{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,26]],"date-time":"2026-02-26T15:25:45Z","timestamp":1772119545692,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":60,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,10,29]],"date-time":"2023-10-29T00:00:00Z","timestamp":1698537600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"SRC"},{"name":"Intel Corporation"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,10,29]]},"DOI":"10.1145\/3623652.3623672","type":"proceedings-article","created":{"date-parts":[[2023,10,27]],"date-time":"2023-10-27T23:00:42Z","timestamp":1698447642000},"page":"19-28","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["Triton: Software-Defined Threat Model for Secure Multi-Tenant ML Inference Accelerators"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-9704-932X","authenticated-orcid":false,"given":"Sarbartha","family":"Banerjee","sequence":"first","affiliation":[{"name":"University of Texas at Austin, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4513-5334","authenticated-orcid":false,"given":"Shijia","family":"Wei","sequence":"additional","affiliation":[{"name":"University of Texas at Austin, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-0774-1501","authenticated-orcid":false,"given":"Prakash","family":"Ramrakhyani","sequence":"additional","affiliation":[{"name":"ARM Research"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0384-3308","authenticated-orcid":false,"given":"Mohit","family":"Tiwari","sequence":"additional","affiliation":[{"name":"University of Texas at Austin, USA"}]}],"member":"320","published-online":{"date-parts":[[2023,10,29]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"[n. d.]. Amazon sagemaker. https:\/\/aws.amazon.com\/sagemaker\/."},{"key":"e_1_3_2_1_2_1","unstructured":"[n. d.]. ARM Trustzone. https:\/\/www.arm.com\/technologies\/trustzone-for-cortex-a."},{"key":"e_1_3_2_1_3_1","unstructured":"[n. d.]. HuggingFace. https:\/\/huggingface.co."},{"key":"e_1_3_2_1_4_1","unstructured":"[n. d.]. Intel Software Guard Extensions. https:\/\/software.intel.com\/en-us\/sgx."},{"key":"e_1_3_2_1_5_1","unstructured":"[n. d.]. LSTM in keras. https:\/\/blog.keras.io\/a-ten-minute-introduction-to-sequence-to-sequence-learning-in-keras.html."},{"key":"e_1_3_2_1_6_1","unstructured":"[n. d.]. openAI chatgpt. https:\/\/chat.openai.com."},{"key":"e_1_3_2_1_7_1","unstructured":"[n. d.]. System Architecture of TPUv4. https:\/\/cloud.google.com\/tpu\/docs\/system-architecture-tpu-vm."},{"key":"e_1_3_2_1_8_1","volume-title":"Protecting Memory Contents on ARM Cores. In Ninth Real World Crypto Symposium(RWC \u201920)","author":"Avanzi Roberto","year":"2020","unstructured":"Roberto Avanzi, Subhadeep Banik, Orr Dunkelman, Hector Montaner, Prakash Ramrakhyani, Francesco Regazzoni, and Andreas Sandberg. 2020. Protecting Memory Contents on ARM Cores. In Ninth Real World Crypto Symposium(RWC \u201920). https:\/\/rwc.iacr.org\/2020\/slides\/Avanzi.pdf"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA45697.2020.00081"},{"key":"e_1_3_2_1_10_1","volume-title":"Bandwidth Utilization Side-Channel on ML Inference Accelerators","author":"Banerjee Sarbartha","year":"2021","unstructured":"Sarbartha Banerjee, Shijia Wei, Prakash Ramrakhyani, and Mohit Tiwari. 2021. Bandwidth Utilization Side-Channel on ML Inference Accelerators (2021). arXiv:2110.07157"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/3352460.3358310"},{"key":"e_1_3_2_1_12_1","volume-title":"Language models are few-shot learners","author":"Brown Tom","year":"2020","unstructured":"Tom Brown, Benjamin Mann, Nick Ryder, Melanie Subbiah, Jared\u00a0D Kaplan, Prafulla Dhariwal, Arvind Neelakantan, Pranav Shyam, Girish Sastry, Amanda Askell, 2020. Language models are few-shot learners (2020)."