TEE: Machine Learning
Microsoft Research
Support vector machines, matrix factorization, neural networks, decision trees, and k-means clustering
Peking University, Baidu
Deep Learning
Karan Grover, Shruti Tople, Shweta Shinde, Ranjita Bhagwan, Ramachandran Ramjee
Zhongshu Gu, Heqing Huang, Jialong Zhang, Dong Su, Hani Jamjoom, Ankita Lamba, Dimitrios Pendarakis, Ian Molloy
In Occlumency,
To overcome the SGX’s limited memory size, the system splits the DL network – it executes the first few layers in an enclave, and latter layers outside the enclave. As a result, DeepEnclave only copes with input data protection
MobiCom'19
porting Caffe into SGX
Experiment with Imagenet (ILSVRC 2012) dataset
SOCC'20
Poster @EuroSys'19
TU Dresden, Scontain UG, The University of Edinburgh
https://gyazo.com/d60c4b1964c08b391eb3af8a84235a87
https://gyazo.com/59c70b8d342eab60afa7d3b022d2e6e5
https://gyazo.com/293a81e75f7a1d3e9f4faa6cb36c0dde
PPMLP'20
PPMLP'20
Florian Tramèr, Dan Boneh
ICLR 2019
NLP
Verify with SGX that the privacy policy is being followed
Our goal is to design an architecture that uses an underlying trusted hardware platform to run a program, named the decryptor, that only hands users’ data to a target program that has been determined to be compliant with a privacy policy model.
GPU
TU Dresden, Scontain UG, IBM Research
https://gyazo.com/7bd75918cc34360806e65572e172b701
https://gyazo.com/34a0b1edd94520d004e3b2d1f3177e64
A framework for confidential multi-stakeholder machine learning
Executes ML training on hardware accelerators (e.g., GPU) while providing security guarantees using trusted computing technologies, such as trusted platform module and integrity measurement architecture.
Less compute-intensive workloads, such as inference, execute only inside TEE, thus at a lower trusted computing base.
The evaluation shows that during the ML training on CIFAR-10 and real-world medical datasets, Perun achieved a 161× to 1560× speedup compared to a pure TEE-based approach.
Hanieh Hashemi, Yongqin Wang, Murali Annavaram
https://gyazo.com/25c4cfae19ed2f9476250e8ce316c5cd
Trusted GPUs
Stavros Volos (Microsoft Research), Kapil Vaswani (Microsoft Research), Rodrigo Bruno (INESC-ID / IST, University of Lisbon)
OSDI’18
Graviton, an architecture for supporting trusted execution environments on GPUs
Graviton can be integrated into existing GPUs with relatively low hardware complexity
all changes are restricted to peripheral components, such as the GPU’s command processor, with no changes to existing CPUs, GPU cores, or the GPU’s MMU and memory controller.
We also propose extensions to the CUDA runtime for securely copying data and executing kernels on the GPU.
We have implemented Graviton on off-the-shelf NVIDIA GPUs, using emulation for new hardware features.
Our evaluation shows that overheads are low (17-33%) with encryption and decryption of traffic to and from the GPU being the main source of overheads.
Tyler Hunt (The University of Texas at Austin) et al.
https://gyazo.com/5eb4e9a50029713f405bedc95e4b6153
Others
Ant's Occlum LibOS, Analytics Zoo,
Baidu’s PaddlePaddle (open-source deep learning platform) on Baidu's MesaTEE
ImageNet