TensorSCONE: A Secure TensorFlow Framework using Intel SGX

TL;DR

TensorSCONE is a secure TensorFlow framework leveraging Intel SGX to enable privacy-preserving machine learning computations on untrusted cloud infrastructure, balancing security and performance.

Contribution

We developed TensorSCONE, integrating TensorFlow with SCONE and Intel SGX, to enable secure, hardware-assisted machine learning on untrusted platforms.

Findings

Achieves reasonable performance overheads

Provides strong security with low TCB

Enables secure execution of existing TensorFlow applications

Abstract

Machine learning has become a critical component of modern data-driven online services. Typically, the training phase of machine learning techniques requires to process large-scale datasets which may contain private and sensitive information of customers. This imposes significant security risks since modern online services rely on cloud computing to store and process the sensitive data. In the untrusted computing infrastructure, security is becoming a paramount concern since the customers need to trust the thirdparty cloud provider. Unfortunately, this trust has been violated multiple times in the past. To overcome the potential security risks in the cloud, we answer the following research question: how to enable secure executions of machine learning computations in the untrusted infrastructure? To achieve this goal, we propose a hardware-assisted approach based on Trusted Execution Environments (TEEs), specifically Intel SGX, to enable secure execution of the machine learning computations over the private and sensitive datasets. More specifically, we propose a generic and secure machine learning framework based on Tensorflow, which enables secure execution of existing applications on the commodity untrusted infrastructure. In particular, we have built our system called TensorSCONE from ground-up by integrating TensorFlow with SCONE, a shielded execution framework based on Intel SGX. The main challenge of this work is to overcome the architectural limitations of Intel SGX in the context of building a secure TensorFlow system. Our evaluation shows that we achieve reasonable performance overheads while providing strong security properties with low TCB.