Visor: Private Video Analytics as a Cloud Service (iot.stanford.edu/retreat19/sitp19-visor.pdf)
Visor: Private Video Analytics as a Cloud Service
Rishabh Poddar, Ganesh Ananthanarayanan, Srinath Setty,
Stavros Volos, and Raluca Ada Popa
UC Berkeley and Microsoft Research

Machine learning as a service
• Image processing
• Speech recognition
• Video analytics
• …
[Figure labels: Client, Cloud platform, Data, Results]

Key application: Video analytics
Decisions based on objects in videos
• E.g. Raise an alert if a human at the main door
• E.g. Change the traffic lights if less than 3 cars at the intersection

Video analytics pipeline
Pipeline of video processing modules
[Figure: Client source → Cloud platform (CPU, GPU). Modules: Video decoding → Background subtraction → Bounding box detection → Object cropping → (Objects) → CNN classification → Results: 1. Red car 2. White van 3. Tree 4. …]
Cheap filters to discard useless frames
• Filter out moving objects
• CPU is under-utilized, unlike GPU

Problem: Privacy
Video stream is proprietary to clients
Hackers / co-tenants / curious employees
[Figure: the video analytics pipeline on the cloud platform, as above]

Related work: Privacy-preserving inference
Cryptographic approaches: e.g. SMPC, Homomorphic encryption
• High overhead
  — Can’t sustain video frame rate
• Cannot be easily extended to video processing modules
Trusted hardware-based approaches (enclaves): e.g. Slalom, Chiron
• Designed for CPU enclaves (using Intel SGX)
  — Can’t sustain video frame rate
• Side-channel leakage — e.g. memory access patterns

Illustration of memory access pattern leakage
Example: Object detection
[Figure: Input image: original image (processed within SGX enclave). Leakage: location of accessed pixels. Recovered image: leaks shapes and positions of all objects]

Visor
Key ideas
1. Hybrid enclave architecture (CPU + GPU) for secure computation
2. Remove memory side-channel leakage via data-obliviousness
   • Redesign all components such that memory access patterns are independent of data

Hybrid trusted execution environment (TEE)
• Intel SGX (CPU TEE) + Graviton (GPU TEE)
[Figure labels: Client; Cloud platform; CPU; GPU; Operating System (untrusted); Other processes (untrusted); CPU enclave (Intel SGX); Application (trusted); GPU runtime; Trusted process; GPU enclave (Graviton)]

Visor: Hybrid TEE for video analytics
• Ported to SGX using Graphene (extended to support required ioctl calls)
[Figure labels: Client source; Encrypted video stream; Cloud platform; CPU enclave (Intel SGX); GPU enclave (Graviton); Frame decoder; Object detection modules; Object buffer; GPU runtime; CNN classifier; Objects; Results]

Sources of leakage
[Figure: the hybrid TEE pipeline above, with four leakage points marked 1 2 3 4]
1. Encrypted traffic pattern
   • E.g. leaks times of activity in video stream
2. SGX side-channel leakage
   • Vast majority of known attacks on SGX exploit memory access pattern leakage
3. CPU-GPU communication pattern
   • Number / size of objects in frames
4. Graviton side-channel leakage
   • Similar in principle to SGX side-channel leakage

Roadmap
1. Input traffic pattern
   • Pad frames to an upper bound while enabling a bandwidth / performance trade-off
2. SGX memory side-channels
   • Develop novel data-oblivious video processing algorithms
3. CPU-GPU communication pattern
   • Fixed communication schedule using dummy items, while minimizing GPU utilization
4. Graviton memory side-channels
   • Data-oblivious CNN implementation

Preventing SGX memory side-channels
Redesign algorithms so that memory access patterns are independent of secret data
• Identical set of operations per pixel
• Design algorithms with structured memory accesses for efficiency
Implemented using a small set of oblivious primitives
• Assumption: Register-to-register operations are data-oblivious
• Wrappers around x86’s CMOV

