In federated learning (FL), data providers jointly train a machine learning model without sharing their training data. This makes it challenging to provide verifiable claims about the trained FL model, e.g., related to the employed training data, any data sanitization, or the correct training algorithm: a malicious data provider can simply deviate from the correct training protocol without detection. While prior FL training systems have explored the use of trusted execution environments (TEEs) to protect the training computation, such approaches rely on both the confidentiality and the integrity of TEEs. The confidentiality guarantees of TEEs, however, have been shown to be vulnerable to a wide range of attacks, such as side-channel attacks. We describe VerifiableFL, a system for training FL models that establishes verifiable claims about trained FL models with the help of fine-grained runtime attestation proofs. Since these runtime attestation proofs only require integrity protection, VerifiableFL generates them using the new abstraction of exclaves. Exclaves are integrity-only execution environments, which do not contain software-managed secrets and thus are immune to data leakage attacks. VerifiableFL uses exclaves to attest individual data transformations during FL training without relying on confidentiality guarantees. The runtime attestation proofs then form an attested dataflow graph of the entire FL model training computation. The graph is checked by an auditor to ensure that the trained FL model satisfies its claims, such as the use of data sanitization by data providers or correct aggregation by the model provider. VerifiableFL extends the NVFlare FL framework to use exclaves. We show that VerifiableFL introduces less than 12% overhead compared to unprotected FL training.
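The attested dataflow graph and the auditor check described in the abstract, as an added example that is not VerifiableFL's or NVFlare's code: each transformation (sanitize, train, aggregate) emits an integrity-only proof over its input and output hashes, and the auditor verifies the proofs and then checks the claims by walking the graph edges. An HMAC under a constructed key stands in for exclave attestation (an assumption), and the providers, records and toy transforms are constructed.

```python
import hashlib, hmac, json, statistics

# Constructed stand-in for the exclaves' attestation key. Proofs need integrity only,
# so an HMAC tag suffices here; a real exclave would use a hardware-rooted key.
ATTEST_KEY = b"constructed-exclave-attestation-key"

def digest(obj):
    """Content hash of a data artefact (dataset, update or model)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def attest(node, op, inputs, output):
    """Runtime attestation proof for one transformation: node, attested op, input and output hashes."""
    proof = {"node": node, "op": op, "in": [digest(i) for i in inputs], "out": digest(output)}
    proof["tag"] = hmac.new(ATTEST_KEY, json.dumps(proof, sort_keys=True).encode(), "sha256").hexdigest()
    return proof

def sanitize(rows): return [r for r in rows if r["label"] in (0, 1)]   # drop malformed labels
def train(rows): return sum(r["x"] for r in rows) / len(rows)         # toy local update
def aggregate(updates): return statistics.mean(updates)               # toy FedAvg

def run_fl_round(raw_data, skip_sanitize=()):
    """One FL round; returns the model and the attested dataflow graph (one proof per transform)."""
    graph, updates = [], []
    for name, rows in raw_data.items():
        clean = rows if name in skip_sanitize else sanitize(rows)        # misbehaving provider skips
        if name not in skip_sanitize: graph.append(attest(name, "sanitize", [rows], clean))
        upd = train(clean); graph.append(attest(name, "train", [clean], upd)); updates.append(upd)
    model = aggregate(updates); graph.append(attest("server", "aggregate", updates, model))
    return model, graph

def audit(graph):
    """Auditor: verify every proof's tag, then check the graph edges against the claims."""
    for p in graph:
        body = {k: v for k, v in p.items() if k != "tag"}
        tag = hmac.new(ATTEST_KEY, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()
        if not hmac.compare_digest(tag, p["tag"]): return False, f"bad tag from {p['node']}"
    by_op = lambda op: [p for p in graph if p["op"] == op]
    sanitized = {(p["node"], p["out"]) for p in by_op("sanitize")}
    for p in by_op("train"):                       # claim 1: each provider trained on sanitized data
        if (p["node"], p["in"][0]) not in sanitized: return False, f"{p['node']} skipped sanitization"
    agg = by_op("aggregate")                       # claim 2: aggregation used exactly the attested updates
    if len(agg) != 1 or sorted(agg[0]["in"]) != sorted(p["out"] for p in by_op("train")):
        return False, "aggregation input mismatch"
    return True, "ok"

# Constructed sample data: two providers, one holding a malformed label that sanitization removes.
DATA = {"provider_a": [{"x": 1.0, "label": 0}, {"x": 3.0, "label": 1}],
        "provider_b": [{"x": 2.0, "label": 1}, {"x": 10.0, "label": 7}]}
```

Running `run_fl_round(DATA, skip_sanitize=("provider_b",))` produces a graph whose train proof for provider_b has no matching sanitize proof, so `audit` rejects it; editing any proof after the fact breaks its tag.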