SPOILER: TEE-Shielded DNN Partitioning of On-Device Secure Inference with Poison Learning

Donghwa Kang, Hojun Choe, Doohyun Kim, Hyeongboo Baek, Brent ByungHoon Kang

TL;DR

SPOILER is a novel search-before-training framework that fundamentally decouples the TEE sub-network from the backbone via hardware-aware neural architecture search (NAS) and identifies a lightweight TEE architecture strictly optimized for hardware constraints, maximizing parallel efficiency.

Abstract

Deploying deep neural networks (DNNs) on edge devices exposes valuable intellectual property to model-stealing attacks. While TEE-shielded DNN partitioning (TSDP) mitigates this by isolating sensitive computations, existing paradigms fail to simultaneously satisfy privacy and efficiency. The training-before-partition paradigm suffers from intrinsic privacy leakage, whereas the partition-before-training paradigm incurs severe latency due to structural dependencies that hinder parallel execution. To overcome these limitations, we propose SPOILER, a novel search-before-training framework that fundamentally decouples the TEE sub-network from the backbone via hardware-aware neural architecture search (NAS). SPOILER identifies a lightweight TEE architecture strictly optimized for hardware constraints, maximizing parallel efficiency. Furthermore, we introduce self-poisoning learning to enforce logical isolation, rendering the exposed backbone functionally incoherent without the TEE component. Extensive experiments on CNNs and Transformers demonstrate that SPOILER achieves state-of-the-art trade-offs between security, latency, and accuracy.

Paper Structure

This paper contains 36 sections, 4 equations, 8 figures, 2 tables.

Figures (8)

  • Figure 1: The evolution of TSDP paradigms. (a) TBP transforms the entire open-source model (purple) into private parameters (blue) through full training, exposing the whole architecture as an attack surface. (b) PBT localizes the attack surface by training only the TEE-isolated layers (blue) while retaining the public backbone (purple), yet it still fails to address the model's structural dependencies and hardware heterogeneity. (c) SPOILER (ours) introduces the SBT paradigm, which actively searches for a hardware-aware architecture (via (❶) NAS) for TEE and enforces logical isolation for REE through (❷) self-poisoning learning.
  • Figure 2: Illustration of the two-step model stealing pipeline. In Step 1 (model initialization), the adversary initializes a shadow model by combining a public pre-trained model with parameters exposed in the REE. In Step 2 (model stealing), the adversary trains a surrogate model via knowledge distillation using query responses from the victim model, effectively cloning its functionality.
  • Figure 3: Taxonomy of TSDP methodologies. Executing the whole model in the TEE (❶) incurs prohibitive latency. TBP methods partition layers (❷) or weights (❸) after training. To prevent leakage, some apply obfuscation to REE weights and inputs (❹). PBT methods isolate components pre-training via slicing (❺) or dual branches (❻). However, these fail due to leakage, overhead, or rigidity. In contrast, SPOILER employs hardware-aware NAS and self-poisoning to optimize security and efficiency (❼).
  • Figure 4: Motivational analysis on NVIDIA Jetson Orin. (a) Accuracy of surrogate models under three settings: targeting a model trained with $\mathcal{L}$ (blue) and $-\mathcal{L}$ (red), and a randomly initialized model (green). Notably, as the ratio of private weights exposed in the REE rises, the accuracy of the baseline surrogate (blue) increases, indicating intrinsic leakage in TBP methods. In contrast, the adversarial and random models yield low accuracy due to a lack of task-aware information. (b) The latency of cryptographic obfuscation significantly exceeds that of TEE-REE data transfer; however, the data transfer cost itself remains a non-negligible latency bottleneck.
  • Figure 5: Search space and workflow of SPOILER. The search space consists of parameter-free adapters and lightweight blocks designed for TEE constraints.
  • Figures 6 to 8: captions not shown on this page.
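The motivation behind Figure 2 (Step 1: the adversary warm-starts a shadow model from parameters exposed in the REE) and Figure 4(a) (surrogate accuracy when the exposed parameters were trained with $\mathcal{L}$, with $-\mathcal{L}$, or left random) can be reproduced in miniature. The following is an added, standard-library-only Python example written for this page; it is not code from the SPOILER authors. It makes several simplifying assumptions: the "exposed" parameter block is an entire logistic-regression model rather than one partition of a DNN, self-poisoning is approximated by the $-\mathcal{L}$ (gradient ascent) training used in the Figure 4(a) analysis rather than the paper's full self-poisoning scheme, the dataset is a constructed linearly separable 2-D problem, and the model-stealing step is plain soft-label distillation against a fixed query budget.

```python
"""Toy version of the Fig. 4(a) measurement: how much task information do
REE-exposed parameters give a model-stealing adversary, depending on whether
they were trained with L (honest), with -L (stand-in for self-poisoning), or
never trained (random)?  Added example; all data below is constructed."""
import math
import random

D = 3  # two input features plus a constant-1 bias input


def make_data(n, seed):
    """Constructed, linearly separable data: label 1 iff x1 + x2 > 0."""
    rng = random.Random(seed)
    xs, ys = [], []
    for _ in range(n):
        x1, x2 = rng.uniform(-1, 1), rng.uniform(-1, 1)
        xs.append([x1, x2, 1.0])
        ys.append(1 if x1 + x2 > 0 else 0)
    return xs, ys


def sigmoid(z):
    z = max(-60.0, min(60.0, z))  # clamp so exp() never overflows
    return 1.0 / (1.0 + math.exp(-z))


def prob(w, x):
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)))


def accuracy(w, xs, ys):
    hits = sum((prob(w, x) >= 0.5) == (y == 1) for x, y in zip(xs, ys))
    return hits / len(xs)


def train(w, xs, targets, sign, lr, steps):
    """Full-batch gradient steps on sign * mean BCE(prob(w, x), target).
    sign=+1 is ordinary descent on L; sign=-1 ascends, i.e. trains on -L.
    `targets` are hard labels for task training or a victim's soft outputs
    for distillation (the BCE gradient is the same: (p - t) * x)."""
    w = list(w)
    n = len(xs)
    for _ in range(steps):
        grad = [0.0] * D
        for x, t in zip(xs, targets):
            err = prob(w, x) - t
            for j in range(D):
                grad[j] += err * x[j] / n
        w = [wj - sign * lr * gj for wj, gj in zip(w, grad)]
    return w


def distill(init_w, victim_w, queries, lr=0.5, steps=20):
    """Fig. 2, Step 2: the adversary queries the deployed victim and fits the
    surrogate (initialised from the exposed parameters) to its responses."""
    soft = [prob(victim_w, x) for x in queries]  # the query responses
    return train(init_w, queries, soft, +1, lr, steps)


def run_experiment(seed=0):
    xs, ys = make_data(400, seed)            # victim owner's training data
    test_xs, test_ys = make_data(400, seed + 1)
    zero = [0.0] * D

    # Three candidate "exposed" parameter blocks (Fig. 4(a) colours):
    honest = train(zero, xs, ys, +1, lr=0.5, steps=200)     # trained with  L
    poisoned = train(zero, xs, ys, -1, lr=0.5, steps=200)   # trained with -L
    rng = random.Random(seed + 2)
    random_init = [rng.gauss(0.0, 0.1) for _ in range(D)]   # never trained

    # Fig. 2, Step 1: the adversary initialises a shadow model from whatever
    # was exposed, then steals the *deployed* (honest) victim via queries.
    queries, _ = make_data(100, seed + 3)    # adversary's own query inputs
    exposed = {"honest": honest, "poisoned": poisoned, "random": random_init}
    return {
        "exposed_acc": {k: accuracy(w, test_xs, test_ys) for k, w in exposed.items()},
        "surrogate_acc": {k: accuracy(distill(w, honest, queries), test_xs, test_ys)
                          for k, w in exposed.items()},
    }


if __name__ == "__main__":
    for name, accs in run_experiment().items():
        print(name, {k: round(v, 3) for k, v in accs.items()})
```

Two things to look at in the output: the honestly trained block is already a near-complete copy of the victim before a single query is spent, which is the intrinsic leakage of the training-before-partition paradigm, and the $-\mathcal{L}$ block is a worse starting point than random initialisation under the same query budget, because the adversary must first undo the anti-correlated weights before distillation makes progress. The paper's actual self-poisoning scheme and its evaluation on CNNs and Transformers are more involved than this two-feature toy; the example only shows why the measurement in Figure 4(a) is the right one to make.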