{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,29]],"date-time":"2026-01-29T16:21:12Z","timestamp":1769703672457,"version":"3.49.0"},"reference-count":31,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2026,1,27]],"date-time":"2026-01-27T00:00:00Z","timestamp":1769472000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100000780","name":"European Commission","doi-asserted-by":"crossref","award":["101120726"],"award-info":[{"award-number":["101120726"]}],"id":[{"id":"10.13039\/501100000780","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JCP"],"abstract":"<jats:p>Machine learning inference is increasingly deployed on shared and cloud infrastructures, where both user inputs and model parameters are highly sensitive. Confidential computing promises to protect these assets using Trusted Execution Environments (TEEs), yet existing TEE-based inference systems remain fundamentally constrained: they rely almost exclusively on low-level, memory-unsafe languages to enforce confinement, sacrificing developer productivity, portability, and access to modern ML ecosystems. At the same time, mainstream high-level runtimes, such as Python, are widely considered incompatible with enclave execution due to their large memory footprints and unsafe model-loading mechanisms that permit arbitrary code execution. To bridge this gap, we present the first Python-based ML inference system that executes entirely inside Intel SGX enclaves while safely supporting untrusted third-party models. Our design enforces standardized, declarative model representations (ONNX), eliminating deserialization-time code execution and confining model behavior through interpreter-mediated execution. The entire inference pipeline (including model loading, execution, and I\/O) remains enclave-resident, with cryptographic protection and integrity verification throughout. Our experimental results show that Python incurs modest overheads for small models (\u224817%) and outperforms a low-level baseline on larger workloads (97% vs. 265% overhead), demonstrating that enclave-resident high-level runtimes can achieve competitive performances. Overall, our findings indicate that Python-based TEE inference is practical and secure, enabling the deployment of untrusted models with strong confidentiality and integrity guarantees while maintaining developer productivity and ecosystem advantages.<\/jats:p>","DOI":"10.3390\/jcp6010023","type":"journal-article","created":{"date-parts":[[2026,1,27]],"date-time":"2026-01-27T15:41:56Z","timestamp":1769528516000},"page":"23","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Trusted Yet Flexible: High-Level Runtimes for Secure ML Inference in TEEs"],"prefix":"10.3390","volume":"6","author":[{"given":"Nikolaos-Achilleas","family":"Steiakakis","sequence":"first","affiliation":[{"name":"Department of Computer Science, University of Crete, Voutes Campus, 70013 Heraklion, Greece"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5470-4714","authenticated-orcid":false,"given":"Giorgos","family":"Vasiliadis","sequence":"additional","affiliation":[{"name":"Institute of Computer Science, FORTH (Foundation for Research & Technology\u2013Hellas), 70013 Heraklion, Greece"},{"name":"Department of Management Science and Technology, Hellenic Mediterranean University, 72100 Agios Nikolaos, Greece"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2026,1,27]]},"reference":[{"key":"ref_1","first-page":"63","article-title":"Machine learning stock market prediction studies: Review and research directions","volume":"28","author":"Strader","year":"2020","journal-title":"J. Int. Technol. Inf. Manag."},{"key":"ref_2","first-page":"289","article-title":"Machine Learning-Based Smart Appliances for Everyday Life","volume":"Volume 110","author":"Dhanalakshmi","year":"2023","journal-title":"Smart Analytics, Artificial Intelligence and Sustainable Performance Management in a Global Digitalised Economy"},{"key":"ref_3","first-page":"1","article-title":"When machine learning meets privacy: A survey and outlook","volume":"54","author":"Liu","year":"2021","journal-title":"ACM Comput. Surv. (CSUR)"},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Yeom, S., Giacomelli, I., Fredrikson, M., and Jha, S. (2018, January 9\u201312). Privacy risk in machine learning: Analyzing the connection to overfitting. Proceedings of the 2018 IEEE 31st Computer Security Foundations Symposium (CSF), Oxford, UK.","DOI":"10.1109\/CSF.2018.00027"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"57","DOI":"10.1109\/MC.2020.2984868","article-title":"The top 10 risks of machine learning security","volume":"53","author":"McGraw","year":"2020","journal-title":"Computer"},{"key":"ref_6","unstructured":"Tan, S., Taeihagh, A., and Baxter, K. (2022). The risks of machine learning systems. arXiv."},{"key":"ref_7","unstructured":"Services, A.W. (2025, August 02). Algorithms and Packages in the AWS Marketplace. Available online: https:\/\/docs.aws.amazon.com\/sagemaker\/latest\/dg\/sagemaker-marketplace.html."},{"key":"ref_8","unstructured":"Microsoft Ignite (2025, August 01). Use a Custom Container to Deploy a Model to an Online Endpoint. Available online: https:\/\/learn.microsoft.com\/en-us\/azure\/machine-learning\/how-to-deploy-custom-container."},{"key":"ref_9","unstructured":"Costan, V., and Devadas, S. (2025, December 30). Intel SGX Explained. IACR Cryptology ePrint Archive 2016, Paper 086, Available online: https:\/\/eprint.iacr.org\/2016\/086."},{"key":"ref_10","unstructured":"Schneider, M., Masti, R.J., Shinde, S., Capkun, S., and Perez, R. (2022). Sok: Hardware-supported trusted execution environments. arXiv."