{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,23]],"date-time":"2026-06-23T14:11:43Z","timestamp":1782223903822,"version":"3.54.5"},"publisher-location":"New York, NY, USA","reference-count":141,"publisher":"ACM","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,12,15]]},"DOI":"10.1145\/3721462.3730956","type":"proceedings-article","created":{"date-parts":[[2025,12,8]],"date-time":"2025-12-08T19:56:49Z","timestamp":1765223809000},"page":"298-313","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["MVTEE: Multi-Variant Trusted Execution for Secure Model Inference"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0004-3372-8724","authenticated-orcid":false,"given":"Kailun","family":"Qin","sequence":"first","affiliation":[{"name":"Shanghai Jiao Tong University, Shanghai, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0504-9538","authenticated-orcid":false,"given":"Dawu","family":"Gu","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University, Shanghai, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2025,12,14]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2024. Amazon Elastic Inference. https:\/\/docs.aws.amazon.com\/elastic-inference."},{"key":"e_1_3_2_1_2_1","unstructured":"2024. Eigen: a C++ template library for linear algebra: matrices vectors numerical solvers and related algorithms. https:\/\/eigen.tuxfamily.org."},{"key":"e_1_3_2_1_3_1","unstructured":"2024. Enarx: Confidential Computing with WebAssembly. https:\/\/github.com\/enarx\/enarx."},{"key":"e_1_3_2_1_4_1","unstructured":"2024. Fortanix EDP: Enclave Development Platform. https:\/\/edp.fortanix.com\/."},{"key":"e_1_3_2_1_5_1","unstructured":"2024. Google Tensorflow: Product details threats and statistics. https:\/\/www.cvedetails.com\/product\/53738\/Google-Tensorflow.html."},{"key":"e_1_3_2_1_6_1","unstructured":"2024. Intel\u00ae Trust Domain Extensions (Intel\u00ae TDX). https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/articles\/technical\/intel-trust-domainextensions.html."},{"key":"e_1_3_2_1_7_1","unstructured":"2024. Kubernetes Init Containers. https:\/\/kubernetes.io\/docs\/concepts\/workloads\/pods\/init-containers."},{"key":"e_1_3_2_1_8_1","unstructured":"2024. Kubernetes ReplicaSet. https:\/\/kubernetes.io\/docs\/concepts\/workloads\/controllers\/replicaset."},{"key":"e_1_3_2_1_9_1","unstructured":"2024. Model inference overview. https:\/\/cloud.google.com\/bigquery\/docs\/inference-overview."},{"key":"e_1_3_2_1_10_1","unstructured":"2024. NVIDIA Confidential Computing. https:\/\/www.nvidia.com\/en-us\/data-center\/solutions\/confidential-computing."},{"key":"e_1_3_2_1_11_1","unstructured":"2024. ONNX: Open standard for machine learning interoperability. https:\/\/github.com\/onnx\/onnx."},{"key":"e_1_3_2_1_12_1","unstructured":"2024. ONNX Runtime: cross-platform high performance ML inferencing and training accelerator. https:\/\/github.com\/microsoft\/onnxruntime."},{"key":"e_1_3_2_1_13_1","unstructured":"2024. OpenBLAS: an optimized BLAS library based on GotoBLAS2 1.13 BSD version. https:\/\/github.com\/OpenMathLib\/OpenBLAS."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3306346.3322967","article-title":"Learning to optimize halide with tree search and random programs","volume":"38","author":"Adams Andrew","year":"2019","unstructured":"Andrew Adams, Karima Ma, Luke Anderson, Riyadh Baghdadi, Tzu-Mao Li, Micha\u00ebl Gharbi, Benoit Steiner, Steven Johnson, Kayvon Fatahalian, Fr\u00e9do Durand, et al. 2019. Learning to optimize halide with tree search and random programs. ACM Transactions on Graphics (TOG) 38, 4 (2019), 1\u201312.","journal-title":"ACM Transactions on Graphics (TOG)"},{"key":"e_1_3_2_1_15_1","volume-title":"2018 48th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 195\u2013206","author":"Alder Fritz","year":"2018","unstructured":"Fritz Alder, Arseny Kurnikov, Andrew Paverd, and N Asokan. 2018. Migrating SGX enclaves with persistent state. In 2018 48th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 195\u2013206."},{"key":"e_1_3_2_1_16_1","volume-title":"DieHard: Probabilistic memory safety for unsafe languages. Acm sigplan notices 41, 6","author":"Berger Emery D","year":"2006","unstructured":"Emery D Berger and Benjamin G Zorn. 2006. DieHard: Probabilistic memory safety for unsafe languages. Acm sigplan notices 41, 6 (2006), 158\u2013168."},{"key":"e_1_3_2_1_17_1","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Biondo Andrea","year":"2018","unstructured":"Andrea Biondo, Mauro Conti, Lucas Davi, Tommaso Frassetto, and Ahmad-Reza Sadeghi. 2018. The Guard's Dilemma: Efficient {Code-Reuse} Attacks Against Intel {SGX}. In 27th USENIX Security Symposium (USENIX Security 18). 1213\u20131227."},{"key":"e_1_3_2_1_18_1","volume-title":"Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2204\u20132206","author":"Breier Jakub","year":"2018","unstructured":"Jakub Breier, Xiaolu Hou, Dirmanto Jap, Lei Ma, Shivam Bhasin, and Yang Liu. 2018. Practical fault attack on deep neural networks. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2204\u20132206."},{"key":"e_1_3_2_1_19_1","volume-title":"Artificial Software Diversification for WebAssembly. Ph. D. Dissertation","author":"Arteaga Javier Cabrera","unstructured":"Javier Cabrera Arteaga. 2022. Artificial Software Diversification for WebAssembly. Ph. D. Dissertation. KTH Royal Institute of Technology."},{"key":"e_1_3_2_1_20_1","volume-title":"Proceedings of the 9th ACM Workshop on Moving Target Defense. 11\u201322","author":"Arteaga Javier Cabrera","year":"2022","unstructured":"Javier Cabrera Arteaga, Pierre Laperdrix, Martin Monperrus, and Benoit Baudry. 2022. Multi-variant Execution at the Edge. In Proceedings of the 9th ACM Workshop on Moving Target Defense. 11\u201322."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"crossref","unstructured":"Liheng Chen Zheming Li Zheyu Ma Yuan Li Baojian Chen and Chao Zhang. 2024. EnclaveFuzz: Finding Vulnerabilities in SGX Applications. In NDSS.","DOI":"10.14722\/ndss.2024.24819"},{"key":"e_1_3_2_1_22_1","volume-title":"13th USENIX Symposium on Operating Systems Design and Implementation (OSDI 18)","author":"Chen Tianqi","year":"2018","unstructured":"Tianqi Chen, Thierry Moreau, Ziheng Jiang, Lianmin Zheng, Eddie Yan, Haichen Shen, Meghan Cowan, Leyuan Wang, Yuwei Hu, Luis Ceze, et al. 2018. {TVM}: An automated {End-to-End} optimizing compiler for deep learning. In 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI 18). 578\u2013594."},{"key":"e_1_3_2_1_23_1","volume-title":"Learning to optimize tensor programs. Advances in Neural Information Processing Systems 31","author":"Chen Tianqi","year":"2018","unstructured":"Tianqi Chen, Lianmin Zheng, Eddie Yan, Ziheng Jiang, Thierry Moreau, Luis Ceze, Carlos Guestrin, and Arvind Krishnamurthy. 2018. Learning to optimize tensor programs. Advances in Neural Information Processing Systems 31 (2018)."},{"key":"e_1_3_2_1_24_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Christou Neophytos","year":"2023","unstructured":"Neophytos Christou, Di Jin, Vaggelis Atlidakis, Baishakhi Ray, and Vasileios P Kemerlis. 