Shielding Federated Learning Systems against Inference Attacks with ARM TrustZone
Aghiles Ait Messaoud, Sonia Ben Mokhtar, Vlad Nitu, Valerio Schiavoni

TL;DR
This paper introduces GradSec, a method that enhances federated learning privacy by protecting only sensitive model layers within ARM TrustZone TEEs, reducing TCB size and training time while defending against inference attacks.
Contribution
GradSec is a novel approach that selectively protects sensitive model layers in TEEs, improving efficiency and security over existing methods like DarkneTZ.
Findings
Reduces TCB size by up to 30%
Decreases training time by up to 56%
Effectively defends against inference attacks
Abstract
Federated Learning (FL) opens new perspectives for training machine learning models while keeping personal data on the users' premises. Specifically, in FL, models are trained on the users' devices and only model updates (i.e., gradients) are sent to a central server for aggregation purposes. However, the long list of inference attacks that leak private data from gradients, published in recent years, has emphasized the need to devise effective protection mechanisms to incentivize the adoption of FL at scale. While there exist solutions to mitigate these attacks on the server side, little has been done to protect users from attacks performed on the client side. In this context, the use of Trusted Execution Environments (TEEs) on the client side is among the most promising solutions. However, existing frameworks (e.g., DarkneTZ) require statically putting a large portion of the…
Taxonomy
Topics: Security and Verification in Computing · Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data
