Thesis/Dissertation 110522072 Detailed Record




Name 葉庭愷 (Ting-Kai Yeh)   Department Computer Science and Information Engineering
Thesis title TFMNN: Trusted Neural Network Inference using TF-M on MCUs
Files Browse the thesis in the system (never open to the public)
Abstract In today's IoT, neural networks (NN) on microcontrollers (MCUs) are widely used, in applications ranging from smart home appliances to robotic arms and electric vehicles. However, neural networks on MCUs face some important security challenges, especially the risk of tampering and privacy attacks. This paper provides a trusted NN framework, TFMNN, on MCUs. TFMNN uses Arm TF-M (TrustedFirmware-M), which provides a TEE (Trusted Execution Environment) for MCUs to isolate the environment for sensitive operations and critical software components. MCUs typically have restricted computing resources and limited memory capacity. Consequently, running NN on MCUs presents the challenges of dealing with insufficient computing power and memory constraints. In addition, implementing security measures often necessitates the incorporation of additional mechanisms, which can potentially impact the computational and memory overhead of the MCU. TFMNN not only maintains inference security under acceptable overhead but also optimizes the secure memory usage of neural network inference. For NN deployed on MCUs, model updates are typically necessary, such as when incorporating new data for learning and performance optimization. Traditionally, updating a model on the device may require firmware reflashing, which can be time-consuming and cause interruptions. Therefore, TFMNN offers secure model storage that makes it easy for model providers to update models. In summary, TFMNN, as a trusted NN framework specially designed for MCUs, effectively solves the security challenges faced by NN on MCUs. Through analyzing and discussing the overhead in real-world MCU applications, we demonstrate the feasibility of TFMNN.
Keywords ★ Edge AI
★ AI Security
★ Neural Network
★ Microcontroller
★ Trusted Execution Environment
★ TrustedFirmware-M
Table of contents Chinese Abstract
Abstract
Acknowledgements
Contents
List of Figures
List of Tables
1 Introduction
2 Background
2.1 Microcontrollers (MCUs)
2.2 Trusted Execution Environment
2.3 Neural Network
2.4 Attack model
3 Related Works
4 Design and Implementation
4.1 Secure Partitions
4.2 Design Goals
4.3 TFMNN Implementation
5 Evaluation
5.1 Security Analysis
5.2 Experimental Setting
5.3 Performance Evaluation
6 Discussion and Conclusion
Bibliography
Appendices
A IPC model vs SFN model
B FANN vs TensorFlow Lite
C FANN NET Parsing
D Pretty Good Privacy
Advisor 張貴雲 (Guey-Yun Chang)   Approval date 2023-8-8
For questions about this thesis, please contact the Promotion Services Section of the National Central University Library, TEL: (03)422-7151 ext. 57407, or by e-mail.