2023. {IvySyn}: Automated Vulnerability Discovery in Deep Learning Frameworks. In 32nd USENIX Security Symposium (USENIX Security 23). 2383\u20132400."},{"key":"e_1_3_2_1_25_1","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Cloosters Tobias","year":"2020","unstructured":"Tobias Cloosters, Michael Rodler, and Lucas Davi. 2020. {TeeRex}: Discovery and exploitation of memory corruption vulnerabilities in {SGX} enclaves. In 29th USENIX Security Symposium (USENIX Security 20). 841\u2013858."},{"key":"e_1_3_2_1_26_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Cloosters Tobias","year":"2022","unstructured":"Tobias Cloosters, Johannes Willbold, Thorsten Holz, and Lucas Davi. 2022. {SGXFuzz}: Efficiently synthesizing nested structures for {SGX} enclave fuzzing. In 31st USENIX Security Symposium (USENIX Security 22). 3147\u20133164."},{"key":"e_1_3_2_1_27_1","volume-title":"Intel SGX explained. Cryptology ePrint Archive","author":"Costan Victor","year":"2016","unstructured":"Victor Costan and Srinivas Devadas. 2016. Intel SGX explained. Cryptology ePrint Archive (2016)."},{"key":"e_1_3_2_1_28_1","volume-title":"USENIX Security Symposium","volume":"114","author":"Cox Benjamin","year":"2006","unstructured":"Benjamin Cox, David Evans, Adrian Filipi, Jonathan Rowanhill, Wei Hu, Jack Davidson, John Knight, Anh Nguyen-Tuong, and Jason Hiser. 2006. N-Variant Systems: A Secretless Framework for Security through Diversity.. In USENIX Security Symposium, Vol. 114. 114."},{"key":"e_1_3_2_1_29_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Deng Zizhuang","year":"2023","unstructured":"Zizhuang Deng, Guozhu Meng, Kai Chen, Tong Liu, Lu Xiang, and Chunyang Chen. 2023. Differential Testing of Cross Deep Learning Framework {APIs}: Revealing Inconsistencies and Vulnerabilities. In 32nd USENIX Security Symposium (USENIX Security 23). 7393\u20137410."},{"key":"e_1_3_2_1_30_1","volume-title":"2020 20th IEEE\/ACM International Symposium on Cluster, Cloud and Internet Computing (CCGRID). IEEE, 519\u2013528","author":"Elgamal Tarek","year":"2020","unstructured":"Tarek Elgamal and Klara Nahrstedt. 2020. Serdab: An IoT framework for partitioning neural networks computation across multiple enclaves. In 2020 20th IEEE\/ACM International Symposium on Cluster, Cloud and Internet Computing (CCGRID). IEEE, 519\u2013528."},{"key":"e_1_3_2_1_31_1","volume-title":"2022 18th European Dependable Computing Conference (EDCC). IEEE, 9\u201316","author":"Enomoto Shuhei","year":"2022","unstructured":"Shuhei Enomoto and Hiroshi Yamada. 2022. A Multi-variant Execution Environment for Securing In-memory KVSes. In 2022 18th European Dependable Computing Conference (EDCC). IEEE, 9\u201316."},{"key":"e_1_3_2_1_32_1","volume-title":"2022 52nd Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 415\u2013427","author":"Espinoza Antonio M","year":"2022","unstructured":"Antonio M Espinoza, Riley Wood, Stephanie Forrest, and Mohit Tiwari. 2022. Back to the future: N-Versioning of Microservices. In 2022 52nd Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 415\u2013427."},{"key":"e_1_3_2_1_33_1","volume-title":"DIMVA 2016, San Sebasti\u00e1n, Spain, July 7\u20138, 2016, Proceedings 13","author":"Gawlik Robert","year":"2016","unstructured":"Robert Gawlik, Philipp Koppe, Benjamin Kollenda, Andre Pawlowski, Behrad Garmany, and Thorsten Holz. 2016. Detile: Fine-grained information leak detection in script engines. In Detection of Intrusions and Malware, and Vulnerability Assessment: 13th International Conference, DIMVA 2016, San Sebasti\u00e1n, Spain, July 7\u20138, 2016, Proceedings 13. Springer, 322\u2013342."},{"key":"e_1_3_2_1_34_1","volume-title":"International conference on machine learning. PMLR, 201\u2013210","author":"Gilad-Bachrach Ran","year":"2016","unstructured":"Ran Gilad-Bachrach, Nathan Dowlin, Kim Laine, Kristin Lauter, Michael Naehrig, and John Wernsing. 2016. Cryptonets: Applying neural networks to encrypted data with high throughput and accuracy. In International conference on machine learning. PMLR, 201\u2013210."},{"key":"e_1_3_2_1_35_1","volume-title":"2020 IEEE International Symposium on High Performance Computer Architecture (HPCA). IEEE, 488\u2013501","author":"Gupta Udit","year":"2020","unstructured":"Udit Gupta, Carole-Jean Wu, Xiaodong Wang, Maxim Naumov, Brandon Reagen, David Brooks, Bradford Cottel, Kim Hazelwood, Mark Hempstead, Bill Jia, et al. 2020. The architectural implications of facebook's dnn-based personalized recommendation. In 2020 IEEE International Symposium on High Performance Computer Architecture (HPCA). IEEE, 488\u2013501."},{"key":"e_1_3_2_1_36_1","volume-title":"2018 IEEE international symposium on high performance computer architecture (HPCA). IEEE, 620\u2013629","author":"Hazelwood Kim","year":"2018","unstructured":"Kim Hazelwood, Sarah Bird, David Brooks, Soumith Chintala, Utku Diril, Dmytro Dzhulgakov, Mohamed Fawzy, Bill Jia, Yangqing Jia, Aditya Kalro, et al. 2018. Applied machine learning at facebook: A datacenter infrastructure perspective. In 2018 IEEE international symposium on high performance computer architecture (HPCA). IEEE, 620\u2013629."},{"key":"e_1_3_2_1_37_1","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition. 14095\u201314103","author":"He Zhezhi","year":"2020","unstructured":"Zhezhi He, Adnan Siraj Rakin, Jingtao Li, Chaitali Chakrabarti, and Deliang Fan. 2020. Defending and harnessing the bit-flip based adversarial weight attack. In Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition. 14095\u201314103."},{"key":"e_1_3_2_1_38_1","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Hong Sanghyun","year":"2019","unstructured":"Sanghyun Hong, Pietro Frigo, Yi\u011fitcan Kaya, Cristiano Giuffrida, and Tudor Dumitra\u015f. 2019. Terminal brain damage: Exposing the graceless degradation in deep neural networks under hardware fault attacks. In 28th USENIX Security Symposium (USENIX Security 19). 497\u2013514."},{"key":"e_1_3_2_1_39_1","volume-title":"2013 35th International Conference on Software Engineering (ICSE). IEEE, 612\u2013621","author":"Hosek Petr","year":"2013","unstructured":"Petr Hosek and Cristian Cadar. 2013. Safe software updates via multi-version execution. In 2013 35th International Conference on Software Engineering (ICSE). IEEE, 612\u2013621."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"crossref","first-page":"339","DOI":"10.1145\/2786763.2694390","article-title":"Varan the unbelievable: An efficient n-version execution framework","volume":"43","author":"Hosek Petr","year":"2015","unstructured":"Petr Hosek and Cristian Cadar. 