Machine Learning with Confidential Computing: A Systematization of Knowledge
Fan Mo, Zahra Tarkhani, Hamed Haddadi

TL;DR
This paper systematically reviews how Confidential Computing enhances privacy and security in Machine Learning, analyzing existing techniques, challenges, and future directions for TEE-enabled ML systems.
Contribution
It provides a comprehensive systematization of Confidential Computing-assisted ML techniques, discusses their limitations, and proposes future research directions for stronger privacy guarantees.
Findings
Confidential Computing offers confidentiality and integrity in ML scenarios.
Existing TEE systems face limitations in ML use cases.
Future directions include TEE-aware ML and full pipeline guarantees.
Abstract
Privacy and security challenges in Machine Learning (ML) have become increasingly severe, along with ML's pervasive development and the recent demonstration of large attack surfaces. As a mature system-oriented approach, Confidential Computing has been utilized in both academia and industry to mitigate privacy and security issues in various ML scenarios. In this paper, the conjunction between ML and Confidential Computing is investigated. We systematize the prior work on Confidential Computing-assisted ML techniques that provide i) confidentiality guarantees and ii) integrity assurances, and discuss their advanced features and drawbacks. Key challenges are further identified, and we provide dedicated analyses of the limitations in existing Trusted Execution Environment (TEE) systems for ML use cases. Finally, prospective works are discussed, including grounded privacy definitions for…
Taxonomy
Topics: Security and Verification in Computing · Cloud Data Security Solutions · Cryptography and Data Security