},{"key":"e_1_3_2_1_13_1","volume-title":"TVM: An Automated End-to-End Optimizing Compiler for Deep Learning. In 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI 18)","author":"Chen Tianqi","year":"2018","unstructured":"Tianqi Chen, Thierry Moreau, Ziheng Jiang, Lianmin Zheng, Eddie Yan, Haichen Shen, Meghan Cowan, Leyuan Wang, Yuwei Hu, Luis Ceze, Carlos Guestrin, and Arvind Krishnamurthy. 2018. TVM: An Automated End-to-End Optimizing Compiler for Deep Learning. In 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI 18). Carlsbad, CA. https:\/\/www.usenix.org\/conference\/osdi18\/presentation\/chen"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA47549.2020.00027"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1017\/S1351324916000243"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3503222.3507747"},{"key":"e_1_3_2_1_17_1","volume-title":"Citadel: Side-Channel-Resistant Enclaves with Secure Shared Memory on a Speculative Out-of-Order Processor","author":"Drean Jules","year":"2023","unstructured":"Jules Drean, Miguel Gomez-Garcia, Thomas Bourgeat, and Srinivas Devadas. 2023. Citadel: Side-Channel-Resistant Enclaves with Secure Shared Memory on a Speculative Out-of-Order Processor (2023)."},{"key":"e_1_3_2_1_18_1","volume-title":"recommendation for block cipher modes of operation: Galois\/counter mode (gcm) and gmac","author":"Dworkin J","unstructured":"Morris\u00a0J Dworkin. 2007. Sp 800-38d. recommendation for block cipher modes of operation: Galois\/counter mode (gcm) and gmac. National Institute of Standards & Technology."},{"key":"e_1_3_2_1_19_1","volume-title":"Maskgan: better text generation via filling in the_","author":"Fedus William","year":"2018","unstructured":"William Fedus, Ian Goodfellow, and Andrew\u00a0M Dai. 2018. Maskgan: better text generation via filling in the_ (2018)."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO50266.2020.00062"},{"key":"e_1_3_2_1_21_1","volume-title":"International Conference on Machine Learning.","author":"Gilad-Bachrach Ran","year":"2016","unstructured":"Ran Gilad-Bachrach, Nathan Dowlin, Kim Laine, Kristin Lauter, Michael Naehrig, and John Wernsing. 2016. Cryptonets: Applying neural networks to encrypted data with high throughput and accuracy. In International Conference on Machine Learning."},{"key":"e_1_3_2_1_22_1","article-title":"The netflix recommender system: Algorithms, business value, and innovation","volume":"6","author":"Gomez-Uribe A","year":"2015","unstructured":"Carlos\u00a0A Gomez-Uribe and Neil Hunt. 2015. The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6, 4 (2015).","journal-title":"ACM Transactions on Management Information Systems (TMIS)"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00494"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3007787.3001163"},{"key":"e_1_3_2_1_25_1","volume-title":"Deep speech: Scaling up end-to-end speech recognition","author":"Hannun Awni","year":"2014","unstructured":"Awni Hannun, Carl Case, Jared Casper, Bryan Catanzaro, Greg Diamos, Erich Elsen, Ryan Prenger, Sanjeev Satheesh, Shubho Sengupta, Adam Coates, 2014. Deep speech: Scaling up end-to-end speech recognition (2014)."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3466752.3480112"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46493-0_38"},{"key":"e_1_3_2_1_28_1","article-title":"Model Protection: Real-time privacy-preserving inference service for model privacy at the edge","volume":"19","author":"Hou Jiahui","year":"2021","unstructured":"Jiahui Hou, Huiqi Liu, Yunxin Liu, Yu Wang, Peng-Jun Wan, and Xiang-Yang Li. 2021. Model Protection: Real-time privacy-preserving inference service for model privacy at the edge. IEEE Transactions on Dependable and Secure Computing 19, 6 (2021).","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3489517.3530439"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3470496.3527418"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/3195970.3196105"},{"key":"e_1_3_2_1_32_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Huang Zhicong","year":"2022","unstructured":"Zhicong Huang, Wen-jie Lu, Cheng Hong, and Jiansheng Ding. 2022. Cheetah: Lean and fast secure { two-party} deep neural network inference. In 31st USENIX Security Symposium (USENIX Security 22)."