2015. Varan the unbelievable: An efficient n-version execution framework. ACM SIGARCH Computer Architecture News 43, 1 (2015), 339\u2013353.","journal-title":"ACM SIGARCH Computer Architecture News"},{"key":"e_1_3_2_1_41_1","first-page":"4270","article-title":"Model protection: Real-time privacy-preserving inference service for model privacy at the edge","volume":"19","author":"Hou Jiahui","year":"2021","unstructured":"Jiahui Hou, Huiqi Liu, Yunxin Liu, Yu Wang, Peng-Jun Wan, and Xiang-Yang Li. 2021. Model protection: Real-time privacy-preserving inference service for model privacy at the edge. IEEE Transactions on Dependable and Secure Computing 19, 6 (2021), 4270\u20134284.","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"e_1_3_2_1_42_1","volume-title":"Proceedings of the ACM\/IEEE 42nd international conference on software engineering. 1110\u20131121","author":"Humbatova Nargiz","year":"2020","unstructured":"Nargiz Humbatova, Gunel Jahangirova, Gabriele Bavota, Vincenzo Riccio, Andrea Stocco, and Paolo Tonella. 2020. Taxonomy of real faults in deep learning systems. In Proceedings of the ACM\/IEEE 42nd international conference on software engineering. 1110\u20131121."},{"key":"e_1_3_2_1_43_1","unstructured":"Gadi Hutt Vibhav Viswanathan and Adam Nadolski. 2019. Deliver high performance ML inference with AWS Inferentia. (2019). https:\/\/d1.awsstatic.com\/events\/reinvent\/2019\/REPEAT_1_Deliver_high_performance_ML_inference_with_AWS_Inferentia_CMP324-R1.pdf"},{"key":"e_1_3_2_1_44_1","volume-title":"Proceedings of the 2019 27th ACM joint meeting on european software engineering conference and symposium on the foundations of software engineering. 510\u2013520","author":"Islam Md Johirul","year":"2019","unstructured":"Md Johirul Islam, Giang Nguyen, Rangeet Pan, and Hridesh Rajan. 2019. A comprehensive study on deep learning bug characteristics. In Proceedings of the 2019 27th ACM joint meeting on european software engineering conference and symposium on the foundations of software engineering. 510\u2013520."},{"key":"e_1_3_2_1_45_1","volume-title":"System Call Interposition Without Compromise. In 2024 54th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 183\u2013194","author":"Jacobs Adriaan","year":"2024","unstructured":"Adriaan Jacobs, Merve G\u00fclmez, Alicia Andries, Stijn Volckaert, and Alexios Voulimeneas. 2024. System Call Interposition Without Compromise. In 2024 54th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 183\u2013194."},{"key":"e_1_3_2_1_46_1","volume-title":"Proceedings of the 2nd Workshop on System Software for Trusted Execution. 1\u20136.","author":"Jang Yeongjin","year":"2017","unstructured":"Yeongjin Jang, Jaehyuk Lee, Sangho Lee, and Taesoo Kim. 2017. SGX-Bomb: Locking down the processor via Rowhammer attack. In Proceedings of the 2nd Workshop on System Software for Trusted Execution. 1\u20136."},{"key":"e_1_3_2_1_47_1","volume-title":"2021 IEEE\/ACM International Conference On Computer Aided Design (ICCAD). IEEE, 1\u20139.","author":"Javaheripi Mojan","year":"2021","unstructured":"Mojan Javaheripi and Farinaz Koushanfar. 2021. Hashtag: Hash signatures for online detection of fault-injection attacks on deep neural networks. In 2021 IEEE\/ACM International Conference On Computer Aided Design (ICCAD). IEEE, 1\u20139."},{"key":"e_1_3_2_1_48_1","volume-title":"Proceedings of the 2018 conference of the ACM special interest group on data communication. 253\u2013266","author":"Jiang Junchen","year":"2018","unstructured":"Junchen Jiang, Ganesh Ananthanarayanan, Peter Bodik, Siddhartha Sen, and Ion Stoica. 2018. Chameleon: scalable adaptation of video analytics. In Proceedings of the 2018 conference of the ACM special interest group on data communication. 253\u2013266."},{"key":"e_1_3_2_1_49_1","volume-title":"Proceedings of the 2017 symposium on cloud computing. 445\u2013451","author":"Jonas Eric","year":"2017","unstructured":"Eric Jonas, Qifan Pu, Shivaram Venkataraman, Ion Stoica, and Benjamin Recht. 2017. Occupy the cloud: Distributed computing for the 99%. In Proceedings of the 2017 symposium on cloud computing. 445\u2013451."},{"key":"e_1_3_2_1_50_1","volume-title":"27th USENIX security symposium (USENIX security 18). 1651\u20131669.","author":"Juvekar Chiraag","unstructured":"Chiraag Juvekar, Vinod Vaikuntanathan, and Anantha Chandrakasan. 2018. {GAZELLE}: A low latency framework for secure neural network inference. In 27th USENIX security symposium (USENIX security 18). 1651\u20131669."},{"key":"e_1_3_2_1_51_1","volume-title":"Soda","volume":"93","author":"Karger David R","year":"1993","unstructured":"David R Karger. 1993. Global Min-cuts in RNC, and Other Ramifications of a Simple Min-Cut Algorithm.. In Soda, Vol. 93. Citeseer, 21\u201330."},{"key":"e_1_3_2_1_52_1","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Kenjar Zijo","year":"2020","unstructured":"Zijo Kenjar, Tommaso Frassetto, David Gens, Michael Franz, and Ahmad-Reza Sadeghi. 2020. {V0LTpwn}: Attacking x86 processor integrity from software. In 29th USENIX Security Symposium (USENIX Security 20). 1445\u20131461."},{"key":"e_1_3_2_1_53_1","volume-title":"Proceedings of the 11th ACM Symposium on Cloud Computing. 462\u2013476","author":"Kim Kyungtae","year":"2020","unstructured":"Kyungtae Kim, Chung Hwan Kim, Junghwan\" John\" Rhee, Xiao Yu, Haifeng Chen, Dave Tian, and Byoungyoung Lee. 2020. Vessels: Efficient and scalable deep learning prediction on trusted processors. In Proceedings of the 11th ACM Symposium on Cloud Computing. 462\u2013476."},{"key":"e_1_3_2_1_54_1","volume-title":"Integrating remote attestation with transport layer security. arXiv preprint arXiv:1801.05863","author":"Knauth Thomas","year":"2018","unstructured":"Thomas Knauth, Michael Steiner, Somnath Chakrabarti, Li Lei, Cedric Xing, and Mona Vij. 2018. Integrating remote attestation with transport layer security. arXiv preprint arXiv:1801.05863 (2018)."},{"key":"e_1_3_2_1_55_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Kogler Andreas","year":"2022","unstructured":"Andreas Kogler, Daniel Gruss, and Michael Schwarz. 2022. Minefield: A Software-only Protection for {SGX} Enclaves against {DVFS} Attacks. In 31st USENIX Security Symposium (USENIX Security 22). 4147\u20134164."},{"key":"e_1_3_2_1_56_1","unstructured":"Denis Kolegov and Anton Nikolaev. [n. d.]."},{"key":"e_1_3_2_1_57_1","volume-title":"2016 46th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 431\u2013442","author":"Koning Koen","year":"2016","unstructured":"Koen Koning, Herbert Bos, and Cristiano Giuffrida. 2016. Secure and efficient multi-variant execution using hardware-assisted process virtualization. In 2016 46th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 431\u2013442."},{"key":"e_1_3_2_1_58_1","volume-title":"Franz Gregor, Sergei Arnautov, Pramod Bhatotia, and Christof Fetzer.","author":"Kunkel Roland","year":"2019","unstructured":"Roland Kunkel, Do Le Quoc, Franz Gregor, Sergei Arnautov, Pramod Bhatotia, and Christof Fetzer. 2019. Tensorscone: A secure tensorflow framework using intel sgx. arXiv preprint arXiv:1902.04413 (2019)."},{"key":"e_1_3_2_1_59_1","volume-title":"Proceedings of the Twelfth European Conference on Computer Systems. 205\u2013221","author":"Kuvaiskii Dmitrii","year":"2017","unstructured":"Dmitrii Kuvaiskii, Oleksii Oleksenko, Sergei Arnautov, Bohdan Trach, Pramod Bhatotia, Pascal Felber, and Christof Fetzer. 