secureTF: A Secure TensorFlow Framework
Slide 1 (secureTF: A Secure TensorFlow Framework, Middleware 2020)
secureTF: A Secure
TensorFlow Framework
Do Le Quoc, Franz Gregor, Sergei Arnautov,
Roland Kunkel, Pramod Bhatotia, Christof Fetzer
Slide 2
Motivation
(Figure: clients send their data to a cloud provider; inside the provider, training data feeds a training step that produces a model, which is then used for inference.)
How to ensure confidentiality and integrity of data, code (e.g., Python code), model and
computation with low performance overhead while retaining accuracy?
Slide 3
Intel SGX
(Figure: software stack on a host, from the hardware upwards: Host, Hypervisor, Operating System, Container Engine, Application Libraries, Application; the application and its libraries run inside the enclave.)
SGX (Software Guard eXtensions) is a set of processor extensions for establishing a TEE inside an application.
Intel SGX protects the integrity and confidentiality of applications.
Slide 4
State-of-the-art systems
Several works rely on Intel SGX to support secure machine learning:
• Privado [Microsoft Research 2019]
• Slalom [ICLR2019]
• Occlumency [MobiCom19]
• …
Limitations:
• Focus only on secure inference, not on training computation
• Do not support distributed settings
• Support only a limited number of operators
Slide 5
secureTF: Overview
(Figure: the user on one side, the cloud provider on the other; secureTF runs inside an SGX enclave at the provider, and the user talks to it over TLS. Data & code and the model are the protected assets. The exchange proceeds in three steps:)
(1) Remote attestation
(2) Transfer of keys and certificate
(3) Computation results
Slide 6
secureTF: Design
(Figure: clients and the user connect to the cloud provider over TLS. The user submits attestation and policy to a Configuration & Attestation Service (CAS), itself running in SGX. CAS attests the training and inference enclaves and provisions secrets to them over TLS. Inside the provider, training data is fed to the training enclave, which produces the model used by the inference enclave; both run in SGX.)
Design goals:
1. Protect against attackers with privileged/root access
2. Perform attestation and key management transparently
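The overview (slide 5) and design (slide 6) describe attestation-gated secret provisioning: the user submits a policy to CAS, CAS attests the enclave, and only then are keys and certificates released over TLS. The following is an added, simplified model of that flow; it is not secureTF's or CAS's own code. The class and method names (`Policy`, `AttestationReport`, `CAS.provision`), the use of an HMAC as a stand-in for SGX quote verification, and all key and measurement values are constructed assumptions.

```python
"""Simplified model of attestation-gated secret provisioning (added example,
not secureTF's code). A user registers a policy binding secrets to an expected
enclave measurement; an enclave presents a report; CAS releases secrets only
when the report verifies, binds the enclave's TLS key, and matches the policy.
Real SGX quotes, TLS, and the CAS wire format are replaced by stand-ins."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Policy:
    """User-submitted policy: which enclave may receive which secrets (assumed shape)."""
    name: str
    expected_mrenclave: str          # hex measurement of the trusted enclave build
    secrets: dict = field(default_factory=dict)   # e.g. data/model encryption keys


@dataclass
class AttestationReport:
    """Constructed stand-in for an SGX quote: measurement, report data, signature."""
    mrenclave: str
    report_data: bytes               # enclave binds a hash of its TLS public key here
    signature: bytes                 # stand-in for the quoting enclave's signature


class CAS:
    """Minimal Configuration and Attestation Service model (assumed API)."""

    def __init__(self, quoting_key: bytes):
        self._quoting_key = quoting_key      # trust anchor for report signatures (stand-in)
        self._policies: dict[str, Policy] = {}
        self.audit_log: list[str] = []

    def submit_policy(self, policy: Policy) -> None:
        self._policies[policy.name] = policy

    def _verify_report(self, report: AttestationReport) -> bool:
        # Stand-in for quote verification: HMAC over measurement + report data.
        expected = hmac.new(self._quoting_key,
                            bytes.fromhex(report.mrenclave) + report.report_data,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, report.signature)

    def provision(self, policy_name: str, report: AttestationReport, enclave_tls_pubkey: bytes):
        """Steps (1) and (2) of the overview: attest, then release keys.
        Returns the policy's secrets, or None when any check fails."""
        policy = self._policies.get(policy_name)
        if policy is None:
            self.audit_log.append(f"deny {policy_name}: unknown policy")
            return None
        if not self._verify_report(report):
            self.audit_log.append(f"deny {policy_name}: bad report signature")
            return None
        # The report must bind the TLS key CAS is about to trust; otherwise a
        # genuine report could be relayed by a party that terminates TLS itself.
        if report.report_data != hashlib.sha256(enclave_tls_pubkey).digest():
            self.audit_log.append(f"deny {policy_name}: report does not bind TLS key")
            return None
        if not hmac.compare_digest(report.mrenclave, policy.expected_mrenclave):
            self.audit_log.append(f"deny {policy_name}: MRENCLAVE mismatch")
            return None
        self.audit_log.append(f"allow {policy_name}")
        return dict(policy.secrets)


def make_report(quoting_key: bytes, mrenclave: str, tls_pubkey: bytes) -> AttestationReport:
    """Constructed enclave side: produce a report that binds the TLS public key."""
    report_data = hashlib.sha256(tls_pubkey).digest()
    sig = hmac.new(quoting_key, bytes.fromhex(mrenclave) + report_data, hashlib.sha256).digest()
    return AttestationReport(mrenclave, report_data, sig)


def demo():
    """Run one allowed provisioning and two denied ones; all values are constructed."""
    quoting_key = os.urandom(32)
    trusted = hashlib.sha256(b"secureTF enclave build (constructed)").hexdigest()
    tampered = hashlib.sha256(b"modified enclave (constructed)").hexdigest()
    cas = CAS(quoting_key)
    cas.submit_policy(Policy("tf-training", trusted,
                             {"data_key": "k-data", "model_key": "k-model"}))
    tls_pub = b"enclave-tls-public-key (constructed)"
    ok = cas.provision("tf-training", make_report(quoting_key, trusted, tls_pub), tls_pub)
    bad = cas.provision("tf-training", make_report(quoting_key, tampered, tls_pub), tls_pub)
    # A genuine report presented alongside a different TLS key must be refused.
    relayed = cas.provision("tf-training", make_report(quoting_key, trusted, tls_pub),
                            b"other-tls-key (constructed)")
    return ok, bad, relayed, cas.audit_log


if __name__ == "__main__":
    print(demo())
```

The ordering of checks in `provision` is the point to take from the design slide: secrets leave CAS only after the report signature, the binding to the enclave's TLS key, and the measurement all match the user's policy, and every denial is recorded for later inspection.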
Slide 8
secureTF: Evaluation
(Figure: inference latency in milliseconds, y-axis 0 to 2500, for Inception_v4 (163MB) and Inception_v3 (91MB), comparing Native musl, Native glibc, secureTF SIM, secureTF HW, and Graphene-SGX; lower is better.)
secureTF incurs ~5% overhead in SIM mode and ~22% overhead in HW mode compared to the native versions.
secureTF is ~1.1X – 1.4X faster than the Graphene-SGX based system.
Slide 9
Conclusion
secureTF: A Secure TensorFlow Framework
• Transparency: supports unmodified TensorFlow applications (both training and inference)
• Security: provides end-to-end security for the input data, ML model, and application code
• Accuracy: maintains the same accuracy as the native TensorFlow framework
Thank you!