{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,3]],"date-time":"2025-09-03T10:05:06Z","timestamp":1756893906811,"version":"3.44.0"},"publisher-location":"New York, NY, USA","reference-count":55,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,4,22]],"date-time":"2024-04-22T00:00:00Z","timestamp":1713744000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Amazon Research Award"},{"DOI":"10.13039\/501100006374","name":"UK Research and Innovation","doi-asserted-by":"publisher","award":["EPSRC Open Plus Fellowship EP\/W005271\/1"],"award-info":[{"award-number":["EPSRC Open Plus Fellowship EP\/W005271\/1"]}],"id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,4,22]]},"DOI":"10.1145\/3642970.3655845","type":"proceedings-article","created":{"date-parts":[[2024,4,19]],"date-time":"2024-04-19T10:46:57Z","timestamp":1713523617000},"page":"1-9","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":7,"title":["GuaranTEE"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9481-0826","authenticated-orcid":false,"given":"Sandra","family":"Siby","sequence":"first","affiliation":[{"name":"Imperial College London"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-3024-3106","authenticated-orcid":false,"given":"Sina","family":"Abdollahi","sequence":"additional","affiliation":[{"name":"Imperial College London"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-1905-1611","authenticated-orcid":false,"given":"Mohammad","family":"Maheri","sequence":"additional","affiliation":[{"name":"Imperial College 
London"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-7034-5284","authenticated-orcid":false,"given":"Marios","family":"Kogias","sequence":"additional","affiliation":[{"name":"Imperial College London"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5895-8903","authenticated-orcid":false,"given":"Hamed","family":"Haddadi","sequence":"additional","affiliation":[{"name":"Imperial College London"}]}],"member":"320","published-online":{"date-parts":[[2024,4,22]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Tamas Ban. 2022. Attestation and Measured Boot. https:\/\/www.trustedfirmware.org\/docs\/Attestation_and_Measured_Boot.pdf"},{"key":"e_1_3_2_1_2_1","volume-title":"Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 460--465","author":"Bayerl Sebastian P","year":"2020","unstructured":"Sebastian P Bayerl, Tommaso Frassetto, Patrick Jauernig, Korbinian Riedhammer, Ahmad-Reza Sadeghi, Thomas Schneider, Emmanuel Stapf, and Christian Weinert. 2020. Offline model guard: Secure and private ML on mobile devices. In 2020 Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 460--465."},{"key":"e_1_3_2_1_3_1","volume-title":"A systematic review on model watermarking for neural networks. Frontiers in big Data 4","author":"Boenisch Franziska","year":"2021","unstructured":"Franziska Boenisch. 2021. A systematic review on model watermarking for neural networks. Frontiers in big Data 4 (2021), 729663."},{"key":"e_1_3_2_1_4_1","volume-title":"SANCTUARY: ARMing TrustZone with User-space Enclaves.. In NDSS.","author":"Brasser Ferdinand","year":"2019","unstructured":"Ferdinand Brasser, David Gens, Patrick Jauernig, Ahmad-Reza Sadeghi, and Emmanuel Stapf. 2019. SANCTUARY: ARMing TrustZone with User-space Enclaves.. In NDSS."},{"key":"e_1_3_2_1_5_1","unstructured":"Buildroot. Accessed Feb 2024. buildroot. 
https:\/\/github.com\/buildroot\/buildroot"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00061"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3559388"},{"key":"e_1_3_2_1_8_1","volume-title":"International conference on machine learning. PMLR, 201--210","author":"Gilad-Bachrach Ran","year":"2016","unstructured":"Ran Gilad-Bachrach, Nathan Dowlin, Kim Laine, Kristin Lauter, Michael Naehrig, and John Wernsing. 2016. Cryptonets: Applying neural networks to encrypted data with high throughput and accuracy. In International conference on machine learning. PMLR, 201--210."},{"key":"e_1_3_2_1_9_1","volume-title":"Yerbabuena: Securing deep learning inference data via enclave-based ternary model partitioning. arXiv preprint arXiv:1807.00969","author":"Gu Zhongshu","year":"2018","unstructured":"Zhongshu Gu, Heqing Huang, Jialong Zhang, Dong Su, Hani Jamjoom, Ankita Lamba, Dimitrios Pendarakis, and Ian Molloy. 2018. Yerbabuena: Securing deep learning inference data via enclave-based ternary model partitioning. arXiv preprint arXiv:1807.00969 (2018)."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/2185376.2185390"},{"key":"e_1_3_2_1_11_1","volume-title":"Darknight: A data privacy scheme for training and inference of deep neural networks. arXiv preprint arXiv:2006.01300","author":"Hashemi Hanieh","year":"2020","unstructured":"Hanieh Hashemi, Yongqin Wang, and Murali Annavaram. 2020. Darknight: A data privacy scheme for training and inference of deep neural networks. 
