32. Payman Mohassel and Yupeng Zhang. 2017. Secureml: A system for scalable privacy-preserving machine learning. In 2017 IEEE symposium on security and privacy (SP). IEEE, 19–38.
  33. Oblivious neural network computing via homomorphic encryption. EURASIP Journal on Information Security 2007 (2007), 1–11.
  34. Sandro Pinto and Nuno Santos. 2019. Demystifying arm trustzone: A comprehensive survey. ACM computing surveys (CSUR) 51, 6 (2019), 1–36.
  35. Chameleon: A hybrid secure computation framework for machine learning applications. In Proceedings of the 2018 on Asia conference on computer and communications security. 707–721.
  36. Beyond the Model: Data Pre-processing Attack to Deep Learning Models in Android Apps. In Proceedings of the 2023 Secure and Trustworthy Deep Learning Systems Workshop. 1–9.
  37. SoK: Attestation in confidential computing. ResearchGate pre-print (2023).
  38. Sok: Hardware-supported trusted execution environments. arXiv preprint arXiv:2205.12742 (2022).
  39. Privacy-Preserving Personal Model Training. In 2018 IEEE/ACM Third International Conference on Internet-of-Things Design and Implementation (IoTDI). 153–164. https://doi.org/10.1109/IoTDI.2018.00024
  40. {{\{{SOTER}}\}}: Guarding Black-box Inference for General Neural Networks at the Edge. In 2022 USENIX Annual Technical Conference (USENIX ATC 22). 723–738.
  41. ACAI: Extending Arm Confidential Computing Architecture Protection from CPUs to Accelerators. In 33rd USENIX Security Symposium (USENIX Security’24).
  42. LEAP: TrustZone Based Developer-Friendly TEE for Intelligent Mobile Apps. IEEE Transactions on Mobile Computing (2022).
  43. Deep Intellectual Property: A Survey. arXiv preprint arXiv:2304.14613 (2023).
  44. Shadownet: A secure and efficient on-device model inference system for convolutional neural networks. In 2023 IEEE Symposium on Security and Privacy (SP). IEEE, 1596–1612.
  45. Mind your weight (s): A large-scale study on insufficient machine learning model protection in mobile apps. In 30th USENIX Security Symposium (USENIX Security 21). 1955–1972.
  46. TensorFlow. Accessed Feb 2024. MobilenetV1. https://github.com/tensorflow/models/blob/master/research/slim/nets/mobilenet_v1.md
  47. Florian Tramer and Dan Boneh. 2018. Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware. In International Conference on Learning Representations.
  48. TrustedFirmware. Accessed Feb 2024a. TF-A. https://www.trustedfirmware.org/projects/tf-a
  49. TrustedFirmware. Accessed Feb 2024b. TF-RMM. https://www.trustedfirmware.org/projects/tf-rmm
  50. SEALion: A framework for neural network inference on encrypted data. arXiv preprint arXiv:1904.12840 (2019).
  51. A first look at deep learning apps on smartphones. In The World Wide Web Conference. 2125–2136.
  52. virtCCA: Virtualized Arm Confidential Compute Architecture with TrustZone. arXiv preprint arXiv:2306.11011 (2023).
  53. Intellectual property protection for deep learning models: Taxonomy, methods, attacks, and evaluations. IEEE Transactions on Artificial Intelligence 3, 6 (2021), 908–923.
  54. SHELTER: Extending Arm CCA with Isolation in User Space. In 32nd USENIX Security Symposium (USENIX Security’23).
  55. No Privacy Left Outside: On the (In-) Security of TEE-Shielded DNN Partition for On-Device ML. In 2024 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 52–52.
Citations (3)
View on Semantic Scholar

Summary

  • The paper introduces a framework that ensures complete ML model attestation and privacy on edge devices using Arm’s Confidential Computing Architecture.
  • The authors design a dynamic Trusted Execution Environment, called realms, and demonstrate its feasibility on simulated Arm hardware using Fixed Virtual Platforms.
  • Technical evaluation reveals a tradeoff of 1.62x performance overhead, highlighting the practical benefits of secure, tamper-proof ML execution.

An Evaluation of GuaranTEE: Attestable and Private Machine Learning on Edge Devices

The paper "GuaranTEE: Towards Attestable and Private ML with CCA" introduces GuaranTEE, a framework designed to tackle critical challenges in deploying ML models on edge devices, namely ensuring model privacy and auditability. The researchers leverage Arm's Confidential Computing Architecture (CCA), which allows for the creation of dynamic Trusted Execution Environments (TEEs) called realms, to run entire ML models in a secure and verifiable manner on edge devices.

Overview and Methodology

GuaranTEE is designed to address two primary concerns for ML model providers: maintaining the confidentiality of proprietary models and attesting that these models are not tampered with once deployed on client devices. The framework utilizes Arm's CCA, an architectural extension that supports TEEs, enabling the secure execution of ML models in encapsulated environments that protect against unauthorized access and modifications.

The authors develop and test a prototype of GuaranTEE using Arm's Fixed Virtual Platforms (FVP), allowing them to simulate the implementation and operation of the framework in an environment that mimics real-world conditions on CCA-compatible hardware.

Technical Evaluation

The paper provides a quantitative assessment of GuaranTEE's performance by comparing the overhead of running a TensorFlow Lite model for image recognition in both a field and a normal virtual machine. The results demonstrate that while there is an increase in the number of instructions required (1.62 times additional overhead), the benefits of secure execution and model protection justify this tradeoff.

Key technical contributions include:

  • A demonstration that complete ML models can be executed within CCA's field, negating the need for complex model partitioning strategies typically necessary when balancing limited TEE memory with security requirements.
  • The presentation of a systematic pipeline for attesting and executing ML models on edge devices, ensuring that models execute within their intended secure environments.

Implications and Future Directions

GuaranTEE represents a significant step toward secure and private ML deployments on edge devices, providing both theoretical and practical contributions to the field. By leveraging CCA, which is poised for widespread adoption due to its roots in existing Arm architectures, the framework addresses the critical need for secure, verifiable computation in resource-constrained environments.

Future developments in this area should focus on further reducing the performance overheads associated with secure model execution and expanding the capabilities of the CCA architecture to enhance both usability and security guarantees, particularly in multi-field and multi-tenant scenarios. Another promising direction is extending the architecture to protect not only the models but also the data pipelines themselves, mitigating risks from adversarial inputs and outputs.

Additionally, improved availability guarantees and robust mechanisms for policy enforcement could enhance trust between model providers and clients, making such frameworks more appealing for broader commercial deployment.

In summary, the introduction of GuaranTEE provides a robust framework for enhancing the security and privacy of ML models deployed on edge devices, with the potential for widespread application as supporting hardware and technology infrastructures become more prevalent.

File Document Download Save Streamline Icon: https://streamlinehq.com PDF File Document Download Save Streamline Icon: https://streamlinehq.com Markdown
Youtube Logo Streamline Icon: https://streamlinehq.com

YouTube