No Privacy Left Outside: On the (In-)Security of TEE-Shielded DNN Partition for On-Device ML
Ziqi Zhang, Chen Gong, Yifeng Cai, Yuanyuan Yuan, Bingyan Liu, Shuai Wang
IEEE Symposium on Security and Privacy 2024 · Day 3 · Continental Ballroom 5
In an era where machine learning (ML) models are both immensely valuable and deeply integrated into private applications, deploying them securely on edge devices presents significant challenges. This talk, delivered by Ziqi Zhang, a postdoctoral researcher at the University of Illinois Urbana-Champaign (UIUC) and based on his Ph.D. work at Peking University, examines the security weaknesses of existing TEE-Shielded DNN Partition (TSDP) solutions for on-device ML. The core issue arises from the inherent conflict between the computational demands of large models and the limited resources of **Trusted Execution Environments (TEEs)**: only part of the model fits inside the TEE, so the rest runs in the untrusted environment, and this partitioning strategy inadvertently compromises privacy.
AI review
This critical research dismantles the security claims of existing TEE-Shielded DNN Partition (TSDP) solutions, demonstrating that the "training before partition" paradigm leaves them fundamentally vulnerable to model stealing and membership inference attacks. The proposed TSlice, with its novel "partition before training" strategy, offers a robust and empirically validated alternative that achieves black-box-level security with minimal overhead, fundamentally redefining secure on-device ML deployment. This work is a crucial warning for developers and organizations relying on current TSDP schemes.