Intel® Confidential Compute for TensorFlow Serving*
No code modifications, high-level security with no impact to functionality
This offer delivers the necessary tools to build a confidential compute image for TensorFlow Serving. The resulting image can be used for privacy preserving machine learning applications based on TensorFlow Serving. The image can be started on any Azure machine supporting Intel SGX – a Confidential Computing solution. Without impacting the functionality of TensorFlow Serving, this offer uses Confidential Computing to bring the following security benefits to TensorFlow Serving:
- Data protection: All input data and models are encrypted on disk, in main memory, and on the bus to the CPU; hardware-based access controls permit only TensorFlow Serving to access the plaintext, and only inside the CPU.
- Application Isolation: No other software on the system, e.g., the operating system, hypervisor, and firmware, has access to the processed data. Physical attacks, e.g., cold-boot attacks on RAM, are also mitigated, as an attacker would only obtain encrypted data.
- Attestation: The attestation feature can be used to prove to a third party that the expected TensorFlow Serving application code and data are running, that the software is executed on specific Confidential Computing hardware, and that the hardware is patched to a specific level.
- Strict Trust Boundaries: The protections offered by Confidential Computing significantly reduce the attack surface for internal and external attackers. Not even the cloud provider can get access to the stored and processed data.
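To make the attestation bullet concrete, the following is an added example (not code from the offer, from Intel, or from the Gramine project) of the policy a relying party applies after an attestation service or library has already verified the quote's signature and certificate chain. It assumes the verified result has been parsed into the plain fields shown (MRENCLAVE, MRSIGNER, product ID, ISV SVN, debug flag, and a platform TCB status string); the field names, the `Policy` type, and all sample values are constructed for illustration and do not correspond to any real enclave build.

```python
"""Verifier-side policy check for an SGX attestation result.

Added illustration, not part of the Intel Confidential Compute offer or of
Gramine. Assumes the quote was already cryptographically verified upstream
and parsed into the fields below; names and sample values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttestationResult:
    mrenclave: str    # hex measurement of the enclave's code and initial data
    mrsigner: str     # hex hash of the key that signed the enclave
    isv_prod_id: int  # product ID chosen by the enclave signer
    isv_svn: int      # security version number of the enclave build
    debug: bool       # True if the enclave was launched in debug mode
    tcb_status: str   # platform TCB status from the attestation service (assumed string form)


@dataclass(frozen=True)
class Policy:
    allowed_mrenclaves: frozenset   # approved TensorFlow Serving enclave builds
    expected_mrsigner: str
    expected_prod_id: int
    min_isv_svn: int                # lowest patch level still accepted
    allowed_tcb_status: frozenset = frozenset({"UpToDate"})


def check_attestation(result: AttestationResult, policy: Policy) -> list:
    """Return the list of policy violations; an empty list means the enclave is accepted.

    The three checks mirror the attestation claims: code identity (MRENCLAVE,
    MRSIGNER, product ID), enclave patch level (ISV SVN) and platform patch
    level (TCB status). A debug enclave is rejected outright because debug mode
    disables the memory protections the rest of the checks rely on.
    """
    problems = []
    if result.debug:
        problems.append("enclave runs in debug mode")
    if result.mrenclave.lower() not in policy.allowed_mrenclaves:
        problems.append("MRENCLAVE is not an approved build")
    if result.mrsigner.lower() != policy.expected_mrsigner.lower():
        problems.append("MRSIGNER is not the expected signer")
    if result.isv_prod_id != policy.expected_prod_id:
        problems.append("ISV product ID mismatch")
    if result.isv_svn < policy.min_isv_svn:
        problems.append("enclave ISV SVN below minimum")
    if result.tcb_status not in policy.allowed_tcb_status:
        problems.append("platform TCB status not accepted: " + result.tcb_status)
    return problems


# Constructed sample values; a real deployment records MRENCLAVE/MRSIGNER
# from its own signed enclave build.
APPROVED_MRENCLAVE = "ab" * 32
EXPECTED_MRSIGNER = "cd" * 32

POLICY = Policy(
    allowed_mrenclaves=frozenset({APPROVED_MRENCLAVE}),
    expected_mrsigner=EXPECTED_MRSIGNER,
    expected_prod_id=1,
    min_isv_svn=3,
)

# An enclave that matches the approved build on a fully patched platform.
GOOD_RESULT = AttestationResult(
    mrenclave=APPROVED_MRENCLAVE, mrsigner=EXPECTED_MRSIGNER,
    isv_prod_id=1, isv_svn=3, debug=False, tcb_status="UpToDate",
)

# The same enclave on a platform whose microcode/TCB is out of date, and
# additionally an older enclave build than the policy allows.
STALE_RESULT = AttestationResult(
    mrenclave=APPROVED_MRENCLAVE, mrsigner=EXPECTED_MRSIGNER,
    isv_prod_id=1, isv_svn=2, debug=False, tcb_status="OutOfDate",
)

if __name__ == "__main__":
    for name, res in (("good", GOOD_RESULT), ("stale", STALE_RESULT)):
        print(name, check_attestation(res, POLICY) or "accepted")
```

The check returns every violation rather than stopping at the first, which is the behaviour an operator wants in logs when deciding whether a rejected enclave needs a rebuild, a re-signing, or a platform update.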
This offer uses the open-source project Gramine to convert an unprotected TensorFlow Serving image into an SGX-protected image. In general, Gramine can convert unmodified applications into SGX-protected applications without the effort of manually porting the application to the SGX environment. Multiple offerings of Intel-curated confidential compute applications protected by Gramine are available in the Azure marketplace. Beyond these prepared applications, Gramine can be used to convert dockerized applications into SGX-protected applications, and with minor effort any regular Linux application can be protected by Gramine.
Click on the “Get It Now” button on this website to build and run a graminized image of TensorFlow Serving in 15 minutes.