},{"key":"e_1_3_2_1_33_1","volume-title":"Telekine: Secure Computing with Cloud GPUs. In 17th { USENIX} Symposium on Networked Systems Design and Implementation ({ NSDI} 20).","author":"Hunt Tyler","year":"2020","unstructured":"Tyler Hunt, Zhipeng Jia, Vance Miller, Ariel Szekely, Yige Hu, Christopher\u00a0J Rossbach, and Emmett Witchel. 2020. Telekine: Secure Computing with Cloud GPUs. In 17th { USENIX} Symposium on Networked Systems Design and Implementation ({ NSDI} 20)."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3079856.3080246"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/IMW.2017.7939084"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3419111.3421282"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/LCA.2015.2414456"},{"key":"e_1_3_2_1_38_1","volume-title":"Trusted platform module basics: using TPM in embedded systems","author":"Kinney L","unstructured":"Steven\u00a0L Kinney. 2006. Trusted platform module basics: using TPM in embedded systems. Elsevier."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/3065386"},{"key":"e_1_3_2_1_40_1","volume-title":"MAESTRO: A Data-Centric Approach to Understand Reuse, Performance, and Hardware Cost of DNN Mappings","author":"Kwon Hyoukjun","year":"2020","unstructured":"Hyoukjun Kwon, Prasanth Chatarasi, Vivek Sarkar, Tushar Krishna, Michael Pellauer, and Angshuman Parashar. 2020. MAESTRO: A Data-Centric Approach to Understand Reuse, Performance, and Hardware Cost of DNN Mappings. IEEE Micro 40, 3 (2020)."},{"key":"e_1_3_2_1_41_1","volume-title":"Keystone: A framework for architecting tees","author":"Lee Dayeol","year":"2019","unstructured":"Dayeol Lee, David Kohlbrenner, Shweta Shinde, Dawn Song, and Krste Asanovi\u0107. 2019. Keystone: A framework for architecting tees (2019)."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","unstructured":"Sunho Lee Jungwoo Kim Seonjin Na Jongse Park and Jaehyuk Huh. 2022. TNPU: Supporting Trusted Execution with Tree-less Integrity Protection for Neural Processing Unit. In 2022 IEEE International Symposium on High-Performance Computer Architecture (HPCA). https:\/\/doi.org\/10.1109\/HPCA53966.2022.00025","DOI":"10.1109\/HPCA53966.2022.00025"},{"key":"e_1_3_2_1_43_1","volume-title":"Tunable Memory Protection for Secure Neural Processing Units. In The 40th International Conference on Computer Design (ICCD)","author":"Lee Sunho","year":"2022","unstructured":"Sunho Lee, Seonjin Na, Jungwoo Kim, Jongse Park, and Jaehyuk Huh. 2022. Tunable Memory Protection for Secure Neural Processing Units. In The 40th International Conference on Computer Design (ICCD) 2022."},{"key":"e_1_3_2_1_44_1","article-title":"A survey on deep learning for named entity recognition","volume":"34","author":"Li Jing","year":"2020","unstructured":"Jing Li, Aixin Sun, Jianglei Han, and Chenliang Li. 2020. A survey on deep learning for named entity recognition. IEEE Transactions on Knowledge and Data Engineering 34, 1 (2020).","journal-title":"IEEE Transactions on Knowledge and Data Engineering"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3472883.3486988"},{"key":"e_1_3_2_1_46_1","volume-title":"Proceedings of the Chapel Hill Conference on VLSI.","author":"Lipton J","year":"1985","unstructured":"Richard\u00a0J Lipton and Daniel Lopresti. 1985. A systolic array for rapid string comparison. In Proceedings of the Chapel Hill Conference on VLSI."},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.12"},{"key":"e_1_3_2_1_48_1","volume-title":"VTA: An Open Hardware-Software Stack for Deep Learning","author":"Moreau Thierry","year":"2018","unstructured":"Thierry Moreau, Tianqi Chen, Ziheng Jiang, Luis Ceze, Carlos Guestrin, and Arvind Krishnamurthy. 2018. VTA: An Open Hardware-Software Stack for Deep Learning (2018)."