Data-oblivious primitives [1]
• oselect — conditional assignment
• osort — sorting using a bitonic network
• oaccess — array accesses
[1] Ohrimenko et al.: “Oblivious multi-party machine learning on trusted processors” (Usenix Security ‘16)

oselect — conditional assignment. The branch

    if (cond) {
        y = x;
    }

becomes oselect(cond,x,y):

    mov rcx, cond
    mov rdx, x
    mov rax, y
    test rcx, rcx      ; ZF = 1 iff cond == 0
    cmovnz rax, rdx    ; rax = x when cond != 0, otherwise rax keeps y
    retn

Can perform dummy operations by setting cond to false

Illustration: Bounding box detection
[Figure: the video analytics pipeline, with the Bounding box detection module highlighted; a sample binary image]
Input: Binary image
Output: Bounding boxes of all objects
Algorithm: Border following
1. Scan image row-wise until a white pixel
2. Examine neighbors and follow the border clock-wise to obtain edge contour
3. Compute bounding box for each contour
Leakage: Shape and location of each object
![Page 48: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/48.jpg)
Oblivious Algorithm: 1. Scan image row-wise
2. For each white pixel:
a. Assign smallest label of its already-scanned neighbors, or a new label.
b. Update “parents” of all white neighbors to record that they are connected
c. Update bounding box of assigned label
3. For each black pixel: same set of operations, but with dummy values (zeros)
4. Merge all connected labels
Illustration: Bounding box detection
�48�48
Binary image
![Page 49: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/49.jpg)
Oblivious Algorithm: 1. Scan image row-wise
2. For each white pixel:
a. Assign smallest label of its already-scanned neighbors, or a new label.
b. Update “parents” of all white neighbors to record that they are connected
c. Update bounding box of assigned label
3. For each black pixel: same set of operations, but with dummy values (zeros)
4. Merge all connected labels
Illustration: Bounding box detection
�49�49
Binary image
![Page 50: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/50.jpg)
Oblivious Algorithm: 1. Scan image row-wise
2. For each white pixel:
a. Assign a label — smallest already-scanned neighbor, or a new label.
b. Update “parents” of all white neighbors to record that they are connected
c. Update bounding box of assigned label
3. For each black pixel: same set of operations, but with dummy values (zeros)
4. Merge all connected labels
Illustration: Bounding box detection
�50�50
Binary image
![Page 51: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/51.jpg)
Oblivious Algorithm: 1. Scan image row-wise
2. For each white pixel:
a. Assign a label — smallest already-scanned neighbor, or a new label.
b. Update “parent” of each neighboring label to record that they are connected
c. Update bounding box of assigned label
3. For each black pixel: same set of operations, but with dummy values (zeros)
4. Merge all connected labels
Illustration: Bounding box detection
�51�51
Binary image
0 1 2 3 4 5 6 … … NParents
![Page 52: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/52.jpg)
Illustration: Bounding box detection
�52�52
Binary image
0 1 2 3 4 5 6 … … N
Parents
Oblivious Algorithm: 1. Scan image row-wise.
2. For each white pixel:
a. Assign a label — smallest already-scanned neighbor, or a new label.
b. Update “parent” of each neighboring label to record that they are connected
c. Update label’s bounding box