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3231594","article-title":"Ryoan: A distributed sandbox for untrusted computation on secret data","volume":"35","author":"Hunt","year":"2018","journal-title":"ACM Trans. Comput. Syst. (TOCS)"},{"key":"ref_12","unstructured":"Grover, K., Tople, S., Shinde, S., Bhagwan, R., and Ramjee, R. (2018). Privado: Practical and secure DNN inference with enclaves. arXiv."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Lee, T., Lin, Z., Pushp, S., Li, C., Liu, Y., Lee, Y., Xu, F., Xu, C., Zhang, L., and Song, J. (2019, January 21\u201325). Occlumency: Privacy-preserving remote deep-learning inference using SGX. Proceedings of the 25th Annual International Conference on Mobile Computing and Networking, Los Cabos, Mexico.","DOI":"10.1145\/3300061.3345447"},{"key":"ref_14","unstructured":"Shen, T., Qi, J., Jiang, J., Wang, X., Wen, S., Chen, X., Zhao, S., Wang, S., Chen, L., and Luo, X. (2022, January 11\u201313). SOTER: Guarding black-box inference for general neural networks at the edge. Proceedings of the 2022 USENIX Annual Technical Conference (USENIX ATC 22), Carlsbad, CA, USA."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Li, F., Li, X., and Gao, M. (2023, January 4\u20138). Secure MLaaS with Temper: Trusted and Efficient Model Partitioning and Enclave Reuse. Proceedings of the 39th Annual Computer Security Applications Conference, Austin, TX, USA.","DOI":"10.1145\/3627106.3627145"},{"key":"ref_16","unstructured":"Lee, J., Jang, J., Jang, Y., Kwak, N., Choi, Y., Choi, C., Kim, T., Peinado, M., and Kang, B.B. (2017, January 16\u201318). Hacking in darkness: Return-oriented programming against secure enclaves. Proceedings of the 26th USENIX Security Symposium (USENIX Security 17), Vancouver, BC, Canada."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Van Bulck, J., Oswald, D., Marin, E., Aldoseri, A., Garcia, F.D., and Piessens, F. (2019, January 11\u201315). A tale of two worlds: Assessing the vulnerability of enclave shielding runtimes. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, London, UK.","DOI":"10.1145\/3319535.3363206"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Shen, Y., Tian, H., Chen, Y., Chen, K., Wang, R., Xu, Y., Xia, Y., and Yan, S. (2020, January 16\u201320). Occlum: Secure and efficient multitasking inside a single enclave of intel sgx. Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems, Lausanne, Switzerland.","DOI":"10.1145\/3373376.3378469"},{"key":"ref_19","unstructured":"(2025, August 01). Hugging Face. Hugging Face Hub. Available online: https:\/\/huggingface.co\/models."},{"key":"ref_20","unstructured":"Amazon Web Services (2025, August 01). AWS Marketplace for Machine Learning. Available online: https:\/\/aws.amazon.com\/marketplace\/solutions\/machine-learning."},{"key":"ref_21","unstructured":"(2025, August 01). Google Cloud. Google Cloud AI Hub. Available online: https:\/\/cloud.google.com\/ai-hub."},{"key":"ref_22","unstructured":"Zhao, Y., He, R., Kersting, N., Liu, C., Agrawal, S., Chetia, C., and Gu, Y. (2023). ONNXExplainer: An ONNX Based Generic Framework to Explain Neural Networks Using Shapley Values. arXiv."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Kim, S.Y., Lee, J., Kim, C.H., Lee, W.J., and Kim, S.W. (2022, January 6\u20139). Extending the ONNX Runtime Framework for the Processing-in-Memory Execution. Proceedings of the 2022 International Conference on Electronics, Information, and Communication (ICEIC), Jeju, Republic of Korea.","DOI":"10.1109\/ICEIC54506.2022.9748444"},{"key":"ref_24","unstructured":"Oliphant, T.E. (2006). Guide to Numpy, Trelgol Publishing."},{"key":"ref_25","unstructured":"(2025, October 01). Mithril Security. BlindAI. Available online: https:\/\/github.com\/mithril-security\/blindai."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3214303","article-title":"A survey on homomorphic encryption schemes: Theory and implementation","volume":"51","author":"Acar","year":"2018","journal-title":"ACM Comput. Surv. (Csur)"},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"53881","DOI":"10.1109\/ACCESS.2024.3388992","article-title":"Secure Multi-Party Computation for Machine Learning: A Survey","volume":"12","author":"Zhou","year":"2024","journal-title":"IEEE Access"},{"key":"ref_28","first-page":"4961","article-title":"Crypten: Secure multi-party computation meets machine learning","volume":"34","author":"Knott","year":"2021","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Zheng, W., Wu, Y., Wu, X., Feng, C., Sui, Y., Luo, X., and Zhou, Y. (2021). A survey of Intel SGX and its applications. Front. Comput. Sci., 15.","DOI":"10.1007\/s11704-019-9096-y"},{"key":"ref_30","first-page":"3268","article-title":"Extending on-chain trust to off-chain\u2013trustworthy blockchain data collection using trusted execution environment (tee)","volume":"71","author":"Liu","year":"2022","journal-title":"IEEE Trans. Comput."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Natarajan, D., Loveless, A., Dai, W., and Dreslinski, R. (2023, January 3\u20137). CHEX-MIX: Combining Homomorphic Encryption with Trusted Execution Environments for Oblivious Inference in the Cloud. Proceedings of the 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P), Delft, The Netherlands.","DOI":"10.1109\/EuroSP57164.2023.00014"}],"container-title":["Journal of Cybersecurity and Privacy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2624-800X\/6\/1\/23\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,29]],"date-time":"2026-01-29T05:11:52Z","timestamp":1769663512000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2624-800X\/6\/1\/23"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,27]]},"references-count":31,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,2]]}},"alternative-id":["jcp6010023"],"URL":"https:\/\/doi.org\/10.3390\/jcp6010023","relation":{},"ISSN":["2624-800X"],"issn-type":[{"value":"2624-800X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,27]]}}}