},{"key":"e_1_3_2_1_49_1","volume-title":"Deep learning recommendation model for personalization and recommendation systems","author":"Naumov Maxim","year":"2019","unstructured":"Maxim Naumov, Dheevatsa Mudigere, Hao-Jun\u00a0Michael Shi, Jianyu Huang, Narayanan Sundaraman, Jongsoo Park, Xiaodong Wang, Udit Gupta, Carole-Jean Wu, Alisson\u00a0G Azzolini, 2019. Deep learning recommendation model for personalization and recommendation systems (2019)."},{"key":"e_1_3_2_1_50_1","volume-title":"Faster r-cnn: Towards real-time object detection with region proposal networks","author":"Ren Shaoqing","year":"2015","unstructured":"Shaoqing Ren, Kaiming He, Ross Girshick, and Jian Sun. 2015. Faster r-cnn: Towards real-time object detection with region proposal networks (2015)."},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISPASS48437.2020.00016"},{"key":"e_1_3_2_1_52_1","volume-title":"Julian Schrittwieser, Ioannis Antonoglou","author":"Silver David","year":"2016","unstructured":"David Silver, Aja Huang, Chris\u00a0J Maddison, Arthur Guez, Laurent Sifre, George Van Den\u00a0Driessche, Julian Schrittwieser, Ioannis Antonoglou, Veda Panneershelvam, Marc Lanctot, 2016. Mastering the game of Go with deep neural networks and tree search. nature 529, 7587 (2016)."},{"key":"e_1_3_2_1_53_1","volume-title":"Localizing objects with self-supervised transformers and no labels","author":"Sim\u00e9oni Oriane","year":"2021","unstructured":"Oriane Sim\u00e9oni, Gilles Puy, Huy\u00a0V Vo, Simon Roburin, Spyros Gidaris, Andrei Bursuc, Patrick P\u00e9rez, Renaud Marlet, and Jean Ponce. 2021. Localizing objects with self-supervised transformers and no labels (2021)."},{"key":"e_1_3_2_1_54_1","volume-title":"ACM SIGARCH Computer Architecture News, Vol.\u00a010","author":"Smith E","unstructured":"James\u00a0E Smith. 1982. Decoupled access\/execute computer architectures. In ACM SIGARCH Computer Architecture News, Vol.\u00a010. IEEE Computer Society Press."},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"crossref","unstructured":"Lisa Torrey and Jude Shavlik. 2010. Transfer learning. In Handbook of research on machine learning applications and trends: algorithms methods and techniques. IGI global.","DOI":"10.4018\/978-1-60566-766-9.ch011"},{"key":"e_1_3_2_1_56_1","volume-title":"Attention is all you need","author":"Vaswani Ashish","year":"2017","unstructured":"Ashish Vaswani, Noam Shazeer, Niki Parmar, Jakob Uszkoreit, Llion Jones, Aidan\u00a0N Gomez, \u0141ukasz Kaiser, and Illia Polosukhin. 2017. Attention is all you need (2017)."},{"key":"e_1_3_2_1_57_1","volume-title":"13th { USENIX} Symposium on Operating Systems Design and Implementation ({ OSDI} 18).","author":"Volos Stavros","unstructured":"Stavros Volos, Kapil Vaswani, and Rodrigo Bruno. 2018. Graviton: trusted execution environments on GPUs. In 13th { USENIX} Symposium on Operating Systems Design and Implementation ({ OSDI} 18)."},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/3503222.3507733"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA.2017.36"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00054"}],"event":{"name":"HASP '23: Hardware and Architectural Support for Security and Privacy 2023","location":"Toronto Canada","acronym":"HASP '23"},"container-title":["Proceedings of the 12th International Workshop on Hardware and Architectural Support for Security and Privacy"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3623652.3623672","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3623652.3623672","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:37:00Z","timestamp":1750178220000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3623652.3623672"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,10,29]]},"references-count":60,"alternative-id":["10.1145\/3623652.3623672","10.1145\/3623652"],"URL":"https:\/\/doi.org\/10.1145\/3623652.3623672","relation":{},"subject":[],"published":{"date-parts":[[2023,10,29]]},"assertion":[{"value":"2023-10-29","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}