Deploying solutions in uncontrolled environments is a constraint in many sectors: in video surveillance, on speed cameras, in access control systems, in autonomous cars, even in our lifts and our phones 📱... Many activities depend on these IT systems working properly. The quality challenges of these systems can be categorised into two priorities:
The primary quality issues are related to resilience in real-life conditions. How much stress can a system withstand under normal use?
The secondary issues, brought by the automation and extensive connectivity of more or less sensitive activities (smart city projects, connected objects, facial recognition identification, etc.), concern the protection of these systems against malicious intrusion. What is the capacity of the infrastructure to resist a cyber-attack?
Firstly, leakage of personal data from software with little or no protection raises the spectre of the GDPR (in Europe). It is necessary to demonstrate at all costs that the anonymisation 👤 and security 👮 of the data are sufficient, on pain of being fined 💸 by the CNIL (French data protection authority).
Secondly, the development of unique algorithms and artificial intelligence models 🤖, tricky to train but simple to copy, makes defending against cyber attacks critical from an industrial perspective.
This article aims to expose the data protection issues of deploying on-premise and cloud intelligence solutions. It will also explain why the enclave solution proposed by Mithril Security meets our specific needs.
Auxilia is developing an artificial intelligence add-on solution compatible with any type of RX machine. Because of the sensitivity of the analysed data, its system cannot be connected to the Internet. So goodbye to the secure Cloud servers of our favourite GAFAMs: we have to deploy our solution on-premise.
A corollary of on-site deployment is that the weights of our model must necessarily be housed on our hardware, in an environment we do not control.
Without protection, anyone with a USB key could copy them and then find the best adversarial attacks to fool our AI. A more experienced hacker could simply disable its operation by replacing all its weights with 0: nothing would be detected anymore 🧐...
Mithril Security has developed BlindAI, an open source library allowing AI models to be run inside Trusted Execution Environments (TEEs): enclaves.
Enclaves are known for their ability to protect data while it is analysed in uncontrolled environments, through hardware protections (encryption and/or memory isolation 🧠) applied to sensitive data.
It is commonplace to use them when handling biometric data such as facial recognition, fingerprints or irises 👁. For example, Face ID and Touch ID use enclaves to securely store and analyse users' biometric data to identify them.
Apple's technology 🍎 is proprietary and only used internally in their products. However, an increasing number of Intel and AMD processors have the ability to create secure enclaves, allowing software vendors to create their own enclaves that exploit these secure CPUs.
BlindAI therefore uses Intel's enclave technology, called Intel Software Guard Extensions (SGX), to secure AI workloads. For example, Figure 1 shows how BlindAI can be used to secure biometric identification of people, especially when the server handling the data is in the Cloud ☁️.
In our case, the use of the enclave is slightly different: we don't want to deploy our model in the cloud and have our customers send their data outside, but rather deploy our AI on-premise inside an enclave.
This kills two birds with one stone:
Guaranteeing at all times that only the code and network weights intended by Auxilia are used in production. This prevents, for example, a malicious user from substituting false weights, which could compromise the model predictions and create unexpected false positives/negatives.
Protecting the network weights themselves, as these are only in the clear inside the enclave, reducing the ability to mount white-box adversarial attacks.
This double protection is illustrated in Figure 2.
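To make the first of these two guarantees concrete, here is an added illustration (not BlindAI code, and not Auxilia's deployment code) of what "only the intended code and weights run" means in practice. The SGX measurement and attestation report are replaced by a SHA-256 digest over constructed byte strings, and the vendor's manifest signature by an HMAC with an assumed shared key; a real deployment would rely on the enclave's own measurement and an asymmetric signature. The loader refuses the zeroed-weights tampering described above, and the client-side gate refuses to send data to an enclave whose reported measurement does not match the release.

```python
"""Hypothetical illustration of an integrity-checked model loader and a
client-side gate. Not BlindAI's API; every name and value is constructed."""
import hashlib
import hmac
import struct

# Constructed sample release artefacts (stand-ins for real code and weights).
RELEASED_WEIGHTS = struct.pack("<8f", 0.12, -0.5, 0.33, 1.7, -2.1, 0.07, 0.9, -0.04)
RELEASED_CODE = b"auxilia-inference-enclave-v1"
# Assumed vendor key for the manifest HMAC (a real release would be signed
# with an asymmetric key whose public half is pinned in the loader).
VENDOR_KEY = b"constructed-demo-key"


def measure(code: bytes, weights: bytes) -> str:
    """One digest over code and weights, in the role SGX's MRENCLAVE plays.

    Lengths are mixed in so that moving bytes between the two fields
    cannot produce the same digest.
    """
    h = hashlib.sha256()
    h.update(len(code).to_bytes(8, "little"))
    h.update(code)
    h.update(len(weights).to_bytes(8, "little"))
    h.update(weights)
    return h.hexdigest()


def sign_manifest(measurement: str) -> str:
    """Vendor-side: authenticate the expected measurement."""
    return hmac.new(VENDOR_KEY, measurement.encode(), hashlib.sha256).hexdigest()


def load_model(code: bytes, weights: bytes, expected_measurement: str,
               manifest_sig: str) -> tuple:
    """Enclave-side loader: run nothing but the released code/weights pair.

    Raises ValueError on a forged manifest or on tampered weights (e.g. all
    zeros), so a tampered model never reaches inference silently.
    """
    if not hmac.compare_digest(sign_manifest(expected_measurement), manifest_sig):
        raise ValueError("manifest signature invalid")
    if not hmac.compare_digest(measure(code, weights), expected_measurement):
        raise ValueError("code/weights do not match the released measurement")
    return struct.unpack(f"<{len(weights) // 4}f", weights)


def client_may_send(reported_measurement: str, expected_measurement: str) -> bool:
    """Client-side gate: only send images to an enclave running the release."""
    return hmac.compare_digest(reported_measurement, expected_measurement)


if __name__ == "__main__":
    expected = measure(RELEASED_CODE, RELEASED_WEIGHTS)
    sig = sign_manifest(expected)
    print("genuine weights loaded:", load_model(RELEASED_CODE, RELEASED_WEIGHTS, expected, sig)[:2])
    zeroed = b"\x00" * len(RELEASED_WEIGHTS)
    try:
        load_model(RELEASED_CODE, zeroed, expected, sig)
    except ValueError as err:
        print("zeroed weights rejected:", err)
    print("client sends to tampered enclave?", client_may_send(measure(RELEASED_CODE, zeroed), expected))
```

The two checks are deliberately separate: the signature check answers "is this the measurement Auxilia published?", and the measurement check answers "is what sits on this disk exactly that?". An attacker who can write to the hardware can change the weights, but cannot produce a manifest that matches them without the vendor key.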
Most hardware, both edge and server-side, now has secure enclaves. When using Intel SGX, it is therefore all the easier to deploy them, as their operation does not depend (too much) on the hardware configuration, as long as it has at least an 8th generation Intel i7 processor.
The strength 💪 of the enclave also comes from the ease with which it can be transposed to a cloud mode of operation: calculations would no longer be done in situ, but on a secure remote server. This means that the AIRIS device in Figure 1 can be on-site hardware as well as a local or web server, which facilitates the scalability of the infrastructure.
In the case of the web server, the enclave technology allows the client to ensure that the images sent to the server cannot be read by the cloud provider (AWS, GCP, etc.), nor by the AI provider (Auxilia). To find out more, don't hesitate to read Mithril Security's blog posts 📖 on the subject.
The only downside for now is that GPUs able to create secure enclaves are not yet publicly available, but they will be with the release of the Nvidia H100.
In a future blog post, we will explain the mechanisms that guarantee the authenticity and isolation of enclaves.