Real-Time Scheduling of TrustZone-enabled DNN Workloads

“…A similar line of work exists [38] that presents a technique to enable time-critical DNN computations for TrustZoneenabled enclaves. As TrustZone enclaves do not have enough capacity to process DNN models from multiple tasks and run them together while retaining temporal constraints, the authors proposed splitting the DNN tasks into multiple chunks.…”

“…The majority of the work (i.e., 11 out of 16) [30], [31], [32], [33], [34], [35], [36], [37], [38], [39], [40] assume blackbox attacks and the rest consider white-box attacks [41], GAN-based attacks [42], fault injection attacks [43], [44], and membership inference scenarios [45]. A typical assumption is that adversaries have complete access to the rich OS.…”

“…A stealthy attacker could try to access the model's parameters, intermediate results, and final output without disrupting the inference task (T-Slices [40]). Further, the adversary may compromise the rich OS to intrude, forge, and modify the interference task and steal user data from nonprotected processes (SecDeep [31], real-time DNN [38]). They may also have access to the cache, memory, and storage (Trusted-DNN [33]) and inject faults that may change specific DNN parameters in the memory (AegisDNN [43]).…”

“…Researchers proposed several strategies depending on application requirements. For instance, there exist models for running the entire DNN layers inside TEEs [30], [33], [34], [38], [40]. Another alternative is to run the model in multiple enclaves to speed up the inference process [30], [32], [35], [37], [39], [42], [43], [45].…”

“…Table 3 summarizes the techniques we discuss in this survey. Majority of work (14 out of 16) [30], [31], [32], [33], [34], [35], [36], [37], [38], [40], [42], [43], [44], [45] focus on inference task and remaining two [39], [41] consider both training and inference (see ''Learning Task'' column). We use the ''Design Focus'' column to demonstrate the key performance metrics considered by the authors.…”

Trusted Deep Neural Execution—A Survey

“…A similar line of work exists [38] that presents a technique to enable time-critical DNN computations for TrustZoneenabled enclaves. As TrustZone enclaves do not have enough capacity to process DNN models from multiple tasks and run them together while retaining temporal constraints, the authors proposed splitting the DNN tasks into multiple chunks.…”

“…The majority of the work (i.e., 11 out of 16) [30], [31], [32], [33], [34], [35], [36], [37], [38], [39], [40] assume blackbox attacks and the rest consider white-box attacks [41], GAN-based attacks [42], fault injection attacks [43], [44], and membership inference scenarios [45]. A typical assumption is that adversaries have complete access to the rich OS.…”

“…A stealthy attacker could try to access the model's parameters, intermediate results, and final output without disrupting the inference task (T-Slices [40]). Further, the adversary may compromise the rich OS to intrude, forge, and modify the interference task and steal user data from nonprotected processes (SecDeep [31], real-time DNN [38]). They may also have access to the cache, memory, and storage (Trusted-DNN [33]) and inject faults that may change specific DNN parameters in the memory (AegisDNN [43]).…”

“…Researchers proposed several strategies depending on application requirements. For instance, there exist models for running the entire DNN layers inside TEEs [30], [33], [34], [38], [40]. Another alternative is to run the model in multiple enclaves to speed up the inference process [30], [32], [35], [37], [39], [42], [43], [45].…”

“…Table 3 summarizes the techniques we discuss in this survey. Majority of work (14 out of 16) [30], [31], [32], [33], [34], [35], [36], [37], [38], [40], [42], [43], [44], [45] focus on inference task and remaining two [39], [41] consider both training and inference (see ''Learning Task'' column). We use the ''Design Focus'' column to demonstrate the key performance metrics considered by the authors.…”

Trusted Deep Neural Execution—A Survey

Mitigating Adversarial Attacks in Federated Learning with Trusted Execution Environments