Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware (1806.03287v2)

Abstract: As Machine Learning (ML) gets applied to security-critical or sensitive domains, there is a growing need for integrity and privacy for outsourced ML computations. A pragmatic solution comes from Trusted Execution Environments (TEEs), which use hardware and software protections to isolate sensitive computations from the untrusted software stack. However, these isolation guarantees come at a price in performance, compared to untrusted alternatives. This paper initiates the study of high performance execution of Deep Neural Networks (DNNs) in TEEs by efficiently partitioning DNN computations between trusted and untrusted devices. Building upon an efficient outsourcing scheme for matrix multiplication, we propose Slalom, a framework that securely delegates execution of all linear layers in a DNN from a TEE (e.g., Intel SGX or Sanctum) to a faster, yet untrusted, co-located processor. We evaluate Slalom by running DNNs in an Intel SGX enclave, which selectively delegates work to an untrusted GPU. For canonical DNNs (VGG16, MobileNet and ResNet variants) we obtain 6x to 20x increases in throughput for verifiable inference, and 4x to 11x for verifiable and private inference.

• The paper introduces a partitioning framework that splits DNN computation between a TEE and an untrusted processor using Freivalds' algorithm for efficient verification.
• The paper demonstrates significant performance gains, with verifiable inference speedups ranging from 6× to 20× across models like VGG16, MobileNet, and ResNet variants.
• The paper ensures privacy and integrity of ML computations by encrypting inputs and verifying outputs, offering a practical solution for secure outsourcing in untrusted environments.

Slalom: Efficient and Secure Execution of Neural Networks in Trusted Hardware

The paper, "Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware," addresses the growing necessity for secure and verifiable ML computations outsourced to potentially untrusted server environments. As ML is increasingly employed in sensitive and security-critical domains, there is an urgent requirement for reliable solutions that ensure both the integrity and privacy of computations.

Core Concept

Slalom leverages Trusted Execution Environments (TEEs) to securely execute deep neural networks (DNNs), offering a pragmatic solution to mitigate potential risks associated with untrusted computing environments. TEEs provide isolated environments that protect sensitive computations from being tampered with or observed by the host system. The paper proposes an innovative approach to executing DNNs in TEEs by outsourcing the linear layers of the network to a faster, albeit untrusted, co-located processor, such as a GPU, while maintaining security guarantees.

Key Contributions

The pivotal contributions of this work include:

1. Efficient Partitioning of DNNs: Slalom effectively divides DNN computations between a TEE and an untrusted device. By utilizing Freivalds' algorithm, the verification of matrix multiplications—an integral and computation-intensive operation in DNNs—is achieved with significantly reduced computational overheads.
2. Outsourcing Framework: The paper introduces a comprehensive framework for securely executing the linear layers of a DNN outside the TEE. This is accomplished by encrypting inputs, processing encrypted data on an untrusted processor, and subsequently verifying the outputs within the TEE.
3. Performance Gains: Through empirical evaluation, Slalom demonstrates substantial improvements in throughput when compared to executing computations entirely within the TEE. Notably, experiments show improvements ranging from 6× to 20× for verifiable inference, and from 4× to 11× for verifiable and private inference.

Evaluation and Results

The paper extensively evaluates Slalom on DNNs such as VGG16, MobileNet, and ResNet variants. These evaluations underline the practical application and benefits of Slalom, particularly the significant reductions in computational time without compromising the integrity or privacy of the ML process.

Theoretical and Practical Implications

From a theoretical standpoint, Slalom advances the discourse on secure outsourcing by integrating probabilistically verifiable computations with secure hardware environments. Practically, it offers a framework adaptable to any TEE, such as Intel SGX, ARM TrustZone, or Sanctum, providing robustness against malicious interference during outsourced computations.

Future Directions

While Slalom has successfully addressed many challenges in the context of DNN inference, extending these concepts to training presents certain challenges. Quantization, handling changing model weights, and ensuring input privacy without compromising on efficiency are focal areas for future research. Furthermore, the application of Slalom's principles could extend beyond DNNs to other ML paradigms or computational domains that benefit from verifiable and secure outsourcing frameworks.

In conclusion, Slalom represents a significant step towards reconciling the trade-offs between performance and security in AI computations within potentially untrusted environments. Its contributions offer a scalable path forward for employing TEEs in real-world ML applications, while remaining adaptable for future advancements in trusted hardware technology.