    Protecting Deep Learning Models on Cloud Platforms with Trusted Execution Environments

    Thesis full text (1.249Mb)
    Author
    Shanker, Kripa
    Abstract
    Deep learning is being rapidly integrated into applications ranging from medical imaging to financial products. Organisations spend enormous financial resources to train deep learning models, yet many of them lack the resources to host, manage and scale these deep learning workloads in-house. Therefore, these organisations outsource deep learning inference workloads to public cloud platforms. However, outsourcing to public cloud platforms raises security and privacy risks for the trained models: the service provider controls all the software and hardware on its premises and has full access to the models deployed on its platform. A malicious or compromised cloud provider can steal the trained model or interfere with the inference workload, which may lead to financial losses and legal trouble for the model owner. This dissertation presents solutions to secure deep learning workloads on public cloud platforms with hardware-assisted trusted execution environments (TEEs). Intel has introduced Software Guard Extensions (SGX), a hardware-based trusted execution environment, to run private computations on public cloud platforms. However, applications do not run out of the box on the SGX platform because of the restrictions the SGX specification imposes to ensure the confidentiality and integrity of enclave code and data. Applications therefore need to be rewritten, or other methods must be employed, to avoid executing restricted instructions within the SGX enclave that holds the code and private data. To port commodity applications to SGX enclaves, the software community has developed multiple frameworks that adapt existing applications to the SGX specification. However, at the beginning of this work it was not clear which framework should be used to port deep learning workloads to SGX enclaves.
    Therefore, in the first part of this dissertation, we studied various frameworks that port applications to SGX in order to find one suitable for porting deep learning workloads. The study focuses on the challenges of transitioning commodity applications to SGX enclaves. During the study, we observed that memory-intensive applications, such as deep learning workloads, incur a performance penalty when executing within the trusted execution environment offered by Intel SGX. Furthermore, SGX cannot securely use other untrusted resources, such as untrusted co-processors, that are commonly used to accelerate deep learning workloads. The second part of the dissertation therefore focuses on improving the performance of deep learning workloads on TEEs. It presents MazeNet, a framework that transforms pre-trained models into MazeNet models and deploys them on heterogeneous execution environments composed of trusted and untrusted hardware, where the trusted hardware ensures the security of the model while the untrusted hardware accelerates the deep learning workload. MazeNet employs a secure outsourcing scheme that outsources both the linear and non-linear layers of deep learning models to untrusted hardware. Our experimental evaluation demonstrates that MazeNet can improve the throughput by 30x and reduce the latency by 5x.
    URI
    https://etd.iisc.ac.in/handle/2005/7326
    Collections
    • Computer Science and Automation (CSA) [507]

    etd@IISc is a joint service of SERC & J R D Tata Memorial (JRDTML) Library || Powered by DSpace software || DuraSpace