Web Analytics
S3 Lab - Software & Systems Security Laboratory The University of Texas at Dallas

Building GPU TEEs using CPU Secure Enclaves with GEVisor

Xiaolong Wu, Dave (Jing) Tian, and Chung Hwan Kim

Proceedings of the 14th ACM Symposium on Cloud Computing (SOCC) 2023.

DOI: 10.1145/3620678.3624659

areas
Security, Operating Systems, Trusted Computing

abstract

Trusted execution environments (TEEs) have been proposed to protect GPU computation for machine learning applications operating on sensitive data. However, existing GPU TEE solutions either require CPU and/or GPU hardware modification to realize TEEs for GPUs, which prevents current systems from adopting them, or rely on untrusted system software such as GPU device drivers. In this paper, we propose using CPU secure enclaves, e.g., Intel SGX, to build GPU TEEs without modifications to existing hardware. To tackle the fundamental limitations of these enclaves, such as no support for I/O operations, we design and develop GEVISOR, a formally verified security reference monitor software to enable a trusted I/O path between enclaves and GPU without trusting the GPU device driver. GEVISOR operates in the Virtual Machine Extension (VMX) root mode, monitors the host system software to prevent unauthorized access to the GPU code and data outside the enclave, and isolates the enclave GPU context from other contexts during GPU computation. We implement and evaluate GEVISOR on a commodity machine with an Intel SGX CPU and an NVIDIA Pascal GPU. Our experimental results show that our approach maintains an average overhead of 13.1% for deep learning and 18% for GPU benchmarks compared to native GPU computation while providing GPU TEEs for existing CPU and GPU hardware.

related project

AI Vault AI Vault

The AI Vault project designs and develops a new trusted execution environment tailored to run artificial intelligence and machine learning programs on modern AI platforms (e.g., cloud and embedded devices) while providing strong data confidentiality and high efficiency.