SPOILER: TEE-Shielded DNN Partitioning of On-Device Secure Inference with Poison Learning
Donghwa Kang, Hojun Choe, Doohyun Kim, Hyeongboo Baek, Brent ByungHoon Kang

TL;DR
SPOILER introduces a hardware-aware NAS framework with self-poisoning learning to optimize secure DNN partitioning on edge devices, balancing privacy, latency, and accuracy.
Contribution
It proposes a novel search-before-training approach that decouples TEE and backbone networks, enhancing security and efficiency in on-device DNN inference.
Findings
Achieves state-of-the-art security and latency trade-offs.
Effectively isolates sensitive computations with minimal accuracy loss.
Demonstrates applicability on CNNs and Transformers.
Abstract
Deploying deep neural networks (DNNs) on edge devices exposes valuable intellectual property to model-stealing attacks. While TEE-shielded DNN partitioning (TSDP) mitigates this by isolating sensitive computations, existing paradigms fail to simultaneously satisfy privacy and efficiency. The training-before-partition paradigm suffers from intrinsic privacy leakage, whereas the partition-before-training paradigm incurs severe latency due to structural dependencies that hinder parallel execution. To overcome these limitations, we propose SPOILER, a novel search-before-training framework that fundamentally decouples the TEE sub-network from the backbone via hardware-aware neural architecture search (NAS). SPOILER identifies a lightweight TEE architecture strictly optimized for hardware constraints, maximizing parallel efficiency. Furthermore, we introduce self-poisoning learning to enforce…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Physical Unclonable Functions (PUFs) and Hardware Security · Security and Verification in Computing
