Outsourced computation can put client data confidentiality at risk. Existing solutions are either inefficient or insufficiently secure: cryptographic techniques like fully-homomorphic encryption incur significant overheads, even with hardware assistance, while the complexity of hardware-assisted trusted execution environments has been exploited to leak secret data. Recent proposals such as BliMe and OISA show how dynamic information flow tracking (DIFT) enforced in hardware can protect client data efficiently. They are designed to protect CPU-only workloads. However, many outsourced computing applications, like machine learning, make extensive use of accelerators. We address this gap with Dolma, which applies DIFT to the Gemmini matrix multiplication accelerator, efficiently guaranteeing client data confidentiality, even in the presence of malicious/vulnerable software and side channel attacks on the server. We show that accelerators can allow DIFT logic optimizations that significantly reduce area overhead compared with general-purpose processor architectures. Dolma is integrated with the BliMe framework to achieve end-to-end security guarantees. We evaluate Dolma on an FPGA using a ResNet-50 DNN model and show that it incurs low overheads for large configurations ($4.4\%$, $16.7\%$, $16.5\%$ for performance, resource usage and power, respectively, with a 32x32 configuration).