Securing ML models

Whitebox attacks require the attacker to gain access to the target AI model. Blackbox attacks require the attacker to interact with the target AI model. Knox ML Model Protection enables developers to protect their AI models against whitebox attacks by removing the attacker’s access to model parameters. It does this by encrypting ML models, wrapping those models alongside a usage policy, and mediating all decryption and usage of those wrapped models.

Knox ML Model Protection consists of the following components:

  • Knox ML Encryption Tool—The Knox ML Encryption Tool converts an ML model file and policy information into a Wrapped ML Model file. The input ML model file can be either a Tensorflow Saved Model(.pb) or a TFLite (.tflite) model.
  • Knox ML Platform Service—The Knox ML Platform Service is a service component available on Samsung Knox devices. This on-device service interfaces with TrustZone and hardware acceleration features to securely load and execute machine learning models. Android apps running on Samsung devices can communicate with the Knox ML Service through Knox ML APIs in the Knox SDK.
  • Knox ML Trusted Applet—The Knox ML Trusted Applet runs in TrustZone to get access to on-device decryption keys. This Trusted Applet integrates with the Samsung Knox Trusted Boot process to ensure that decryption keys are only available when running on trusted firmware.
  • Model Protection Key Server—The Model Protection Key Server provisions decryption keys to each device. This server requires that the client device provide a valid Knox Attestation result before provisioning the decryption key. Decryption keys are provisioned to the Knox ML Trusted Applet to prevent them from being leaked.

Wrapping model files

The Knox ML Encryption Tool is responsible for wrapping ML models so they can be securely transferred to the Knox ML service running on target devices. ML models are wrapped using the following hierarchy of keys and data:

  • Model Origin Key—This key is provisioned to devices to decrypt Wrapped ML Model files. An ECIES-SECP256R1-AES256-CBC-PKCS5 Model Origin Key is transferred from an HSM to the Knox ML Trusted Applet through a one-time initialization process. During the initialization process, the Model Origin Key is transferred to the Knox ML Trusted Applet over a client-attested, server-authenticated TLS session. The transfer can only be initiated by the Knox ML Service, as validated through Knox Attestation. During the transfer, the Model Origin Key is additionally encrypted using an RSA-PKCS1.5 key that must be derived from a valid Device Root Key. The public component of the Model Origin Key is included with the Knox ML Encryption Tool.
  • Model Root Key—This key is used to derive two per-model keys: (1) a model decryption key and (2) a model verification key. The Model Root Key is randomly generated when creating a Wrapped ML Model file. This key is then encrypted with the Model Origin Key using ECIES-SECP256R1-AES256-CBC-PKCS5, then included within the Wrapped ML Model file. The Knox ML Trusted Applet is able to decrypt this key once it receives the appropriate Model Origin Key.
  • Model Decryption Key—This key is derived using HMAC-SHA256 from (1) the Model Root Key and (2) a salt value that is randomly generated when creating the Wrapped ML Model file, and (3) a constant string. This key is used directly to encrypt the machine learning model file using AES256-GCM. The Model Decryption Key is unique and distinct for each Wrapped ML Model. To support parallel decryption, large models are split into multiple blocks. Each block is encrypted using AES256-GCM using a distinct IV, and the block index used for ordering is included as part of the Authenticated Additional Data.
  • Policy File—The Policy File dictates which apps can run the ML model.
Share it: