SoK: Analysis of Accelerator TEE Designs

Chenxu Wang

Network and Distributed System Security (NDSS) Symposium 2026 · Day 1 · Trusted Execution

As AI workloads move to GPUs, TPUs, FPGAs, and other accelerators (collectively "XPUs"), the need to extend **Trusted Execution Environment (TEE)** protections beyond CPUs has become urgent. This **Systematization of Knowledge (SoK)** paper surveys **51 academic and industry accelerator TEE studies** across GPU, NPU, TPU, and FPGA-based designs, categorizing them into three architectural types, analyzing their security mechanisms, and identifying critical deployment gaps. The most alarming finding: **34 out of 44 surveyed accelerators lack attestation support**, meaning there is no way to verify the integrity of the execution environment -- a fundamental security guarantee.

AI review

A systematization of 51 accelerator TEE designs that reveals critical gaps -- particularly that 34 of 44 accelerators lack attestation. Useful as a reference but contains no novel attacks, no exploitation, and no new technical contributions beyond the survey itself.