3. For each black pixel: same set of operations, but with dummy values (zeros)
4. Merge all connected labelsBounding box coordinates
LeftRight
TopBottom
![Page 53: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/53.jpg)
Illustration: Bounding box detection
�53�53
Binary image
0 1 2 3 4 5 6 … … N
Parents
Oblivious Algorithm: 1. Scan image row-wise.
2. For each white pixel:
a. Assign a label — smallest already-scanned neighbor, or a new label.
b. Update “parent” of each neighboring label to record that they are connected
c. Update label’s bounding box
3. For each black pixel: same set of operations, but with dummy values (zeros)
4. Merge all connected labelsBounding box coordinates
LeftRight
TopBottom
![Page 54: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/54.jpg)
Illustration: Bounding box detection
�54�54
Binary image
0
Parents
Oblivious Algorithm: 1. Scan image row-wise.
2. For each white pixel:
a. Assign a label — smallest already-scanned neighbor, or a new label.
b. Update “parent” of each neighboring label to record that they are connected
c. Update label’s bounding box
3. For each black pixel: same set of operations, but with dummy values (zeros)
4. Merge all connected labels
0000
Bounding box coordinates
LeftRight
TopBottom
0 1 2 3 4 5 6 … … N0
![Page 55: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/55.jpg)
Illustration: Bounding box detection
�55�55
Binary image
0 0 0 0 0 0 0 0 0 00 1
0 10 10 10 1
Bounding box coordinates
LeftRight
TopBottom
0 1 2 3 4 5 6 … … N0 1 Parents
Oblivious Algorithm: 1. Scan image row-wise.
2. For each white pixel:
a. Assign a label — smallest already-scanned neighbor, or a new label.
b. Update “parent” of each neighboring label to record that they are connected
c. Update label’s bounding box
3. For each black pixel: same set of operations, but with dummy values (zeros)
4. Merge all connected labels
![Page 56: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/56.jpg)
Illustration: Bounding box detection
�56�56
Binary image
0 0 0 0 0 0 0 0 0 00 1 1
0 10 20 10 1
Bounding box coordinates
0 1 2 3 4 5 6 … … N0 1 Parents
LeftRight
TopBottom
![Page 57: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/57.jpg)
Illustration: Bounding box detection
Binary image:
0 0 0 0 0 0 0 0 0 0
0 1 1 0 0 0 0 2
Bounding box coordinates (one column per label, starting at label 0):
Left: 0 1 7
Right: 0 2 7
Top: 0 1 2
Bottom: 0 1 2
Parents (indexed by label 0 1 2 3 4 5 6 … N): 0 1 2
![Page 58: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/58.jpg)
Illustration: Bounding box detection
Binary image:
0 0 0 0 0 0 0 0 0 0
0 1 1 0 0 0 0 2 2
Bounding box coordinates (one column per label, starting at label 0):
Left: 0 1 7
Right: 0 2 8
Top: 0 1 2
Bottom: 0 1 2
Parents (indexed by label 0 1 2 3 4 5 6 … N): 0 1 2
![Page 59: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/59.jpg)
Illustration: Bounding box detection
Binary image:
0 0 0 0 0 0 0 0 0 0
0 1 1 0 0 0 0 2 2 0
0 0 1 1 1 1 1
Bounding box coordinates (one column per label, starting at label 0):
Left: 0 1 7
Right: 0 6 8
Top: 0 1 2
Bottom: 0 2 2
Parents (indexed by label 0 1 2 3 4 5 6 … N): 0 1 1
![Page 60: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/60.jpg)
Illustration: Bounding box detection
Binary image:
0 0 0 0 0 0 0 0 0 0
0 1 1 0 0 0 0 2 2 0
0 0 1 1 1 1 1 1 0 0
0 0 1 1 1 1 1 1 0 0
0 0 0 0 1 1 0 0 0 0
0
Bounding box coordinates (one column per label, starting at label 0):
