Enabling Privacy-Preserving, Compute- and Data-Intensive Computing using Heterogeneous Trusted Execution Environment
There is an urgent demand for privacy-preserving techniques capable of
supporting compute and data intensive (CDI) computing in the era of big data.
However, no existing TEE can truly support CDI computing tasks: CDI
requires high-throughput accelerators such as GPUs and TPUs, but TEEs offer no
security protection for such accelerators. This paper presents HETEE
(Heterogeneous TEE), the first TEE design capable of strongly protecting
heterogeneous computing with insecure accelerators. HETEE is uniquely
constructed to work with today's servers, and does not require any changes to
existing commercial CPUs or accelerators. The key idea of our design is to run
the security controller as a stand-alone computing system that dynamically
adjusts the boundary between the secure and insecure worlds through the PCIe
switches, releasing control of an accelerator to the host OS when it is not
needed for secure computing, and reclaiming it when it is. The controller is
the only trusted unit in the system; it runs a custom OS and accelerator
runtimes, together with the encryption, authentication, and remote attestation
components. The host server and other computing systems communicate with the
controller through an in-memory task queue that accommodates the computing
tasks offloaded to HETEE in the form of encrypted and signed code and data.
Also, HETEE offers a generic and efficient programming model to the host CPU.
We have implemented the HETEE design on a hardware prototype system, and
evaluated it with large-scale Neural Networks inference and training tasks. Our
evaluations show that HETEE can easily support such secure computing tasks and
only incurs a 12.34% throughput overhead for inference and 9.87% overhead for
training on average.

Comment: 16 pages, 7 figures
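The encrypted-and-signed task-queue protocol described above can be sketched as follows. This is a minimal illustration, not HETEE's implementation: the names (`TaskQueue`, `submit`, `controller_process`) and the shared session key are hypothetical, HMAC-SHA256 stands in for the authentication component, and a toy SHA-256 counter-mode keystream stands in for real encryption (a production system would use an AEAD cipher such as AES-GCM and keys established via remote attestation).

```python
import hashlib
import hmac
import json
from collections import deque

# Hypothetical session key; HETEE would derive this via remote attestation.
SHARED_KEY = b"session-key-from-remote-attestation"

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream cipher (placeholder for a real AEAD)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)

class TaskQueue:
    """In-memory queue: the host enqueues encrypted+signed tasks; the
    security controller dequeues, verifies, and decrypts them."""

    def __init__(self):
        self._q = deque()

    def submit(self, code: bytes, data: bytes) -> None:
        # Host side: serialize the offloaded task, encrypt, then sign.
        payload = json.dumps({"code": code.hex(), "data": data.hex()}).encode()
        ct = keystream_xor(SHARED_KEY, payload)
        tag = hmac.new(SHARED_KEY, ct, hashlib.sha256).digest()
        self._q.append((ct, tag))

    def controller_process(self):
        # Controller side: verify the tag before touching the payload.
        ct, tag = self._q.popleft()
        expected = hmac.new(SHARED_KEY, ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("task rejected: bad authentication tag")
        task = json.loads(keystream_xor(SHARED_KEY, ct).decode())
        return bytes.fromhex(task["code"]), bytes.fromhex(task["data"])

q = TaskQueue()
q.submit(b"matmul_kernel", b"tensor-bytes")
code, data = q.controller_process()
```

Because the controller verifies the HMAC tag before decrypting, a compromised host OS can delay or drop queued tasks but cannot inject or tamper with them undetected.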
SESAME: Software defined Enclaves to Secure Inference Accelerators with Multi-tenant Execution
Hardware enclaves that target complex CPU designs compromise both security
and performance. Programs have little control over the micro-architecture,
which leads to side-channel leaks, and must be transformed to exhibit
worst-case control- and data-flow behaviors, incurring considerable slowdown. We
propose to address these security and performance problems by bringing enclaves
into the realm of accelerator-rich architectures. The key idea is to construct
software-defined enclaves (SDEs) where the protections and slowdown are tied to
an application-defined threat model and tuned by a compiler for the
accelerator's specific domain. This vertically integrated approach requires new
hardware data-structures to partition, clear, and shape the utilization of
hardware resources; and a compiler that instantiates and schedules these
data-structures to create multi-tenant enclaves on accelerators. We demonstrate
our ideas with a comprehensive prototype -- Sesame -- that includes
modifications to the compiler, ISA, and microarchitecture of a decoupled
access-execute (DAE) accelerator framework for deep learning models. Our security
evaluation shows that classifiers that could distinguish different layers in
VGG, ResNet, and AlexNet fail to do so when run under Sesame. Our
synthesizable hardware prototype (on a Xilinx Pynq board) demonstrates how the
compiler and micro-architecture enable threat-model-specific trade-offs, with
code-size increases ranging from 3-7 and run-time performance overheads for
specific defenses ranging from 3.96 to 34.87 (across confidential
inputs and models, and single- vs. multi-tenant systems).
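The application-defined threat model described above might be expressed as a small descriptor that a compiler lowers into the partition/clear/shape operations on hardware resources. The sketch below is purely illustrative and is not Sesame's actual API: the names `ThreatModel` and `plan_defenses`, and the specific defense labels, are assumptions chosen to mirror the abstract's vocabulary.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ThreatModel:
    """Hypothetical application-defined threat model for an SDE."""
    confidential_inputs: bool   # hide data-dependent memory traffic
    confidential_model: bool    # hide layer shapes and weights
    multi_tenant: bool          # co-resident tenants share the accelerator

def plan_defenses(tm: ThreatModel) -> list:
    """Map a threat model to the defenses a compiler would instantiate,
    so protections (and their slowdown) track only the declared threats."""
    defenses = []
    if tm.multi_tenant:
        defenses.append("partition_scratchpad")      # spatially isolate tenants
        defenses.append("clear_on_context_switch")   # wipe shared hardware state
    if tm.confidential_inputs:
        defenses.append("shape_memory_traffic")      # pad accesses to a fixed pattern
    if tm.confidential_model:
        defenses.append("pad_layer_schedule")        # hide per-layer timing
    return defenses

# A multi-tenant deployment with confidential inputs but a public model
# pays only for partitioning, clearing, and traffic shaping.
print(plan_defenses(ThreatModel(True, False, True)))
```

The point of such a descriptor is the trade-off the abstract reports: an application that declares fewer threats gets fewer defenses instantiated, and correspondingly lower code-size and run-time overhead.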