arXiv preprint arXiv:2006.01300 (2020)."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3126315"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/3579856.3582820"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/3580599"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2022.3172213"},{"key":"e_1_3_2_1_16_1","volume-title":"16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22)","author":"Li Xupeng","year":"2022","unstructured":"Xupeng Li, Xuheng Li, Christoffer Dall, Ronghui Gu, Jason Nieh, Yousuf Sait, and Gareth Stockwell. 2022. Design and verification of the arm confidential compute architecture. In 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22). 465--484."},{"key":"e_1_3_2_1_17_1","unstructured":"Xupeng Li Xuheng Li Christoffer Dall Ronghui Gu Jason Nieh Yousuf Sait Gareth Stockwell Mark Knight and Charles Garcia-Tobin. [n. d.]. Enabling Realms with the Arm Confidential Compute Architecture. ([n. d.])."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2021.07.051"},{"key":"e_1_3_2_1_19_1","unstructured":"Arm Limited. 2023. Fixed Virtual Platforms. https:\/\/developer.arm.com\/Tools%20and%20Software\/Fixed%20Virtual%20Platforms"},{"key":"e_1_3_2_1_20_1","unstructured":"Arm Limited. 2023. Introducing Arm Confidential Compute Architecture. https:\/\/developer.arm.com\/documentation\/den0125\/0300\/Overview"},{"key":"e_1_3_2_1_21_1","unstructured":"Arm Limited. 2023. Realm Management Monitor Specification. https:\/\/developer.arm.com\/documentation\/den0137\/latest\/"},{"key":"e_1_3_2_1_22_1","unstructured":"Arm Limited. 2023. Reference Arm CCA integration stack Software User Guide. https:\/\/gitlab.arm.com\/arm-reference-solutions\/arm-reference-solutions-docs\/-\/blob\/master\/docs\/aemfvp-a-rme\/user-guide.rst"},{"key":"e_1_3_2_1_23_1","unstructured":"Arm Limited. 
Accessed Feb 2024. Arm Confidential Compute Architecture. https:\/\/www.arm.com\/architecture\/security-features\/arm-confidential-compute-architecture"},{"key":"e_1_3_2_1_24_1","unstructured":"Arm Limited. Accessed Feb 2024. linux-cca. https:\/\/gitlab.arm.com\/linux-arm\/linux-cca"},{"key":"e_1_3_2_1_25_1","unstructured":"Arm Limited. Accessed Feb 2024. TrustZone for Cortex-A. https:\/\/www.arm.com\/technologies\/trustzone-for-cortex-a"},{"volume-title":"Performance Acceleration of Secure Machine Learning Computations for Edge Applications. In 2022 IEEE 28th International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA)","author":"Lin Zi-Jie","key":"e_1_3_2_1_26_1","unstructured":"Zi-Jie Lin, Chuan-Chi Wang, Chia-Heng Tu, and Shih-Hao Hung. 2022. Performance Acceleration of Secure Machine Learning Computations for Edge Applications. In 2022 IEEE 28th International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA). IEEE, 138--147."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134056"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/3543507.3583198"},{"key":"e_1_3_2_1_29_1","volume-title":"MirrorNet: A TEE-Friendly Framework for Secure On-Device DNN Inference. In 2023 IEEE\/ACM International Conference on Computer Aided Design (ICCAD). IEEE, 1--9.","author":"Liu Ziyu","year":"2023","unstructured":"Ziyu Liu, Yukui Luo, Shijin Duan, Tong Zhou, and Xiaolin Xu. 2023. MirrorNet: A TEE-Friendly Framework for Secure On-Device DNN Inference. In 2023 IEEE\/ACM International Conference on Computer Aided Design (ICCAD). IEEE, 1--9."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3386901.3388946"},{"key":"e_1_3_2_1_31_1","volume-title":"SoK: machine learning with confidential computing. arXiv preprint arXiv:2208.10134","author":"Mo Fan","year":"2022","unstructured":"Fan Mo, Zahra Tarkhani, and Hamed Haddadi. 2022. 