Left: 0 1 7
Right: 0 7 8
Top: 0 1 2
Bottom: 0 4 2
Parents (indexed by label 0 1 2 3 4 5 6 … N): 0 1 1
![Page 61: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/61.jpg)
Illustration: Bounding box detection
Binary image:
0 0 0 0 0 0 0 0 0 0
0 1 1 0 0 0 0 2 2 0
0 0 1 1 1 1 1 1 0 0
0 0 1 1 1 1 1 1 0 0
0 0 0 0 1 1 0 0 0 0
0 3 3
Bounding box coordinates (one column per label, starting at label 0):
Left: 0 1 7 1
Right: 0 7 8 2
Top: 0 1 2 5
Bottom: 0 4 2 5
Parents (indexed by label 0 1 2 3 4 5 6 … N): 0 1 1 3
![Page 62: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/62.jpg)
Illustration: Bounding box detection
Binary image:
0 0 0 0 0 0 0 0 0 0
0 1 1 0 0 0 0 2 2 0
0 0 1 1 1 1 1 1 0 0
0 0 1 1 1 1 1 1 0 0
0 0 0 0 1 1 0 0 0 0
0 3 3 1
Bounding box coordinates (one column per label, starting at label 0):
Left: 0 1 7 1
Right: 0 7 8 2
Top: 0 1 2 5
Bottom: 0 5 2 5
Parents (indexed by label 0 1 2 3 4 5 6 … N): 0 1 1 1
![Page 63: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/63.jpg)
Illustration: Bounding box detection
Binary image:
0 0 0 0 0 0 0 0 0 0
0 1 1 0 0 0 0 2 2 0
0 0 1 1 1 1 1 1 0 0
0 0 1 1 1 1 1 1 0 0
0 0 0 0 1 1 0 0 0 0
0 3 3 1 1 1 1 1 1 0
Bounding box coordinates (one column per label, starting at label 0):
Left: 0 1 7 1
Right: 0 8 8 2
Top: 0 1 2 5
Bottom: 0 5 2 5
Parents (indexed by label 0 1 2 3 4 5 6 … N): 0 1 1 1
![Page 64: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/64.jpg)
Illustration: Bounding box detection
Binary image:
0 0 0 0 0 0 0 0 0 0
0 1 1 0 0 0 0 2 2 0
0 0 1 1 1 1 1 1 0 0
0 0 1 1 1 1 1 1 0 0
0 0 0 0 1 1 0 0 0 0
0 3 3 1 1 1 1 1 1 0
0 0 0 0 0 0 0 0 0 0
0 0 0 4 4 4 4 0 0 0
0 0 0 4 4 4 4 0 0 0
0 0 0 0 0 0 0 0 0 0
Bounding box coordinates (one column per label, starting at label 0):
Left: 0 1 7 1 3
Right: 0 8 8 2 6
Top: 0 1 2 5 7
Bottom: 0 5 2 5 8
Parents (indexed by label 0 1 2 3 4 5 6 … N): 0 1 1 1 4
![Page 65: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/65.jpg)
![Page 66: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/66.jpg)
Illustration: Bounding box detection
Binary image:
0 0 0 0 0 0 0 0 0 0
0 1 1 0 0 0 0 1 1 0
0 0 1 1 1 1 1 1 0 0
0 0 1 1 1 1 1 1 0 0
0 0 0 0 1 1 0 0 0 0
0 1 1 1 1 1 1 1 1 0
0 0 0 0 0 0 0 0 0 0
0 0 0 4 4 4 4 0 0 0
0 0 0 4 4 4 4 0 0 0
0 0 0 0 0 0 0 0 0 0
Bounding box coordinates (one column per label, starting at label 0):
Left: 0 1 7 1 3
Right: 0 8 8 2 6
Top: 0 1 2 5 7
Bottom: 0 5 2 5 8
Parents (indexed by label 0 1 2 3 4 5 6 … N): 0 1 1 1 4
![Page 67: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/67.jpg)
Illustration: Bounding box detection
Binary image
Enhancement via parallelization
![Page 68: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/68.jpg)
Illustration: Bounding box detection
Binary image
Enhancement via parallelization:
1. Divide the image into strips
![Page 69: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/69.jpg)
Illustration: Bounding box detection
Binary image
Enhancement via parallelization:
1. Divide the image into strips
2. Detect bounding boxes per strip in parallel
![Page 70: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/70.jpg)
Illustration: Bounding box detection
Binary image
Enhancement via parallelization:
1. Divide the image into strips
2. Detect bounding boxes per strip in parallel
3. Merge connected boxes across strip boundaries
![Page 71: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/71.jpg)
Performance highlights
![Page 72: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/72.jpg)
