Poisoning Prevention in Federated Learning and Differential Privacy via Stateful Proofs of Execution
Norrathep Rattanavipanon, Ivan De Oliveira Nunes
TL;DR
This work introduces Proofs of Stateful Execution (PoSX) to overcome the input and state limitations of classic PoX in poisoning-prone FL and LDP deployments. It then presents SLAPP, a system-level approach implemented on ARM TrustZone-M, which delegates the heavy security work to a small, immutable Secure World RoT while the Non-Secure World runs the application logic. By enabling input validation and state preservation, SLAPP achieves poisoning-free LDP-DC+ and FL-DC+ with modest overhead, demonstrated through real-world MCU prototypes and case studies. The approach is compatible with existing privacy-preserving schemes and can be extended with symmetric or post-quantum cryptography and server-side defenses, offering practical, scalable poisoning prevention for edge IoT deployments.
Abstract
The rise in IoT-driven distributed data analytics, coupled with increasing privacy concerns, has led to a demand for effective privacy-preserving and federated data collection/model training mechanisms. In response, approaches such as Federated Learning (FL) and Local Differential Privacy (LDP) have been proposed and have attracted much attention over the past few years. However, they still share the common limitation of being vulnerable to poisoning attacks, wherein adversaries compromising edge devices feed forged (a.k.a. poisoned) data to aggregation back-ends, undermining the integrity of FL/LDP results. In this work, we propose a system-level approach to remedy this issue based on a novel security notion of Proofs of Stateful Execution (PoSX) for IoT/embedded devices' software. To realize the PoSX concept, we design SLAPP: a System-Level Approach for Poisoning Prevention. SLAPP leverages commodity security features of embedded devices, in particular the ARM TrustZone-M security extensions, to verifiably bind raw sensed data to their correct usage as part of FL/LDP edge device routines. As a consequence, it offers robust security guarantees against poisoning. Our evaluation, based on real-world prototypes featuring multiple cryptographic primitives and data collection schemes, showcases SLAPP's security and low overhead.
