GuaranTEE: Towards Attestable and Private ML with CCA
Sandra Siby, Sina Abdollahi, Mohammad Maheri, Marios Kogias, Hamed Haddadi

TL;DR
GuaranTEE is a framework that leverages Confidential Computing Architecture to enable attestable and private machine learning deployment on edge devices, addressing privacy and auditability challenges with low overhead.
Contribution
This work introduces GuaranTEE, utilizing CCA to create dynamic TEEs for secure ML deployment on edge devices, and proposes improvements to CCA for better protection.
Findings
Prototype deployment demonstrates feasibility of CCA for ML models.
GuaranTEE effectively ensures model privacy and attestability.
Proposed CCA enhancements improve security and usability.
Abstract
Machine-learning (ML) models are increasingly being deployed on edge devices to provide a variety of services. However, their deployment is accompanied by challenges in model privacy and auditability. Model providers want to (i) ensure that their proprietary models are not exposed to third parties; and (ii) be able to obtain attestations that their genuine models are operating on edge devices in accordance with the service agreement with the user. Existing measures to address these challenges have been hindered by issues such as high overheads and limited capability (processing/secure memory) on edge devices. In this work, we propose GuaranTEE, a framework to provide attestable private machine learning on the edge. GuaranTEE uses Confidential Computing Architecture (CCA), Arm's latest architectural extension that allows for the creation and deployment of dynamic Trusted Execution…
Taxonomy
Topics: Security and Verification in Computing · Logic, programming, and type systems