Setup
Testbed
• Intel i7-8700K with 6 cores at 3.7 GHz
• NVIDIA GTX 780 GPU with 2304 CUDA cores operating at 863 MHz
![Page 73: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/73.jpg)
Setup
Testbed
• Intel i7-8700K with 6 cores at 3.7 GHz
• NVIDIA GTX 780 GPU with 2304 CUDA cores operating at 863 MHz
Workload
• 4 real video streams of resolution 1280 x 720 and 1024 x 768 (traffic cameras, security cameras)
![Page 74: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/74.jpg)
Setup
Testbed
• Intel i7-8700K with 6 cores at 3.7 GHz
• NVIDIA GTX 780 GPU with 2304 CUDA cores operating at 863 MHz
Workload
• 4 real video streams of resolution 1280 x 720 and 1024 x 768 (traffic cameras, security cameras)
Baseline
• Insecure video pipeline (without enclaves / obliviousness)
![Page 75: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/75.jpg)
Overhead of side-channel protection
[Figure: bar chart of net throughput (frames/s) by CNN model used in pipeline (AlexNet, ResNet-18, ResNet-50, VGG-16, VGG-19); series: Baseline, Oblivious]
![Page 76: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/76.jpg)
Overhead of side-channel protection
[Figure: bar chart of net throughput (frames/s) by CNN model used in pipeline (AlexNet, ResNet-18, ResNet-50, VGG-16, VGG-19); series: Baseline, Oblivious]
Performance bottleneck shifts to the GPU with heavier models
![Page 77: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/77.jpg)
Overhead of side-channel protection
[Figure: bar chart of net throughput (frames/s) by CNN model used in pipeline (AlexNet, ResNet-18, ResNet-50, VGG-16, VGG-19); series: Baseline, Oblivious; annotations on the chart: 5.9x, 5.1x, 2.5x, 2.2x, 2.2x]
Performance bottleneck shifts to the GPU with heavier models, leaving more legroom for obliviousness on the CPU
![Page 78: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/78.jpg)
Overhead of enclaves
[Figure: bar chart of net latency (ms) by frame resolution (1280 x 720, 320 x 180); series: Baseline, Baseline + enclaves, Oblivious + enclaves]
![Page 79: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/79.jpg)
![Page 80: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/80.jpg)
Overhead of enclaves
[Figure: bar chart of net latency (ms) by frame resolution (1280 x 720, 320 x 180); series: Baseline, Baseline + enclaves, Oblivious + enclaves; annotations on the chart: 7.8x, 2.5x]
Limited CPU enclave memory size increases baseline latency for large frames
![Page 81: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/81.jpg)
Overhead of enclaves
[Figure: bar chart of net latency (ms) by frame resolution (1280 x 720, 320 x 180); series: Baseline, Baseline + enclaves, Oblivious + enclaves; annotations on the chart: 2.4x, 1.5x]
Limited CPU enclave memory size increases baseline latency for large frames
![Page 82: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/82.jpg)
Summary
• Hybrid enclaves for running MLaaS applications such as video analytics pipelines
• Data-oblivious algorithms to remove memory side-channels
• Overhead of oblivious techniques limited to 2x to 6x
![Page 83: Visor: Private Video Analytics as a Cloud Serviceiot.stanford.edu/retreat19/sitp19-visor.pdf · Visor: Private Video Analytics as a Cloud Service Rishabh Poddar Ganesh Ananthanarayanan,](https://reader034.vdocuments.site/reader034/viewer/2022050511/5f9c122e55156728867990db/html5/thumbnails/83.jpg)
Thanks!