SoK: machine learning with confidential computing. arXiv preprint arXiv:2208.10134 (2022)."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.12"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.5555\/2907333.2907522"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3291047"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196522"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3591197.3591308"},{"key":"e_1_3_2_1_37_1","volume-title":"SoK: Attestation in confidential computing. ResearchGate pre-print","author":"Sardar M","year":"2023","unstructured":"M Sardar, Thomas Fossati, and Simon Frost. 2023. SoK: Attestation in confidential computing. ResearchGate pre-print (2023)."},{"key":"e_1_3_2_1_38_1","volume-title":"Shweta Shinde, Srdjan Capkun, and Ronald Perez.","author":"Schneider Moritz","year":"2022","unstructured":"Moritz Schneider, Ramya Jayaram Masti, Shweta Shinde, Srdjan Capkun, and Ronald Perez. 2022. Sok: Hardware-supported trusted execution environments. arXiv preprint arXiv:2205.12742 (2022)."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/IoTDI.2018.00024"},{"key":"e_1_3_2_1_40_1","volume-title":"2022 USENIX Annual Technical Conference (USENIX ATC 22)","author":"Shen Tianxiang","year":"2022","unstructured":"Tianxiang Shen, Ji Qi, Jianyu Jiang, Xian Wang, Siyuan Wen, Xusheng Chen, Shixiong Zhao, Sen Wang, Li Chen, Xiapu Luo, et al. 2022. {SOTER}: Guarding Black-box Inference for General Neural Networks at the Edge. In 2022 USENIX Annual Technical Conference (USENIX ATC 22). 723--738."},{"key":"e_1_3_2_1_41_1","volume-title":"33rd USENIX Security Symposium (USENIX Security'24)","author":"Sridhara Supraja","year":"2024","unstructured":"Supraja Sridhara, Andrin Bertschi, Benedict Schl\u00fcter, Mark Kuhne, Fabio Aliberti, and Shweta Shinde. 2024. 
ACAI: Extending Arm Confidential Computing Architecture Protection from CPUs to Accelerators. In 33rd USENIX Security Symposium (USENIX Security'24)."},{"key":"e_1_3_2_1_42_1","volume-title":"LEAP: TrustZone Based Developer-Friendly TEE for Intelligent Mobile Apps","author":"Sun Lizhi","year":"2022","unstructured":"Lizhi Sun, Shuocheng Wang, Hao Wu, Yuhang Gong, Fengyuan Xu, Yunxin Liu, Hao Han, and Sheng Zhong. 2022. LEAP: TrustZone Based Developer-Friendly TEE for Intelligent Mobile Apps. IEEE Transactions on Mobile Computing (2022)."},{"key":"e_1_3_2_1_43_1","volume-title":"Deep Intellectual Property: A Survey. arXiv preprint arXiv:2304.14613","author":"Sun Yuchen","year":"2023","unstructured":"Yuchen Sun, Tianpeng Liu, Panhe Hu, Qing Liao, Shouling Ji, Nenghai Yu, Deke Guo, and Li Liu. 2023. Deep Intellectual Property: A Survey. arXiv preprint arXiv:2304.14613 (2023)."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179382"},{"key":"e_1_3_2_1_45_1","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Sun Zhichuang","year":"2021","unstructured":"Zhichuang Sun, Ruimin Sun, Long Lu, and Alan Mislove. 2021. Mind your weight (s): A large-scale study on insufficient machine learning model protection in mobile apps. In 30th USENIX Security Symposium (USENIX Security 21). 1955--1972."},{"key":"e_1_3_2_1_46_1","unstructured":"TensorFlow. Accessed Feb 2024. MobilenetV1. https:\/\/github.com\/tensorflow\/models\/blob\/master\/research\/slim\/nets\/mobilenet_v1.md"},{"key":"e_1_3_2_1_47_1","volume-title":"Verifiable and Private Execution of Neural Networks in Trusted Hardware. In International Conference on Learning Representations.","author":"Tramer Florian","year":"2018","unstructured":"Florian Tramer and Dan Boneh. 2018. Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware. 
