As the only security technology selected by IEEE, why is confidential computing so important?

Author | Lan Yanxiang, Shao Lexi

Produced by | IDEA Institute

Data and Model Security in Large-Scale AI Computing

As the most influential technology of this era, artificial intelligence (AI) has penetrated every aspect of our lives. In particular, ChatGPT, released by OpenAI at the end of 2022, has shown remarkable capabilities in information analysis, integration, decision-making and dialogue. As the scale and capabilities of AI models grow further, AI will help people complete a range of personalized and complex tasks, such as information consultation and acting as a task agent.

The evolution of AI technology is inseparable from the support of big data and large models. Training a large model with hundreds of billions of parameters consumes trillions of pieces of high-quality data, and once the model reaches the market it is continuously adjusted and upgraded according to user feedback. The entire AI service therefore involves three roles: the data provider, the model owner, and the computing power provider. For the data provider, the data contains personal sensitive information or data the enterprise has accumulated over years of operation, which carries huge commercial value; for the model owner, the model embodies the owner's understanding of AI algorithms and deep knowledge of the application industry, together with the huge expense of training it, and is valuable intellectual property of the enterprise.

All parties therefore hope to protect their own data privacy during the training and application of the model, because both the data and the model itself are regarded as valuable assets of the participants. At the same time, with the promulgation and implementation of the "Network Security Law", "Data Security Law" and "Personal Information Protection Law", making data "usable but invisible" and "controllable and measurable" has also become a requirement of laws and regulations for the protection of data privacy. Once data and models are leaked, the result is serious negative social impact and huge economic losses.

With the development of cloud computing and the growing demand for large-scale computing power for model training, most model training work has migrated to the cloud. In addition, to meet real-time and reliability requirements, a large number of AI models are deployed on IoT devices (for example, in autonomous driving scenarios). In most cases, the cloud computing infrastructure and the IoT devices are not owned or controlled by the data and model owners. How to ensure the security and privacy of data and models in an untrusted environment has therefore become an important challenge for large-scale machine learning and its applications.

What is confidential computing?

To meet the above challenges, a series of related technologies has gradually attracted the attention of academia and industry, and confidential computing is one of them. Confidential computing refers to performing computation in a hardware-based Trusted Execution Environment (TEE) in order to protect data in use. The hardware-based TEE ensures that confidential computing tasks and data cannot be stolen by malicious programs, and hardware-level security guarantees that even a high-privilege operating system or the virtual machine monitor (hypervisor) cannot spy on or tamper with the data and code inside the confidential computation.

Since ARM proposed TrustZone in 2002, confidential computing has a history of more than 20 years. Intel launched SGX in 2015, and confidential computing entered a stage of rapid development. In August 2019, the Linux Foundation together with domestic and foreign technology giants announced the establishment of the Confidential Computing Consortium, marking the further development and growth of confidential computing in industry.

In 2022, NVIDIA launched the H100, a new generation of GPU that integrates a confidential computing module, a sign that confidential computing will become part of the infrastructure for future AI computing. In its 2022 Technology Predictions, IEEE selected 16 technologies expected to have a significant impact in the next few years (the short term), and confidential computing was the only security technology among them. Today, manufacturers such as ARM, Intel, AMD and Huawei have launched their own confidential computing technologies; Intel's SGX and ARM's TrustZone hold the main market share on the server side and on the terminal side respectively.

Introduction to Intel SGX Technology

Through hardware extensions of the CPU, Intel's SGX technology allows an application to create a secure container called an Enclave and place sensitive data and code inside it. Within the Enclave, the confidentiality and integrity of code and data depend only on hardware guarantees, and privileged software such as the BIOS and the OS cannot directly access the Enclave's contents. In other words, the TCB (Trusted Computing Base) of SGX consists only of the CPU manufacturer and the Enclave itself. Even if an attacker obtains root privileges on the server, the confidential data in the Enclave cannot be directly obtained.

The working principle of an SGX application is illustrated in Figure 1. When implementing the application, the developer must distinguish the trusted part from the untrusted part. The trusted part is described with EDL (Enclave Definition Language), and ECALLs and OCALLs are used for interaction between the trusted and untrusted parts, as shown in Figure 1 below.

Figure 1 SGX application model

Introduction to ARM TrustZone Technology

ARM's TrustZone technology provides hardware isolation that distinguishes a Secure World from a Normal World. At the processor architecture level, TrustZone virtualizes each physical core into a Secure Core and a Non-Secure Core, and switches between the two worlds through Monitor Mode. Besides the computing cores, hardware such as the MMU, the GIC and the caches also enforce isolation between the two worlds. In the Secure World, a trusted kernel (TEE Kernel) is responsible for managing multiple trusted application instances, including memory allocation and isolation, communication management and so on, and is also part of the TCB.

The application model of a TrustZone TEE conforms to the GlobalPlatform (GP) specification and is shown in Figure 2 below. An application must be divided into two programs, one running in the Rich Execution Environment and one running in the TEE, and communication between the two worlds must go through the TEE APIs that the platform provides.

Figure 2 TrustZone application model

Confidential Computing vs. Other Privacy Computing Schemes

As a hardware-based privacy computing technology, confidential computing has clear advantages in efficiency and generality over other privacy computing technologies. Take Secure Multi-Party Computation (SMPC) and Federated Learning (FL) as examples. SMPC is based on cryptography: the parties jointly compute an agreed task over multiple rounds of communication while the data remain encrypted, without disclosing their private information to each other. FL is based on distributed machine learning: it builds a global model over all data samples by exchanging only model information derived from local data, never the local data itself. In terms of efficiency, because SMPC and FL involve a large amount of encryption, decryption and network communication, their overall computational cost is hundreds of times that of plaintext computation, which makes them hard to adapt to high-throughput, low-latency computing scenarios. For confidential computing, the confidentiality and integrity of data and models are guaranteed by the underlying hardware, and computing performance close to plaintext computation can be obtained. In terms of generality, SMPC and FL make certain assumptions about the characteristics and structure of the computing task and cannot meet arbitrary computing needs, whereas confidential computing has no such constraints and is more general.

Applications and Challenges of Confidential Computing

Confidential computing technology has been widely used in the training and application of AI models. Vendors such as AWS, Google and Microsoft, and domestically Alibaba and Tencent, have launched their own confidential computing products, which are used in scenarios such as multi-party computing, healthcare, and drug research and development. Confidential computing is also a hot topic in academic research. For example, in model training, some scholars have realized large-scale heterogeneous confidential AI model training based on programmable bus chips and security controls. In model application, some scholars combine the trusted execution environment on IoT devices and its encrypted communication with corresponding management and control modules to protect the security and privacy of both the data collected by IoT devices and the AI models.

However, mainstream confidential computing technology still faces some technical challenges. Mainstream confidential computing achieves logical hardware isolation between trusted and untrusted applications through mechanisms such as flag bits and access control. However, the trusted application being protected and the untrusted applications run on the same computing core, so the two kinds of tasks physically share hardware components such as the page table, the hardware cache and the branch target buffer (BTB). Sharing these components creates the risk of side-channel attacks, and studies have shown that side-channel attacks on components such as the hardware cache can leak input data or models.

Researchers have proposed a series of methods to deal with this kind of risk. One class of methods is based on oblivious access: cryptographic techniques and protocols are used to hide the access traces that a trusted application leaves on shared components, eliminating the side-channel risk. Another class customizes the build tools or the runtime state of trusted applications, detecting and avoiding side-channel attacks through techniques such as address randomization, disabling hyper-threading and interrupt monitoring; at the same time, hardware manufacturers release patches for specific side-channel attacks in a timely manner. In addition, as confidential computing becomes widespread and important, people have also begun to design independent memory or computing units for trusted applications. Independent memory and computing units isolate trusted applications from untrusted ones completely at the hardware level, which removes the side-channel risk at its root.
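As an added illustration of the cache side-channel risk in the previous paragraph and of the oblivious-access mitigation just described (example code written for this edit, not from the article or from IDEA Institute): a constructed lookup table stands in for a secret-dependent model step, and a recorder of touched slots stands in for what an attacker observing the shared cache would see.

```c
/* Added example (not from the article): a toy model of a secret-dependent
 * table lookup and the oblivious variant. Instead of a real cache we record
 * which slots a lookup touches; a cache side channel exposes roughly this. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define TABLE_SIZE 8

/* Constructed table, e.g. a quantised activation lookup inside a model. */
static const uint32_t TABLE[TABLE_SIZE] = {11, 22, 33, 44, 55, 66, 77, 88};

/* Access trace: slots touched, in order. Stands in for the cache footprint. */
typedef struct { int touched[TABLE_SIZE]; int n; } trace_t;

static uint32_t touch(trace_t *t, int slot) {
    if (t->n < TABLE_SIZE) t->touched[t->n++] = slot;
    return TABLE[slot];
}

/* Naive lookup: the memory access pattern depends on the secret index,
 * so an observer of the trace learns the index. */
uint32_t lookup_naive(int secret_idx, trace_t *t) {
    t->n = 0;
    return touch(t, secret_idx);
}

/* Oblivious lookup: every slot is read regardless of the secret and the
 * wanted value is selected with a branch-free mask (the same idea as the
 * CMOV-based select used by oblivious memory primitives). Note: a real
 * implementation must confirm the compiler did not reintroduce a branch. */
uint32_t lookup_oblivious(int secret_idx, trace_t *t) {
    uint32_t result = 0;
    t->n = 0;
    for (int i = 0; i < TABLE_SIZE; i++) {
        uint32_t v = touch(t, i);
        /* mask is all-ones only when i == secret_idx */
        uint32_t mask = (uint32_t)0 - (uint32_t)(i == secret_idx);
        result |= v & mask;
    }
    return result;
}

/* 1 if two traces are identical, 0 otherwise. */
int traces_equal(const trace_t *a, const trace_t *b) {
    return a->n == b->n &&
           memcmp(a->touched, b->touched, sizeof(int) * (size_t)a->n) == 0;
}

int main(void) {
    trace_t ta, tb;
    lookup_naive(2, &ta); lookup_naive(5, &tb);
    printf("naive: traces equal? %d\n", traces_equal(&ta, &tb));     /* 0: leaks */
    lookup_oblivious(2, &ta); lookup_oblivious(5, &tb);
    printf("oblivious: traces equal? %d\n", traces_equal(&ta, &tb)); /* 1: hidden */
    return 0;
}
```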

At the level of engineering implementation, mainstream confidential computing technology introduces a new programming paradigm. Developers must divide the application into a trusted part and an untrusted part, explicitly implement the trusted part within the confidential computing framework, and manage the interaction between the trusted part and the outside world themselves, which greatly increases the cost of software migration. Although there are some automatic partitioning tools based on developer annotations, and library operating systems (LibOS) have been proposed to simplify the migration of existing applications, these solutions have their own limitations. Among the automatic partitioning tools, the existing ones only support C/C++ and Java and cannot support other languages such as Python. Among the library operating system solutions, some require the program to be recompiled, which is a big obstacle in commercial scenarios, because the code, as important intellectual property of the program owner, often cannot be recompiled for the deployment environment; others achieve partial binary compatibility but at a large cost in performance.

Finally, in terms of security, the POSIX system calls of current mainstream confidential computing technology are serviced by the untrusted operating system. To deal with Iago attacks at this interface layer, the library operating system needs to implement a corresponding defense mechanism. However, because the POSIX interfaces are numerous and complex, how to completely prevent interface attacks on the library operating system is still a topic that requires further study.
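As an added example of the kind of defense a library OS needs at the system-call boundary (written for this edit, not taken from the article or from any LibOS project): two checks on results returned by the untrusted host, for read() and mmap(). The enclave address range and page size are constructed placeholders, not a real layout.

```c
/* Added example (not from the article): Iago-style result validation that a
 * library OS applies before trusting values returned by the untrusted host.
 * ENCLAVE_BASE/ENCLAVE_SIZE are constructed placeholders. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ENCLAVE_BASE 0x10000000UL  /* constructed */
#define ENCLAVE_SIZE 0x01000000UL  /* constructed: 16 MiB */
#define PAGE_SIZE    4096UL

typedef enum { V_OK = 0, V_ERR_LEN, V_ERR_OVERLAP, V_ERR_ALIGN, V_ERR_ADDR } verdict_t;

/* read(): the host reports how many bytes it wrote into our buffer. An honest
 * host never reports more than requested; trusting a larger count would make
 * enclave code treat uninitialised or out-of-bounds bytes as valid input. */
verdict_t check_read_result(long ret, size_t requested) {
    if (ret < 0) return V_OK;                  /* -errno: caller handles it */
    if ((size_t)ret > requested) return V_ERR_LEN;
    return V_OK;
}

/* mmap(): the host chooses the address. A malicious host may hand back a
 * region overlapping enclave memory (the classic Iago case); reject it. */
static int overlaps_enclave(uintptr_t addr, size_t len) {
    uintptr_t end = addr + len;                /* wraparound checked by caller */
    uintptr_t e_end = ENCLAVE_BASE + ENCLAVE_SIZE;
    return addr < e_end && end > ENCLAVE_BASE;
}

verdict_t check_mmap_result(uintptr_t addr, size_t len) {
    if (addr == 0 || len == 0) return V_ERR_ADDR;
    if (addr % PAGE_SIZE != 0) return V_ERR_ALIGN;
    if (addr + len < addr) return V_ERR_ADDR;  /* address wraparound */
    if (overlaps_enclave(addr, len)) return V_ERR_OVERLAP;
    return V_OK;
}

int main(void) {
    printf("read 4096 of 4096 -> %d\n", check_read_result(4096, 4096));        /* 0 */
    printf("read 8192 of 4096 -> %d\n", check_read_result(8192, 4096));        /* 1 */
    printf("mmap outside TEE  -> %d\n", check_mmap_result(0x20000000UL, 8192)); /* 0 */
    printf("mmap into TEE     -> %d\n", check_mmap_result(0x10100000UL, 8192)); /* 2 */
    return 0;
}
```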

IDEA Institute's Exploration in the Field of Confidential Computing

IDEA Institute has also made some explorations in the field of confidential computing. To address the challenges of side-channel attacks and engineering implementation, we offload confidential computing tasks entirely to an independent coprocessor, the Secure Processing Unit (SPU); hardware isolation at the physical level keeps confidential computing tasks clear of side-channel risk.

The SPU communicates with the host only through a high-speed bus, and a hardware-level Secure Enforcement Barrier blocks unauthorized and unauthenticated data communication. At the system level, the customized secure boot, secure device abstraction and secure container technologies in the SPU allow original code to run without recompilation, and POSIX system calls are handled inside the SPU to avoid Iago attacks. These technologies further ensure the confidentiality and integrity of trusted applications.

Summary

Today, with the rapid development of AI, data is the "oil" of artificial intelligence and models are its final product, and both carry huge commercial value. Protecting the confidentiality of data and models, making them "usable but invisible" and "controllable and measurable", is not only a requirement of laws and regulations but also a need of the development of the digital economy.

Confidential computing provides an efficient and general solution, and with the rapid development of artificial intelligence, big data and cloud computing it has become a mainstream technical route for secure and private computing. In the future, confidential computing will continue to evolve in trustworthiness, security, engineering implementation and scalability, and will eventually become the security guardian of safe, pervasive, high-performance, scalable and easy-to-deploy AI data and models.

Origin blog.csdn.net/Climbman/article/details/131842617