2017. SGXBOUNDS: Memory safety for shielded execution. In Proceedings of the Twelfth European Conference on Computer Systems. 205\u2013221."},{"key":"e_1_3_2_1_60_1","volume-title":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 4598\u20134612","author":"Kuvaiskii Dmitrii","year":"2024","unstructured":"Dmitrii Kuvaiskii, Dimitrios Stavrakakis, Kailun Qin, Cedric Xing, Pramod Bhatotia, and Mona Vij. 2024. Gramine-TDX: A Lightweight OS Kernel for Confidential VMs. In Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 4598\u20134612."},{"key":"e_1_3_2_1_61_1","volume-title":"2014 IEEE Symposium on Security and Privacy. IEEE, 276\u2013291","author":"Larsen Per","year":"2014","unstructured":"Per Larsen, Andrei Homescu, Stefan Brunthaler, and Michael Franz. 2014. SoK: Automated software diversity. In 2014 IEEE Symposium on Security and Privacy. IEEE, 276\u2013291."},{"key":"e_1_3_2_1_62_1","volume-title":"Deep learning. nature 521, 7553","author":"LeCun Yann","year":"2015","unstructured":"Yann LeCun, Yoshua Bengio, and Geoffrey Hinton. 2015. Deep learning. nature 521, 7553 (2015), 436\u2013444."},{"key":"e_1_3_2_1_63_1","volume-title":"Privacy-Preserving Machine Learning in Untrusted Clouds Made Simple. arXiv preprint arXiv:2009.04390","author":"Lee Dayeol","year":"2020","unstructured":"Dayeol Lee, Dmitrii Kuvaiskii, Anjo Vahldiek-Oberwagner, and Mona Vij. 2020. Privacy-Preserving Machine Learning in Untrusted Clouds Made Simple. arXiv preprint arXiv:2009.04390 (2020)."},{"key":"e_1_3_2_1_64_1","volume-title":"26th USENIX Security Symposium (USENIX Security 17)","author":"Lee Jaehyuk","year":"2017","unstructured":"Jaehyuk Lee, Jinsoo Jang, Yeongjin Jang, Nohyun Kwak, Yeseul Choi, Changho Choi, Taesoo Kim, Marcus Peinado, and Brent ByungHoon Kang. 2017. Hacking in darkness: Return-oriented programming against secure enclaves. In 26th USENIX Security Symposium (USENIX Security 17). 523\u2013539."},{"key":"e_1_3_2_1_65_1","volume-title":"The 25th Annual International Conference on Mobile Computing and Networking. 1\u201317","author":"Lee Taegyeong","year":"2019","unstructured":"Taegyeong Lee, Zhiqi Lin, Saumay Pushp, Caihua Li, Yunxin Liu, Youngki Lee, Fengyuan Xu, Chenren Xu, Lintao Zhang, and Junehwa Song. 2019. Occlumency: Privacy-preserving remote deep-learning inference using SGX. In The 25th Annual International Conference on Mobile Computing and Networking. 1\u201317."},{"key":"e_1_3_2_1_66_1","volume-title":"Proceedings of the 39th Annual Computer Security Applications Conference. 621\u2013635","author":"Li Fabing","year":"2023","unstructured":"Fabing Li, Xiang Li, and Mingyu Gao. 2023. Secure MLaaS with Temper: Trusted and Efficient Model Partitioning and Enclave Reuse. In Proceedings of the 39th Annual Computer Security Applications Conference. 621\u2013635."},{"key":"e_1_3_2_1_67_1","volume-title":"Proceedings of the International Conference for High Performance Computing, Networking, Storage and Analysis. 1\u201312","author":"Li Guanpeng","year":"2017","unstructured":"Guanpeng Li, Siva Kumar Sastry Hari, Michael Sullivan, Timothy Tsai, Karthik Pattabiraman, Joel Emer, and Stephen W Keckler. 2017. Understanding error propagation in deep learning neural network (DNN) accelerators and applications. In Proceedings of the International Conference for High Performance Computing, Networking, Storage and Analysis. 1\u201312."},{"key":"e_1_3_2_1_68_1","volume-title":"Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 790\u2013795","author":"Li Jingtao","year":"2021","unstructured":"Jingtao Li, Adnan Siraj Rakin, Zhezhi He, Deliang Fan, and Chaitali Chakrabarti. 2021. Radar: Run-time adversarial weight attack detection and accuracy recovery. In 2021 Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 790\u2013795."},{"key":"e_1_3_2_1_69_1","volume-title":"2020 57th ACM\/IEEE Design Automation Conference (DAC). IEEE, 1\u20136.","author":"Li Jingtao","year":"2020","unstructured":"Jingtao Li, Adnan Siraj Rakin, Yan Xiong, Liangliang Chang, Zhezhi He, Deliang Fan, and Chaitali Chakrabarti. 2020. Defending bit-flip attack through dnn weight reconstruction. In 2020 57th ACM\/IEEE Design Automation Conference (DAC). IEEE, 1\u20136."},{"key":"e_1_3_2_1_70_1","volume-title":"Proceedings of the 33th USENIX Security Symposium.","author":"Li Shaofeng","year":"2024","unstructured":"Shaofeng Li, Xinyu Wang, Minhui Xue, Haojin Zhu, Zhi Zhang, Yansong Gao, Wen Wu, and Xuemin Sherman Shen. 2024. Yes, One-Bit-Flip Matters! Universal DNN Model Inference Depletion with Runtime Code Fault Injection. In Proceedings of the 33th USENIX Security Symposium."},{"key":"e_1_3_2_1_71_1","volume-title":"16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22)","author":"Li Xupeng","year":"2022","unstructured":"Xupeng Li, Xuheng Li, Christoffer Dall, Ronghui Gu, Jason Nieh, Yousuf Sait, and Gareth Stockwell. 2022. Design and verification of the arm confidential compute architecture. In 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22). 465\u2013484."},{"key":"e_1_3_2_1_72_1","volume-title":"Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 101\u2013112","author":"Li Yu","year":"2020","unstructured":"Yu Li, Min Li, Bo Luo, Ye Tian, and Qiang Xu. 2020. Deepdyve: Dynamic verification for deep neural networks. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 101\u2013112."},{"key":"e_1_3_2_1_73_1","volume-title":"Proceedings of the 35th Annual Computer Security Applications Conference. 138\u2013147","author":"Li Yu","year":"2019","unstructured":"Yu Li, Yannan Liu, Min Li, Ye Tian, Bo Luo, and Qiang Xu. 2019. D2nn: a fine-grained dual modular redundancy framework for deep neural networks. In Proceedings of the 35th Annual Computer Security Applications Conference. 138\u2013147."},{"key":"e_1_3_2_1_74_1","volume-title":"Proceedings of the ACM Symposium on Cloud Computing. 533\u2013545","author":"Li Yuepeng","year":"2021","unstructured":"Yuepeng Li, Deze Zeng, Lin Gu, Quan Chen, Song Guo, Albert Zomaya, and Minyi Guo. 2021. Lasagna: Accelerating secure deep learning inference in sgx-enabled edge cloud. In Proceedings of the ACM Symposium on Cloud Computing. 533\u2013545."},{"key":"e_1_3_2_1_75_1","volume-title":"IEEE\/ACM International Conference on Computer-Aided Design (ICCAD)","author":"Liu Qi","year":"2020","unstructured":"Qi Liu, Wujie Wen, and Yanzhi Wang. 2020. Concurrent weight encoding-based detection for bit-flip attack on neural network accelerators. In IEEE\/ACM International Conference on Computer-Aided Design (ICCAD), 2020."},{"key":"e_1_3_2_1_76_1","volume-title":"2017 IEEE\/ACM International Conference on Computer-Aided Design (ICCAD). IEEE, 131\u2013138","author":"Liu Yannan","year":"2017","unstructured":"Yannan Liu, Lingxiao Wei, Bo Luo, and Qiang Xu. 2017. Fault injection attack on deep neural network. In 2017 IEEE\/ACM International Conference on Computer-Aided Design (ICCAD). IEEE, 131\u2013138."