In International Conference on Learning Representations."},{"key":"e_1_3_2_1_48_1","unstructured":"TrustedFirmware. Accessed Feb 2024. TF-A. https:\/\/www.trustedfirmware.org\/projects\/tf-a"},{"key":"e_1_3_2_1_49_1","unstructured":"TrustedFirmware. Accessed Feb 2024. TF-RMM. https:\/\/www.trustedfirmware.org\/projects\/tf-rmm"},{"key":"e_1_3_2_1_50_1","volume-title":"SEALion: A framework for neural network inference on encrypted data. arXiv preprint arXiv:1904.12840","author":"van Elsloo Tim","year":"2019","unstructured":"Tim van Elsloo, Giorgio Patrini, and Hamish Ivey-Law. 2019. SEALion: A framework for neural network inference on encrypted data. arXiv preprint arXiv:1904.12840 (2019)."},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/3308558.3313591"},{"key":"e_1_3_2_1_52_1","volume-title":"virtCCA: Virtualized Arm Confidential Compute Architecture with TrustZone. arXiv preprint arXiv:2306.11011","author":"Xu Xiangyi","year":"2023","unstructured":"Xiangyi Xu, Wenhao Wang, Yongzheng Wu, Zhennan Min, Zixuan Pang, and Yier Jin. 2023. virtCCA: Virtualized Arm Confidential Compute Architecture with TrustZone. arXiv preprint arXiv:2306.11011 (2023)."},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/TAI.2021.3133824"},{"key":"e_1_3_2_1_54_1","volume-title":"SHELTER: Extending Arm CCA with Isolation in User Space. In 32nd USENIX Security Symposium (USENIX Security'23)","author":"Zhang Yiming","year":"2023","unstructured":"Yiming Zhang, Yuxin Hu, Zhenyu Ning, Fengwei Zhang, Xiapu Luo, Haoyang Huang, Shoumeng Yan, and Zhengyu He. 2023. SHELTER: Extending Arm CCA with Isolation in User Space. In 32nd USENIX Security Symposium (USENIX Security'23)."},{"key":"e_1_3_2_1_55_1","volume-title":"No Privacy Left Outside: On the (In-) Security of TEE-Shielded DNN Partition for On-Device ML. In 2024 IEEE Symposium on Security and Privacy (SP). 
IEEE Computer Society, 52--52","author":"Zhang Ziqi","year":"2024","unstructured":"Ziqi Zhang, Chen Gong, Yifeng Cai, Yuanyuan Yuan, Bingyan Liu, Ding Li, Yao Guo, and Xiangqun Chen. 2024. No Privacy Left Outside: On the (In-) Security of TEE-Shielded DNN Partition for On-Device ML. In 2024 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 52--52."}],"event":{"name":"EuroSys '24: Nineteenth European Conference on Computer Systems","sponsor":["SIGOPS ACM Special Interest Group on Operating Systems"],"location":"Athens Greece","acronym":"EuroSys '24"},"container-title":["Proceedings of the 4th Workshop on Machine Learning and Systems"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3642970.3655845","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3642970.3655845","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T00:16:33Z","timestamp":1755908193000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3642970.3655845"}},"subtitle":["Towards Attestable and Private ML with CCA"],"short-title":[],"issued":{"date-parts":[[2024,4,22]]},"references-count":55,"alternative-id":["10.1145\/3642970.3655845","10.1145\/3642970"],"URL":"https:\/\/doi.org\/10.1145\/3642970.3655845","relation":{},"subject":[],"published":{"date-parts":[[2024,4,22]]},"assertion":[{"value":"2024-04-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}