ASGARD: Protecting On-Device Deep Neural Networks with Virtualization-Based Trusted Execution Environments

Myungsuk Moon

Network and Distributed System Security (NDSS) Symposium 2025 · Day 3 · DNN Attack Surfaces

The proliferation of on-device Artificial Intelligence (AI) services offers significant advantages over cloud-based AI: sensitive user data stays on the device and no network round trip is needed for inference. However, the on-device Deep Neural Network (DNN) models themselves are valuable intellectual property, often trained at substantial computational cost. The core challenge addressed by this talk, "ASGARD: Protecting On-Device Deep Neural Networks with Virtualization-Based Trusted Execution Environments," is safeguarding these proprietary models from malicious device owners who may attempt to extract, tamper with, or reverse-engineer them. Because such an adversary controls the device, including its operating system, the protection cannot rely on the OS and must instead come from a trusted execution environment that sits beneath it.

AI review

ASGARD is a technically credible systems paper solving a real problem, protecting proprietary DNN model weights from malicious device owners, using a non-obvious architectural choice: a TEE hosted by an EL2 hypervisor (Arm's hypervisor exception level) rather than TrustZone's Secure World. The prior-work analysis is honest, the threat model is well-scoped, and the engineering contributions (the IOMMU driver split, page table recycling, and exec-coalescing) are concrete and defensible. The reported 4x speedup over obfuscation-based approaches and the VM exit reduction numbers make the performance claims concrete. The trade-off a practitioner should keep in mind is that a hypervisor-based TEE moves the root of trust into the EL2 code: the guarantees hold only as long as the hypervisor itself, and its control over DMA-capable accelerators through the IOMMU, remains isolated from the untrusted OS.