},{"key":"e_1_3_2_1_77_1","first-page":"160","article-title":"Stopping memory disclosures via diversification and replicated execution","volume":"18","author":"Lu Kangjie","year":"2018","unstructured":"Kangjie Lu, Meng Xu, Chengyu Song, Taesoo Kim, and Wenke Lee. 2018. Stopping memory disclosures via diversification and replicated execution. IEEE Transactions on Dependable and Secure Computing 18, 1 (2018), 160\u2013173.","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"e_1_3_2_1_78_1","volume-title":"S3ML: A secure serving system for machine learning inference. arXiv preprint arXiv:2010.06212","author":"Ma Junming","year":"2020","unstructured":"Junming Ma, Chaofan Yu, Aihui Zhou, Bingzhe Wu, Xibin Wu, Xingyu Chen, Xiangqun Chen, Lei Wang, and Donggang Cao. 2020. S3ML: A secure serving system for machine learning inference. arXiv preprint arXiv:2010.06212 (2020)."},{"key":"e_1_3_2_1_79_1","volume-title":"26th USENIX Security Symposium (USENIX Security 17)","author":"Matetic Sinisa","year":"2017","unstructured":"Sinisa Matetic, Mansoor Ahmed, Kari Kostiainen, Aritra Dhar, David Sommer, Arthur Gervais, Ari Juels, and Srdjan Capkun. 2017. {ROTE}: Rollback protection for trusted execution. In 26th USENIX Security Symposium (USENIX Security 17). 1289\u20131306."},{"key":"e_1_3_2_1_80_1","volume-title":"21st USENIX Security Symposium (USENIX Security 12)","author":"Maurer Matthew","year":"2012","unstructured":"Matthew Maurer and David Brumley. 2012. TACHYON: Tandem execution for efficient live patch testing. In 21st USENIX Security Symposium (USENIX Security 12). 617\u2013630."},{"key":"e_1_3_2_1_81_1","volume-title":"Proceedings of the Hardware and Architectural Support for Security and Privacy","author":"McKeen Frank","year":"2016","unstructured":"Frank McKeen, Ilya Alexandrovich, Ittai Anati, Dror Caspi, Simon Johnson, Rebekah Leslie-Hurd, and Carlos Rozas. 2016. Intel\u00ae software guard extensions (intel\u00ae sgx) support for dynamic memory management inside an enclave. In Proceedings of the Hardware and Architectural Support for Security and Privacy 2016. 1\u20139."},{"key":"e_1_3_2_1_82_1","volume-title":"Innovative instructions and software model for isolated execution. Hasp@ isca 10, 1","author":"McKeen Frank","year":"2013","unstructured":"Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V Rozas, Hisham Shafi, Vedvyas Shanbhogue, and Uday R Savagaonkar. 2013. Innovative instructions and software model for isolated execution. Hasp@ isca 10, 1 (2013)."},{"key":"e_1_3_2_1_83_1","volume-title":"IFIP International Conference on Distributed Applications and Interoperable Systems. Springer, 95\u2013113","author":"M\u00e9n\u00e9trey J\u00e4mes","year":"2022","unstructured":"J\u00e4mes M\u00e9n\u00e9trey, Christian G\u00f6ttel, Anum Khurshid, Marcelo Pasin, Pascal Felber, Valerio Schiavoni, and Shahid Raza. 2022. Attestation mechanisms for trusted execution environments demystified. In IFIP International Conference on Distributed Applications and Interoperable Systems. Springer, 95\u2013113."},{"key":"e_1_3_2_1_84_1","volume-title":"Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services. 161\u2013174","author":"Mo Fan","year":"2020","unstructured":"Fan Mo, Ali Shahin Shamsabadi, Kleomenis Katevas, Soteris Demetriou, Ilias Leontiadis, Andrea Cavallaro, and Hamed Haddadi. 2020. Darknetz: towards model privacy at the edge using trusted execution environments. In Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services. 161\u2013174."},{"key":"e_1_3_2_1_85_1","volume-title":"2023 IEEE 16th International Conference on Cloud Computing (CLOUD). IEEE, 547\u2013553","author":"Morbitzer Mathias","year":"2023","unstructured":"Mathias Morbitzer, Benedikt Kopf, and Philipp Zieris. 2023. GuaranTEE: Introducing control-flow attestation for trusted execution environments. In 2023 IEEE 16th International Conference on Cloud Computing (CLOUD). IEEE, 547\u2013553."},{"key":"e_1_3_2_1_86_1","volume-title":"2020 IEEE Symposium on Security and Privacy (SP). IEEE, 1466\u20131482","author":"Murdock Kit","year":"2020","unstructured":"Kit Murdock, David Oswald, Flavio D Garcia, Jo Van Bulck, Daniel Gruss, and Frank Piessens. 2020. Plundervolt: Software-based fault injection attacks against Intel SGX. In 2020 IEEE Symposium on Security and Privacy (SP). IEEE, 1466\u20131482."},{"key":"e_1_3_2_1_87_1","volume-title":"Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation. 883\u2013898","author":"Niu Wei","year":"2021","unstructured":"Wei Niu, Jiexiong Guan, Yanzhi Wang, Gagan Agrawal, and Bin Ren. 2021. Dnnfusion: accelerating deep neural networks execution with advanced operator fusion. In Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation. 883\u2013898."},{"key":"e_1_3_2_1_88_1","volume-title":"International Conference on Machine Learning. PMLR, 4901\u20134911","author":"Odena Augustus","year":"2019","unstructured":"Augustus Odena, Catherine Olsson, David Andersen, and Ian Goodfellow. 2019. Tensorfuzz: Debugging neural networks with coverage-guided fuzzing. In International Conference on Machine Learning. PMLR, 4901\u20134911."},{"key":"e_1_3_2_1_89_1","volume-title":"2018 Usenix Annual Technical Conference (USENIX ATC 18)","author":"Oleksenko Oleksii","year":"2018","unstructured":"Oleksii Oleksenko, Bohdan Trach, Robert Krahn, Mark Silberstein, and Christof Fetzer. 2018. Varys: Protecting { SGX} Enclaves from Practical {Side-Channel} Attacks. In 2018 Usenix Annual Technical Conference (USENIX ATC 18). 227\u2013240."},{"key":"e_1_3_2_1_90_1","volume-title":"Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems. 559\u2013572","author":"\u00d6sterlund Sebastian","year":"2019","unstructured":"Sebastian \u00d6sterlund, Koen Koning, Pierre Olivier, Antonio Barbalace, Herbert Bos, and Cristiano Giuffrida. 2019. kMVX: Detecting kernel information leaks with multi-variant execution. In Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems. 559\u2013572."},{"key":"e_1_3_2_1_91_1","volume-title":"Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems. 573\u2013585","author":"Pina Lu\u00eds","year":"2019","unstructured":"Lu\u00eds Pina, Anastasios Andronidis, Michael Hicks, and Cristian Cadar. 2019. Mvedsua: Higher availability dynamic software updates via multi-version execution. In Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems. 573\u2013585."},{"key":"e_1_3_2_1_92_1","volume-title":"2024 IEEE 17th International Conference on Cloud Computing (CLOUD). IEEE, 205\u2013216","author":"Qin Kailun","year":"2024","unstructured":"Kailun Qin and Dawu Gu. 2024. One System Call Hook to Rule All TEE OSes in the Cloud. In 2024 IEEE 17th International Conference on Cloud Computing (CLOUD). IEEE, 205\u2013216."},{"key":"e_1_3_2_1_93_1","volume-title":"Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 195\u2013209","author":"Qiu Pengfei","year":"2019","unstructured":"Pengfei Qiu, Dongsheng Wang, Yongqiang Lyu, and Gang Qu. 2019. Voltjockey: Breaching trustzone by software-controlled voltage manipulation over multi-core frequencies. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 195\u2013209."},{"key":"e_1_3_2_1_94_1","volume-title":"Proceedings of the 21st International Middleware Conference. 44\u201359","author":"Quoc Do Le","year":"2020","unstructured":"Do Le Quoc, Franz Gregor, Sergei Arnautov, Roland Kunkel, Pramod Bhatotia, and Christof Fetzer. 2020. Securetf: A secure tensorflow framework. In Proceedings of the 21st International Middleware Conference. 44\u201359."},{"key":"e_1_3_2_1_95_1","volume-title":"Proceedings of the 2018 on Asia conference on computer and communications security. 707\u2013721","author":"Riazi M Sadegh","year":"2018","unstructured":"M Sadegh Riazi, Christian Weinert, Oleksandr Tkachenko, Ebrahim M Songhori, Thomas Schneider, and Farinaz Koushanfar. 2018. Chameleon: A hybrid secure computation framework for machine learning applications. In Proceedings of the 2018 on Asia conference on computer and communications security. 707\u2013721."},{"key":"e_1_3_2_1_96_1","volume-title":"2024 Annual Computer Security Applications Conference (ACSAC). IEEE, 520\u2013533","author":"R\u00f6sti Andr\u00e9","year":"2024","unstructured":"Andr\u00e9 R\u00f6sti, Stijn Volckaert, Michael Franz, and Alexios Voulimeneas. 2024. I'll Be There for You! Perpetual Availability in the A 8 MVX System. In 2024 Annual Computer Security Applications Conference (ACSAC). IEEE, 520\u2013533."},{"key":"e_1_3_2_1_97_1","volume-title":"Proceedings of the 4th ACM European conference on Computer systems. 33\u201346","author":"Salamat Babak","year":"2009","unstructured":"Babak Salamat, Todd Jackson, Andreas Gal, and Michael Franz. 2009. Orchestra: intrusion detection using parallel execution and monitoring of program variants in user-space. In Proceedings of the 4th ACM European conference on Computer systems. 33\u201346."},{"key":"e_1_3_2_1_98_1","doi-asserted-by":"crossref","first-page":"588","DOI":"10.1109\/TDSC.2011.18","article-title":"Runtime defense against code injection attacks using replicated execution","volume":"8","author":"Salamat Babak","year":"2011","unstructured":"Babak Salamat, Todd Jackson, Gregor Wagner, Christian Wimmer, and Michael Franz. 2011. Runtime defense against code injection attacks using replicated execution. IEEE Transactions on Dependable and Secure Computing 8, 4 (2011), 588\u2013601.","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"e_1_3_2_1_99_1","volume-title":"Ming-Wei Shih, Insik Shin, Dongsu Han, and Taesoo Kim.","author":"Seo Jaebaek","year":"2017","unstructured":"Jaebaek Seo, Byoungyoung Lee, Seong Min Kim, Ming-Wei Shih, Insik Shin, Dongsu Han, and Taesoo Kim. 2017. SGX-shield: Enabling address space layout randomization for SGX programs.. In NDSS."},{"key":"e_1_3_2_1_100_1","first-page":"1450","article-title":"Strengthening VM isolation with integrity protection and more","volume":"53","author":"Sev-Snp AMD","year":"2020","unstructured":"AMD Sev-Snp. 2020. Strengthening VM isolation with integrity protection and more. White Paper, January 53 (2020), 1450\u20131465.","journal-title":"White Paper"},{"key":"e_1_3_2_1_101_1","volume-title":"Proceedings of the 29th ACM Joint meeting on european software engineering conference and symposium on the foundations of software engineering. 968\u2013980","author":"Shen Qingchao","year":"2021","unstructured":"Qingchao Shen, Haoyang Ma, Junjie Chen, Yongqiang Tian, Shing-Chi Cheung, and Xiang Chen. 2021. A comprehensive study of deep learning compiler bugs. In Proceedings of the 29th ACM Joint meeting on european software engineering conference and symposium on the foundations of software engineering. 968\u2013980."},{"key":"e_1_3_2_1_102_1","volume-title":"2022 USENIX Annual Technical Conference (USENIX ATC 22)","author":"Shen Tianxiang","year":"2022","unstructured":"Tianxiang Shen, Ji Qi, Jianyu Jiang, Xian Wang, Siyuan Wen, Xusheng Chen, Shixiong Zhao, Sen Wang, Li Chen, Xiapu Luo, et al. 2022. {SOTER}: Guarding Black-box Inference for General Neural Networks at the Edge. In 2022 USENIX Annual Technical Conference (USENIX ATC 22). 723\u2013738."},{"key":"e_1_3_2_1_103_1","volume-title":"Proceedings of the 4th Workshop on Machine Learning and Systems. 1\u20139.","author":"Siby Sandra","year":"2024","unstructured":"Sandra Siby, Sina Abdollahi, Mohammad Maheri, Marios Kogias, and Hamed Haddadi. 2024. GuaranTEE: Towards Attestable and Private ML with CCA. In Proceedings of the 4th Workshop on Machine Learning and Systems. 1\u20139."},{"key":"e_1_3_2_1_104_1","volume-title":"2019 USENIX Conference on Operational Machine Learning (OpML 19)","author":"Soifer Jonathan","year":"2019","unstructured":"Jonathan Soifer, Jason Li, Mingqin Li, Jeffrey Zhu, Yingnan Li, Yuxiong He, Elton Zheng, Adi Oltean, Maya Mosyak, Chris Barnes, et al. 2019. Deep learning inference service at microsoft. In 2019 USENIX Conference on Operational Machine Learning (OpML 19). 15\u201317."},{"key":"e_1_3_2_1_105_1","volume-title":"SIGY: Breaking Intel SGX Enclaves with Malicious Exceptions & Signals. arXiv preprint arXiv:2404.13998","author":"Sridhara Supraja","year":"2024","unstructured":"Supraja Sridhara, Andrin Bertschi, Benedict Schl\u00fcter, and Shweta Shinde. 2024. SIGY: Breaking Intel SGX Enclaves with Malicious Exceptions & Signals. arXiv preprint arXiv:2404.13998 (2024)."},{"key":"e_1_3_2_1_106_1","volume-title":"Proceedings of the Workshop on Advances in Trusted Computing (WATC). 65","author":"Stumpf Frederic","year":"2006","unstructured":"Frederic Stumpf, Omid Tafreschi, Patrick R\u00f6der, Claudia Eckert, et al. 2006. A robust integrity reporting protocol for remote attestation. In Proceedings of the Workshop on Advances in Trusted Computing (WATC). 65."},{"key":"e_1_3_2_1_107_1","volume-title":"2023 IEEE Symposium on Security and Privacy (SP). IEEE, 1596\u20131612","author":"Sun Zhichuang","year":"2023","unstructured":"Zhichuang Sun, Ruimin Sun, Changming Liu, Amrita Roy Chowdhury, Long Lu, and Somesh Jha. 2023. Shadownet: A secure and efficient on-device model inference system for convolutional neural networks. In 2023 IEEE Symposium on Security and Privacy (SP). IEEE, 1596\u20131612."},{"key":"e_1_3_2_1_108_1","volume-title":"26th USENIX Security Symposium (USENIX Security 17)","author":"Tang Adrian","year":"2017","unstructured":"Adrian Tang, Simha Sethumadhavan, and Salvatore Stolfo. 2017. {CLKSCREW}: Exposing the perils of {Security-Oblivious} energy management. In 26th USENIX Security Symposium (USENIX Security 17). 1057\u20131074."},{"key":"e_1_3_2_1_109_1","volume-title":"Proceedings of the 38th Annual Computer Security Applications Conference. 102\u2013116","author":"Toffalini Flavio","year":"2022","unstructured":"Flavio Toffalini, Mathias Payer, Jianying Zhou, and Lorenzo Cavallaro. 2022. Designing a provenance analysis for SGX enclaves. In Proceedings of the 38th Annual Computer Security Applications Conference. 102\u2013116."