Verifiable and Confidential DNN Inference on Low-End Edge Devices

AIPR assessment

This is a hard, competitive systems-security problem, not a niche toy setting. Low-end confidential and verifiable inference on TrustZone-M has a crowded prior-art space, so the combination of a new runtime abstraction, protocol support, and a hardware implementation matters. The strengths reinforce each other: the abstraction is conceptually new for this platform, the overhead is measured on real hardware, and the prototype is open-sourced. The weaknesses also reinforce each other: the security

Abstract

Deploying deep neural network (DNN) inference on low-end edge devices raises two key challenges: protecting model confidentiality against a potentially compromised edge system and enabling verifiable inference without incurring prohibitive overhead. Existing approaches either house partial models and inference software within trusted execution environments (TEEs), resulting in high cost and an application-dependent trusted computing base (TCB), or execute in untrusted environments, providing little security. In this work, we present VECODI, a framework for verifiable and confidential DNN inference on constrained edge devices. At its core, VECODI introduces SHANGRI-LA, a new execution abstraction on TrustZone-M TEEs that establishes a third runtime environment with privileges strictly between the Secure and Non-Secure Worlds. VECODI leverages SHANGRI-LA to execute untrusted inference code in the Non-Secure World while using minimal application-agnostic Secure-World support to protect model confidentiality and enable verifiability (with respect to proper execution of inference code and model parameters) of inference results. We realize VECODI on a real-world NUCLEO-L552ZE-Q development board and open-source its prototype. Our results show VECODI's small TCB, memory footprint, and runtime overhead, making it a practical option for secure inference in low-end edge devices.

Score Breakdown

More from this week

• RealDocBench: A Benchmark for Field-Level QA and Layout Understanding on Real-World Regulated Documents
• GitInject: Real-World Prompt Injection Attacks in AI-Powered CI/CD Pipelines
• vla.cpp: A Unified Inference Runtime for Vision-Language-Action Models
• ScaleDisturb: Exploiting Temporal Asymmetry to Amplify Read Disturbance in Modern DRAM Chips
• The CIFAR Synthetic Evidence Corpus for Detecting AI-Generated Evidence

More in Machine Learning

• STAR-KV: Low-Rank KV Cache Compression via Soft Thresholding for Adaptive Rank Control
• HASTE: Hardware-Aware Dynamic Sparse Training for Large Output Spaces
• LeAP: Learnable Adaptive Permutation for Feature Selection in Heterogeneous and Sparse Recommender Systems
• TriAxialKV: Toward Extreme Low-Precision KV-Cache Quantization for Agentic Inference Tasks
• DynMuon: A Dynamic Spectral Shaping View of Muon