Machine-learning (ML) models are increasingly being deployed on edge devices to provide a variety of services. However, their deployment is accompanied by challenges in model privacy and auditability. Model providers want (i) to ensure that their proprietary models are not exposed to third parties, and (ii) to obtain attestations that their genuine models are running on edge devices in accordance with the service agreement with the user. Existing measures to address these challenges have been hindered by issues such as high overheads and the limited capability (processing power, secure memory) of edge devices. In this work, we propose GuaranTEE, a framework that provides attestable private machine learning on the edge. GuaranTEE uses the Confidential Computing Architecture (CCA), Arm's latest architectural extension, which allows dynamic Trusted Execution Environments (TEEs) to be created and deployed, and within which models can be executed. We evaluate the feasibility of deploying ML models with CCA by developing, evaluating, and openly releasing a prototype. We also suggest improvements to CCA that would facilitate its use in protecting the entire ML deployment pipeline on edge devices.
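The following is an added illustration of requirement (ii), the provider checking an attestation that its genuine model is running on the device; it is example code written for this page, not GuaranTEE's code or Arm's CCA token format. It assumes a simplified attestation scheme: the device TEE measures the loaded model with SHA-256, binds that measurement to a verifier-supplied nonce, and authenticates the token with a device key. A symmetric key shared with the provider (`DEVICE_ATTESTATION_KEY`) stands in for the device-unique asymmetric key and signed token a real CCA deployment would use; all names (`measure_model`, `device_attest`, `ProviderVerifier`) are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example key: stands in for the device attestation key that a
# real CCA deployment would provision per device (and would be asymmetric).
DEVICE_ATTESTATION_KEY = bytes(range(32))


def measure_model(model_bytes: bytes) -> str:
    """Measurement of the model as loaded into the TEE: SHA-256 over its bytes."""
    return hashlib.sha256(model_bytes).hexdigest()


def device_attest(model_bytes: bytes, nonce: bytes,
                  key: bytes = DEVICE_ATTESTATION_KEY) -> dict:
    """What the TEE on the edge device would emit: a token that binds the model
    measurement to the verifier's fresh nonce and is authenticated with the
    device key (HMAC here; a signature in a real attestation token)."""
    claims = {"model_measurement": measure_model(model_bytes),
              "nonce": nonce.hex()}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


class ProviderVerifier:
    """Model provider side: issues nonces and checks attestation tokens."""

    def __init__(self, expected_measurement: str,
                 key: bytes = DEVICE_ATTESTATION_KEY):
        self.expected = expected_measurement   # measurement of the genuine model
        self.key = key
        self.pending = set()                   # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        """Fresh nonce so a captured token cannot be replayed later."""
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce.hex())
        return nonce

    def verify(self, token: dict) -> tuple:
        """Returns (accepted, reason). Checks authenticity first, then freshness,
        then that the measured model is the one the provider shipped."""
        payload = token["payload"].encode()
        expected_tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, token.get("tag", "")):
            return False, "bad signature"
        claims = json.loads(payload)
        nonce = claims.get("nonce")
        if nonce not in self.pending:
            return False, "unknown or replayed nonce"
        self.pending.discard(nonce)            # each nonce is good for one token
        if claims.get("model_measurement") != self.expected:
            return False, "model measurement mismatch"
        return True, "ok"


if __name__ == "__main__":
    genuine = b"constructed stand-in for the provider's model weights"
    verifier = ProviderVerifier(measure_model(genuine))
    nonce = verifier.challenge()
    print(verifier.verify(device_attest(genuine, nonce)))          # genuine model
    print(verifier.verify(device_attest(genuine, nonce)))          # replayed nonce
    print(verifier.verify(device_attest(b"other model", verifier.challenge())))
```

The three rejection paths are the ones a provider cares about in practice: a token that was not produced by the device key, a token replayed from an earlier session, and a valid token from a device that loaded a different model.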