},{"key":"e_1_3_2_1_110_1","volume-title":"2023 USENIX Annual Technical Conference (USENIX ATC 23)","author":"T\u00f6llner Dominik","year":"2023","unstructured":"Dominik T\u00f6llner, Christian Dietrich, Illia Ostapyshyn, Florian Rommel, and Daniel Lohmann. 2023. {MELF}: Multivariant Executables for a Heterogeneous World. In 2023 USENIX Annual Technical Conference (USENIX ATC 23). 257\u2013273."},{"key":"e_1_3_2_1_111_1","doi-asserted-by":"crossref","unstructured":"Lisa Torrey and Jude Shavlik. 2010. Transfer learning. In Handbook of research on machine learning applications and trends: algorithms methods and techniques. IGI global 242\u2013264.","DOI":"10.4018\/978-1-60566-766-9.ch011"},{"key":"e_1_3_2_1_112_1","volume-title":"2017 USENIX Annual Technical Conference (USENIX ATC 17)","author":"Tsai Chia-Che","year":"2017","unstructured":"Chia-Che Tsai, Donald E Porter, and Mona Vij. 2017. {Graphene-SGX}: A Practical Library {OS } for Unmodified Applications on {SGX}. In 2017 USENIX Annual Technical Conference (USENIX ATC 17). 645\u2013658."},{"key":"e_1_3_2_1_113_1","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Bulck Jo Van","year":"2018","unstructured":"Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F Wenisch, Yuval Yarom, and Raoul Strackx. 2018. Foreshadow: Extracting the keys to the intel {SGX} kingdom with transient {Out-of-Order} execution. In 27th USENIX Security Symposium (USENIX Security 18). 991\u20131008."},{"key":"e_1_3_2_1_114_1","volume-title":"Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 1741\u20131758","author":"Bulck Jo Van","year":"2019","unstructured":"Jo Van Bulck, David Oswald, Eduard Marin, Abdulla Aldoseri, Flavio D Garcia, and Frank Piessens. 2019. A tale of two worlds: Assessing the vulnerability of enclave shielding runtimes. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 1741\u20131758."},{"key":"e_1_3_2_1_115_1","volume-title":"2024 IEEE Symposium on Security and Privacy (SP). IEEE, 4143\u20134162","author":"Schaik Stephan Van","year":"2024","unstructured":"Stephan Van Schaik, Alex Seto, Thomas Yurek, Adam Batori, Bader AlBassam, Daniel Genkin, Andrew Miller, Eyal Ronen, Yuval Yarom, and Christina Garman. 2024. Sok: Sgx. fail: How stuff gets exposed. In 2024 IEEE Symposium on Security and Privacy (SP). IEEE, 4143\u20134162."},{"key":"e_1_3_2_1_116_1","volume-title":"Tensor comprehensions: Framework-agnostic high-performance machine learning abstractions. arXiv preprint arXiv:1802.04730","author":"Vasilache Nicolas","year":"2018","unstructured":"Nicolas Vasilache, Oleksandr Zinenko, Theodoros Theodoridis, Priya Goyal, Zachary DeVito, William S Moses, Sven Verdoolaege, Andrew Adams, and Albert Cohen. 2018. Tensor comprehensions: Framework-agnostic high-performance machine learning abstractions. arXiv preprint arXiv:1802.04730 (2018)."},{"key":"e_1_3_2_1_117_1","volume-title":"Proceedings of the Seventeenth European Conference on Computer Systems. 99\u2013116","author":"Vinck Jonas","year":"2022","unstructured":"Jonas Vinck, Bert Abrath, Bart Coppens, Alexios Voulimeneas, Bjorn De Sutter, and Stijn Volckaert. 2022. Sharing is caring: Secure and efficient shared memory support for mvees. In Proceedings of the Seventeenth European Conference on Computer Systems. 99\u2013116."},{"key":"e_1_3_2_1_118_1","volume-title":"Proceedings of the Twelfth European Conference on Computer Systems. 270\u2013285","author":"Volckaert Stijn","year":"2017","unstructured":"Stijn Volckaert, Bart Coppens, Bjorn De Sutter, Koen De Bosschere, Per Larsen, and Michael Franz. 2017. Taming parallelism in a multi-variant execution environment. In Proceedings of the Twelfth European Conference on Computer Systems. 270\u2013285."},{"key":"e_1_3_2_1_119_1","volume-title":"2016 USENIX Annual Technical Conference (USENIX ATC 16)","author":"Volckaert Stijn","year":"2016","unstructured":"Stijn Volckaert, Bart Coppens, Alexios Voulimeneas, Andrei Homescu, Per Larsen, Bjorn De Sutter, and Michael Franz. 2016. Secure and efficient application monitoring and replication. In 2016 USENIX Annual Technical Conference (USENIX ATC 16). 167\u2013179."},{"key":"e_1_3_2_1_120_1","volume-title":"Foundations and Practice of Security: 5th International Symposium, FPS 2012","author":"Volckaert Stijn","year":"2013","unstructured":"Stijn Volckaert, Bjorn De Sutter, Tim De Baets, and Koen De Bosschere. 2013. GHUMVEE: efficient, effective, and flexible replication. In Foundations and Practice of Security: 5th International Symposium, FPS 2012, Montreal, QC, Canada, October 25\u201326, 2012, Revised Selected Papers 5. Springer, 261\u2013277."},{"key":"e_1_3_2_1_121_1","volume-title":"Proceedings of the 14th European Workshop on Systems Security. 41\u201347","author":"Voulimeneas Alexios","year":"2021","unstructured":"Alexios Voulimeneas, Dokyung Song, Per Larsen, Michael Franz, and Stijn Volckaert. 2021. dmvx: Secure and efficient multi-variant execution in a distributed setting. In Proceedings of the 14th European Workshop on Systems Security. 41\u201347."},{"key":"e_1_3_2_1_122_1","volume-title":"DMON: A distributed heterogeneous n-variant system. arXiv preprint arXiv:1903.03643","author":"Voulimeneas Alexios","year":"2019","unstructured":"Alexios Voulimeneas, Dokyung Song, Fabian Parzefall, Yeoul Na, Per Larsen, Michael Franz, and Stijn Volckaert. 2019. DMON: A distributed heterogeneous n-variant system. arXiv preprint arXiv:1903.03643 (2019)."},{"key":"e_1_3_2_1_123_1","volume-title":"DIMVA 2020, Lisbon, Portugal, June 24\u201326, 2020, Proceedings 17","author":"Voulimeneas Alexios","year":"2020","unstructured":"Alexios Voulimeneas, Dokyung Song, Fabian Parzefall, Yeoul Na, Per Larsen, Michael Franz, and Stijn Volckaert. 2020. Distributed heterogeneous n-variant execution. In Detection of Intrusions and Malware, and Vulnerability Assessment: 17th International Conference, DIMVA 2020, Lisbon, Portugal, June 24\u201326, 2020, Proceedings 17. Springer, 217\u2013237."},{"key":"e_1_3_2_1_124_1","doi-asserted-by":"crossref","unstructured":"Endong Wang Qing Zhang Bo Shen Guangyong Zhang Xiaowei Lu Qing Wu Yajuan Wang Endong Wang Qing Zhang Bo Shen et al. 2014. Intel math kernel library. High-Performance Computing on the Intel\u00ae Xeon Phi\u2122: How to Fully Exploit MIC Architectures (2014) 167\u2013188.","DOI":"10.1007\/978-3-319-06486-4_7"},{"key":"e_1_3_2_1_125_1","volume-title":"Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2333\u20132350","author":"Wang Huibo","year":"2019","unstructured":"Huibo Wang, Pei Wang, Yu Ding, Mingshen Sun, Yiming Jing, Ran Duan, Long Li, Yulong Zhang, Tao Wei, and Zhiqiang Lin. 2019. Towards memory safe enclave programming with rust-sgx. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2333\u20132350."},{"key":"e_1_3_2_1_126_1","volume-title":"Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2421\u20132434","author":"Wang Wenhao","year":"2017","unstructured":"Wenhao Wang, Guoxing Chen, Xiaorui Pan, Yinqian Zhang, XiaoFeng Wang, Vincent Bindschaedler, Haixu Tang, and Carl A Gunter. 2017. Leaky cauldron on the dark land: Understanding memory side-channel hazards in SGX. