DOI: 10.1145/3300061.3345447
research-article

Occlumency: Privacy-preserving Remote Deep-learning Inference Using SGX

Published: 11 October 2019

ABSTRACT

Deep learning (DL) is receiving huge attention as an enabling technique for emerging mobile and IoT applications. It is a common practice to conduct DNN model-based inference using cloud services due to their high computation and memory cost. However, such cloud-offloaded inference raises serious privacy concerns. Malicious external attackers or untrustworthy internal administrators of clouds may leak highly sensitive and private data such as image, voice and textual data. In this paper, we propose Occlumency, a novel cloud-driven solution designed to protect user privacy without compromising the benefit of using powerful cloud resources. Occlumency leverages a secure SGX enclave to preserve the confidentiality and the integrity of user data throughout the entire DL inference process. DL inference in an SGX enclave, however, imposes a severe performance degradation due to limited physical memory space and inefficient page swapping. We designed a suite of novel techniques to accelerate DL inference inside the enclave with a limited memory size and implemented Occlumency based on Caffe. Our experiment with various DNN models shows that Occlumency improves inference speed by 3.6x compared to the baseline DL inference in SGX and achieves a secure DL inference within 72% of latency overhead compared to inference in the native environment.


Published in

MobiCom '19: The 25th Annual International Conference on Mobile Computing and Networking
August 2019
1017 pages
ISBN: 9781450361699
DOI: 10.1145/3300061

Copyright © 2019 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Overall Acceptance Rate: 440 of 2,972 submissions, 15%
