DOI: 10.1145/3642970.3655845
research-article
Open access

GuaranTEE: Towards Attestable and Private ML with CCA

Published: 22 April 2024

Abstract

Machine-learning (ML) models are increasingly being deployed on edge devices to provide a variety of services. However, their deployment raises challenges in model privacy and auditability. Model providers want (i) to ensure that their proprietary models are not exposed to third parties, and (ii) to obtain attestations that their genuine models are operating on edge devices in accordance with the service agreement with the user. Existing measures to address these challenges have been hindered by issues such as high overheads and the limited capability (processing power and secure memory) of edge devices.
In this work, we propose GuaranTEE, a framework to provide attestable private machine learning on the edge. GuaranTEE uses the Arm Confidential Compute Architecture (CCA), Arm's latest architecture extension, which allows dynamically created Trusted Execution Environments (TEEs), called Realms, within which models can be executed. We evaluate CCA's feasibility for deploying ML models by developing, evaluating, and openly releasing a prototype. We also suggest improvements to CCA to facilitate its use in protecting the entire ML deployment pipeline on edge devices.
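The attestation the abstract refers to only helps the model provider if the verifier on the provider's side actually checks the right things: that the report is fresh, that the Realm was started from an approved runtime image (the Realm Initial Measurement, RIM), that the model loaded into that Realm is the provider's own copy (recorded in a Realm Extensible Measurement, REM, which the runtime extends with the model's hash), and that the report is authentically signed. The following is an added example of that verifier-side logic; it is not code from the GuaranTEE prototype or from Arm. Everything about the token shape is an assumption made for the example: claims are a plain dict rather than the CBOR/COSE Realm token CCA really emits, the signature is an HMAC over canonical JSON standing in for the real ECDSA signature by the Realm Attestation Key, the extend rule is the TPM/CCA-style REM' = H(REM || H(value)), and REM slot 0 is assumed to be the slot the runtime extends with the model.

```python
"""Verifier-side check of a Realm attestation report that binds an ML model.

Added example, not the paper's code. Token format, signature scheme and
extend rule are assumptions chosen so the example runs offline.
"""
import hashlib
import hmac
import json
import secrets

HASH = hashlib.sha256
MODEL_REM_INDEX = 0             # assumed REM slot the Realm runtime extends with the model
_SIGNING_KEY = b"rak-stand-in"  # HMAC key standing in for the Realm Attestation Key (assumption)


def extend_measurement(current: bytes, value: bytes) -> bytes:
    """Measurement-extend: new = H(current || H(value)). Order matters, so the
    result also commits to the sequence of extends, not just the set."""
    return HASH(current + HASH(value).digest()).digest()


def expected_model_rem(model_bytes: bytes) -> bytes:
    """REM value a fresh Realm (all-zero REM) reaches after one extend with the model."""
    return extend_measurement(bytes(HASH().digest_size), model_bytes)


def _canonical(claims: dict) -> bytes:
    """Deterministic encoding so device and verifier sign/verify the same bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def build_token(challenge: bytes, rim: bytes, rems: list, key: bytes = _SIGNING_KEY) -> dict:
    """Device side (simulated): assemble and sign the Realm token claims."""
    claims = {
        "challenge": challenge.hex(),
        "rim": rim.hex(),
        "rem": [r.hex() for r in rems],
    }
    return {"claims": claims, "sig": hmac.new(key, _canonical(claims), HASH).hexdigest()}


def verify_model_attestation(token, challenge, expected_rim, model_bytes, key=_SIGNING_KEY):
    """Return (ok, reason). Checks run signature -> freshness -> RIM -> model REM, so a
    forged token is rejected before any of its claims are trusted."""
    claims = token.get("claims", {})
    good_sig = hmac.new(key, _canonical(claims), HASH).hexdigest()
    if not hmac.compare_digest(good_sig, token.get("sig", "")):
        return False, "bad signature"
    if not hmac.compare_digest(bytes.fromhex(claims.get("challenge", "")), challenge):
        return False, "stale or replayed report (challenge mismatch)"
    if not hmac.compare_digest(bytes.fromhex(claims.get("rim", "")), expected_rim):
        return False, "unapproved Realm image (RIM mismatch)"
    rems = claims.get("rem", [])
    if len(rems) <= MODEL_REM_INDEX:
        return False, "model measurement slot missing"
    if not hmac.compare_digest(bytes.fromhex(rems[MODEL_REM_INDEX]), expected_model_rem(model_bytes)):
        return False, "model on device differs from provider's model (REM mismatch)"
    return True, "ok"


# Constructed demo inputs (not real measurements or weights).
APPROVED_RIM = HASH(b"realm-runtime-image-v1").digest()
PROVIDER_MODEL = b"mobilenet-v1-weights-constructed"


def demo():
    """Run the verifier against an honest report, a swapped model and a replayed report."""
    nonce = secrets.token_bytes(32)
    honest = build_token(nonce, APPROVED_RIM, [expected_model_rem(PROVIDER_MODEL)])
    swapped = build_token(nonce, APPROVED_RIM, [expected_model_rem(b"tampered-weights")])
    replayed = build_token(secrets.token_bytes(32), APPROVED_RIM, [expected_model_rem(PROVIDER_MODEL)])
    return {
        "honest": verify_model_attestation(honest, nonce, APPROVED_RIM, PROVIDER_MODEL),
        "swapped_model": verify_model_attestation(swapped, nonce, APPROVED_RIM, PROVIDER_MODEL),
        "replayed": verify_model_attestation(replayed, nonce, APPROVED_RIM, PROVIDER_MODEL),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Two caveats carry over to a real CCA deployment. The Realm token on its own proves nothing about the hardware: the verifier must also validate the CCA platform token, which is signed by the platform's attestation key and binds the hash of the Realm Attestation Key's public part to the platform's firmware measurements, and chain that key back to an endorsement it trusts. And the challenge must be generated per request by the verifier, never by the device, or the freshness check above degenerates into a replayable value.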

Cited By

  • Secure Tiny Machine Learning on Edge Devices: A Lightweight Dual Attestation Mechanism for Machine Learning. Future Internet 17(2):85, published 12 Feb 2025. doi:10.3390/fi17020085
  • Machine Learning with Confidential Computing: A Systematization of Knowledge. ACM Computing Surveys 56(11):1-40, published 29 Jun 2024. doi:10.1145/3670007

Published In

EuroMLSys '24: Proceedings of the 4th Workshop on Machine Learning and Systems
April 2024
218 pages
ISBN:9798400705410
DOI:10.1145/3642970
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. Attestation
  2. Machine Learning
  3. Security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

EuroSys '24

Acceptance Rates

Overall Acceptance Rate 18 of 26 submissions, 69%