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2421\u20132434."},{"key":"e_1_3_2_1_127_1","volume-title":"23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID","author":"Wang Xiaoguang","year":"2020","unstructured":"Xiaoguang Wang, SengMing Yeoh, Robert Lyerly, Pierre Olivier, Sang-Hoon Kim, and Binoy Ravindran. 2020. A framework for software diversification with {ISA} heterogeneity. In 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020). 427\u2013442."},{"key":"e_1_3_2_1_128_1","volume-title":"Proceedings of the 13th European workshop on Systems Security. 7\u201312","author":"Wang Xiaoguang","year":"2020","unstructured":"Xiaoguang Wang, SengMing Yeoh, Pierre Olivier, and Binoy Ravindran. 2020. Secure and efficient in-process monitor (and library) protection with Intel MPK. In Proceedings of the 13th European workshop on Systems Security. 7\u201312."},{"key":"e_1_3_2_1_129_1","volume-title":"Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. 2710\u20132724","author":"Wang Yuanpeng","year":"2023","unstructured":"Yuanpeng Wang, Ziqi Zhang, Ningyu He, Zhineng Zhong, Shengjian Guo, Qinkun Bao, Ding Li, Yao Guo, and Xiangqun Chen. 2023. Symgx: Detecting cross-boundary pointer vulnerabilities of sgx applications via static symbolic execution. In Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. 2710\u20132724."},{"key":"e_1_3_2_1_130_1","volume-title":"Proceedings of the 28th Annual Computer Security Applications Conference. 299\u2013308","author":"Wartell Richard","year":"2012","unstructured":"Richard Wartell, Vishwath Mohan, Kevin W Hamlen, and Zhiqiang Lin. 2012. Securing untrusted code via compiler-agnostic binary rewriting. In Proceedings of the 28th Annual Computer Security Applications Conference. 299\u2013308."},{"key":"e_1_3_2_1_131_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Watson Jean-Luc","year":"2022","unstructured":"Jean-Luc Watson, Sameer Wagh, and Raluca Ada Popa. 2022. Piranha: A { GPU} platform for secure computation. In 31st USENIX Security Symposium (USENIX Security 22). 827\u2013844."},{"key":"e_1_3_2_1_132_1","volume-title":"2021 IEEE Real-Time Systems Symposium (RTSS). IEEE, 68\u201381","author":"Xiang Yecheng","year":"2021","unstructured":"Yecheng Xiang, Yidi Wang, Hyunjong Choi, Mohsen Karimi, and Hyoseung Kim. 2021. Aegisdnn: Dependable and timely execution of dnn tasks with sgx. In 2021 IEEE Real-Time Systems Symposium (RTSS). IEEE, 68\u201381."},{"key":"e_1_3_2_1_133_1","volume-title":"2017 USENIX Annual Technical Conference (USENIX ATC 17)","author":"Xu Meng","year":"2017","unstructured":"Meng Xu, Kangjie Lu, Taesoo Kim, and Wenke Lee. 2017. Bunshin: compositing security mechanisms through diversification. In 2017 USENIX Annual Technical Conference (USENIX ATC 17). 271\u2013283."},{"key":"e_1_3_2_1_134_1","volume-title":"Endokernel: A Thread Safe Monitor for Lightweight Subprocess Isolation. In 33rd USENIX Security Symposium (USENIX Security 24)","author":"Yang Fangfei","year":"2024","unstructured":"Fangfei Yang, Bumjin Im, Weijie Huang, Kelly Kaoudis, Anjo Vahldiek-Oberwagner, Chia-Che Tsai, and Nathan Dautenhahn. 2024. Endokernel: A Thread Safe Monitor for Lightweight Subprocess Isolation. In 33rd USENIX Security Symposium (USENIX Security 24). 145\u2013162."},{"key":"e_1_3_2_1_135_1","volume-title":"2023 USENIX Annual Technical Conference (USENIX ATC 23)","author":"Yasukata Kenichi","year":"2023","unstructured":"Kenichi Yasukata, Hajime Tazaki, Pierre-Louis Aublin, and Kenta Ishiguro. 2023. zpoline: a system call hook mechanism based on binary rewriting. In 2023 USENIX Annual Technical Conference (USENIX ATC 23). 293\u2013300."},{"key":"e_1_3_2_1_136_1","volume-title":"Proceedings of the 25th International Middleware Conference.","author":"Yeoh SengMing","year":"2024","unstructured":"SengMing Yeoh, Xiaoguang Wang, Jae-Won Jang, and Binoy Ravindran. 2024. sMVX: Multi-Variant Execution on Selected Code Paths. In Proceedings of the 25th International Middleware Conference."},{"key":"e_1_3_2_1_137_1","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"Zhang Ruiyi","year":"2024","unstructured":"Ruiyi Zhang, Lukas Gerlach, Daniel Weber, Lorenz Hetterich, Youheng L\u00fc, Andreas Kogler, and Michael Schwarz. 2024. {CacheWarp}: Software-based Fault Injection using Selective State Reset. In 33rd USENIX Security Symposium (USENIX Security 24). 1135\u20131151."},{"key":"e_1_3_2_1_138_1","volume-title":"Proceedings of the International Symposium on Low Power Electronics and Design. 1\u20136.","author":"Zhang Sheng","year":"2018","unstructured":"Sheng Zhang, Adrian Tang, Zhewei Jiang, Simha Sethumadhavan, and Mingoo Seok. 2018. Blacklist core: Machine-learning based dynamic operating-performance-point blacklisting for mitigating power-management security attacks. In Proceedings of the International Symposium on Low Power Electronics and Design. 1\u20136."},{"key":"e_1_3_2_1_139_1","volume-title":"Proceedings of the 27th ACM SIGSOFT international symposium on software testing and analysis. 129\u2013140","author":"Zhang Yuhao","year":"2018","unstructured":"Yuhao Zhang, Yifan Chen, Shing-Chi Cheung, Yingfei Xiong, and Lu Zhang. 2018. An empirical study on tensorflow program bugs. In Proceedings of the 27th ACM SIGSOFT international symposium on software testing and analysis. 129\u2013140."},{"key":"e_1_3_2_1_140_1","volume-title":"No Privacy Left Outside: On the (In-) Security of TEE-Shielded DNN Partition for On-Device ML. arXiv preprint arXiv:2310.07152","author":"Zhang Ziqi","year":"2023","unstructured":"Ziqi Zhang, Chen Gong, Yifeng Cai, Yuanyuan Yuan, Bingyan Liu, Ding Li, Yao Guo, and Xiangqun Chen. 2023. No Privacy Left Outside: On the (In-) Security of TEE-Shielded DNN Partition for On-Device ML. arXiv preprint arXiv:2310.07152 (2023)."},{"key":"e_1_3_2_1_141_1","volume-title":"Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems. 859\u2013873","author":"Zheng Size","year":"2020","unstructured":"Size Zheng, Yun Liang, Shuo Wang, Renze Chen, and Kaiwen Sheng. 2020. Flextensor: An automatic schedule exploration and optimization framework for tensor computation on heterogeneous system. In Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems. 859\u2013873."}],"event":{"name":"MIDDLEWARE '25: 26th International Middleware Conference","location":"Vanderbilt University Nashville TN USA","acronym":"MIDDLEWARE '25","sponsor":["IFIP","Usenix"]},"container-title":["Proceedings of the 26th International Middleware Conference"],"original-title":[],"deposited":{"date-parts":[[2025,12,8]],"date-time":"2025-12-08T20:00:27Z","timestamp":1765224027000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3721462.3730956"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,12,14]]},"references-count":141,"alternative-id":["10.1145\/3721462.3730956","10.1145\/3721462"],"URL":"https:\/\/doi.org\/10.1145\/3721462.3730956","relation":{},"subject":[],"published":{"date-parts":[[2025,12,14]]},"assertion":[{"value":"2025-12-14","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}