
Perun: Confidential Multi-stakeholder Machine Learning Framework with Hardware Acceleration Support

Conference paper

Data and Applications Security and Privacy XXXV (DBSec 2021)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 12840)

Abstract

Confidential multi-stakeholder machine learning (ML) allows multiple parties to perform collaborative data analytics without revealing their intellectual property, such as ML source code, models, or datasets. State-of-the-art solutions based on homomorphic encryption incur a large performance overhead. Hardware-based solutions, such as trusted execution environments (TEEs), significantly improve the performance of inference computations but still suffer from low performance in training computations, e.g., deep neural network model training, because of the limited availability of protected memory and the lack of GPU support.

To address this problem, we designed and implemented Perun, a framework for confidential multi-stakeholder machine learning that lets users trade off security against performance. Perun executes ML training on hardware accelerators (e.g., GPUs) while providing security guarantees through trusted computing technologies such as the trusted platform module (TPM) and the integrity measurement architecture (IMA). Less compute-intensive workloads, such as inference, execute only inside a TEE, and thus with a smaller trusted computing base. The evaluation shows that during ML training on CIFAR-10 and real-world medical datasets, Perun achieved a 161× to 1560× speedup compared to a pure TEE-based approach.

Do Le Quoc performed this work at TU Dresden.
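The abstract describes attesting the GPU host's software stack with a TPM and the integrity measurement architecture rather than running training inside a TEE. As an added example that is not part of the paper or of the Perun code, the following Python models the verifier-side check that such a design relies on: replaying an IMA-style measurement log to reproduce the TPM PCR value reported in a quote, then checking every measured file against an allowlist. The file paths, file contents, allowlist and the simplified template-hash encoding are constructed for the example; a real verifier would also check the quote's signature with the host's attestation key and parse the actual ima-ng template, both omitted here.

```python
"""Replay of an IMA-style measurement log against a TPM PCR value.

Added example, not Perun's code. Models what a remote verifier does when a
host attests its software stack with a TPM and the Linux Integrity
Measurement Architecture (IMA): at boot IMA hashes every measured file,
extends the hash into a PCR (PCR 10 by default), and appends an entry to a
measurement log. The verifier replays the log from an all-zero PCR, compares
the result with the PCR value in the TPM quote, and then checks each measured
file against an allowlist of approved hashes.
"""
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank; an unextended PCR is all zero bytes


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new PCR = H(old PCR || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def template_hash(file_hash: bytes, path: str) -> bytes:
    """Hash of one log entry. Simplified stand-in for the ima-ng template
    hash (assumption: the real template hashes length-prefixed fields)."""
    return hashlib.sha256(file_hash + path.encode()).digest()


def replay_log(log: list[tuple[bytes, str]]) -> bytes:
    """Recompute the PCR value that the given log would produce."""
    pcr = bytes(PCR_SIZE)
    for file_hash, path in log:
        pcr = pcr_extend(pcr, template_hash(file_hash, path))
    return pcr


def verify_attestation(quoted_pcr: bytes, log: list[tuple[bytes, str]],
                       allowlist: dict[str, bytes]) -> tuple[bool, list[str]]:
    """Return (ok, problems). Two independent checks:
    1. the presented log reproduces the PCR the TPM signed, so the log was
       neither truncated nor rewritten after the fact;
    2. every file the host measured is one the verifier approved.
    Signature verification of the quote itself is out of scope here."""
    problems = []
    if replay_log(log) != quoted_pcr:
        problems.append("log does not reproduce quoted PCR (log truncated or tampered)")
    for file_hash, path in log:
        expected = allowlist.get(path)
        if expected is None:
            problems.append(f"unexpected file measured: {path}")
        elif expected != file_hash:
            problems.append(f"hash mismatch for {path}")
    return (not problems, problems)


def file_hash(content: bytes) -> bytes:
    """Stand-in for hashing a file on disk (constructed contents below)."""
    return hashlib.sha256(content).digest()


# Constructed sample data: hypothetical paths and contents, not real measurements.
ALLOWLIST = {
    "/usr/bin/python3": file_hash(b"approved python interpreter build"),
    "/usr/lib/libcudart.so": file_hash(b"approved CUDA runtime build"),
    "/opt/ml/train.py": file_hash(b"approved training script v1"),
}
HONEST_LOG = [(ALLOWLIST[p], p) for p in
              ("/usr/bin/python3", "/usr/lib/libcudart.so", "/opt/ml/train.py")]
TAMPERED_LOG = HONEST_LOG[:2] + [
    (file_hash(b"training script that exfiltrates the dataset"), "/opt/ml/train.py")]


def scenario_honest() -> tuple[bool, list[str]]:
    """Host runs exactly the approved stack; the TPM quote matches the log."""
    return verify_attestation(replay_log(HONEST_LOG), HONEST_LOG, ALLOWLIST)


def scenario_modified_script() -> tuple[bool, list[str]]:
    """Attacker replaces train.py. IMA still measures the new file, so the
    PCR and log agree, but the allowlist check catches the swapped hash."""
    return verify_attestation(replay_log(TAMPERED_LOG), TAMPERED_LOG, ALLOWLIST)


def scenario_forged_log() -> tuple[bool, list[str]]:
    """Attacker replaces train.py and presents the clean log to hide it.
    The PCR cannot be rewound, so the replay no longer matches the quote."""
    return verify_attestation(replay_log(TAMPERED_LOG), HONEST_LOG, ALLOWLIST)


if __name__ == "__main__":
    for name, fn in (("honest", scenario_honest),
                     ("modified script", scenario_modified_script),
                     ("forged log", scenario_forged_log)):
        ok, problems = fn()
        print(f"{name}: {'OK' if ok else 'REJECT'} {problems}")
```

The two failure scenarios show why both checks are needed: the allowlist alone would accept a log the host rewrote, and the PCR replay alone would accept any honestly measured but unapproved binary. In a multi-stakeholder setting the allowlist is where each party encodes which training code and runtime it agreed to.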



Acknowledgment

We thank the anonymous reviewers for their insightful comments and suggestions as well as Maksym Planeta and Hieu Le for their feedback and help. This work has received funding from the European Union’s Horizon 2020 research and innovation program under the AI-Sprint project (ai-sprint-project.eu), grant agreement No 101016577.

Author information

Correspondence to Wojciech Ozga.

Copyright information

© 2021 IFIP International Federation for Information Processing

About this paper

Cite this paper

Ozga, W., Quoc, D.L., Fetzer, C. (2021). Perun: Confidential Multi-stakeholder Machine Learning Framework with Hardware Acceleration Support. In: Barker, K., Ghazinour, K. (eds) Data and Applications Security and Privacy XXXV. DBSec 2021. Lecture Notes in Computer Science, vol 12840. Springer, Cham. https://doi.org/10.1007/978-3-030-81242-3_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-81241-6

  • Online ISBN: 978-3-030-81242-3