SAGE: Software-based Attestation for GPU Execution
Andrei Ivanov, Benjamin Rothenberger, Arnaud Dethise, Marco Canini, Torsten Hoefler, Adrian Perrig

TL;DR
SAGE is a software-based attestation mechanism that ensures code and data integrity and secrecy for GPU execution, enabling trustworthy computation on NVIDIA Ampere GPUs without hardware support.
Contribution
This work introduces SAGE, a novel software-only attestation approach for GPU security, addressing the lack of hardware support and enhancing trustworthiness in GPU computations.
Findings
SAGE provides code integrity and secrecy on NVIDIA Ampere GPUs.
SAGE operates effectively without hardware support for trusted execution.
The approach is practical for real-world secure GPU computation.
Abstract
With the application of machine learning to security-critical and sensitive domains, there is a growing need for integrity and privacy in computation using accelerators, such as GPUs. Unfortunately, the support for trusted execution on GPUs is currently very limited - trusted execution on accelerators is particularly challenging since the attestation mechanism should not reduce performance. Although hardware support for trusted execution on GPUs is emerging, we study purely software-based approaches for trusted GPU execution. A software-only approach offers distinct advantages: (1) complement hardware-based approaches, enhancing security especially when vulnerabilities in the hardware implementation degrade security, (2) operate on GPUs without hardware support for trusted execution, and (3) achieve security without reliance on secrets embedded in the hardware, which can be extracted as…
Taxonomy
Topics: Security and Verification in Computing · Cloud Data Security Solutions · Adversarial Robustness in Machine Learning
