AI Vault : S3 Lab - Software & Systems Security Laboratory

AI Vault

The AI Vault project designs and develops new trusted execution environments (TEEs) tailored to run artificial intelligence and machine learning programs confidentially on modern AI platforms end-to-end, including cloud, edge, and embedded devices.

TEE technologies, such as Intel SGX, AMD SEV, and ARM TrustZone, provide strong security guarantees against powerful attacks with hardware assistance. However, due to the data-intensive nature of AI/ML programs and the hardware limitations of TEEs, it is challenging to protect them using TEE technologies without significantly sacrificing security and/or performance. The goal of this project is to overcome these challenges to practically enable confidential AI and ML execution on modern AI platforms in production.

Recent News

Sep. 11, 2025: DLS code is publicly available
Aug. 14, 2025: DLS paper is accepted to NDSS 2026
Feb. 26, 2025: TZ-DATASHIELD conference talk at NDSS 2025
Feb. 20, 2025: TZ-DATASHIELD code is publicly available
Oct. 31, 2024: TZ-DATASHIELD paper is accepted to NDSS 2025
Jap. 23, 2024: T-Slices code is publicly available
Dec. 7, 2023: GEVisor code is publicly available (at Purdue Security Lab)
Sep. 19, 2023: GEVisor paper is accepted to SOCC 2023
Dec. 17, 2022: T-Slices paper is accepted to CODASPY 2023
Jun. 10, 2022: AI Vault is featured in two news articles, Industrial Cybersecurity Pulse and Texas A&M Engineering Experiment Station News
Oct. 21, 2020: Vessels conference talk at SOCC 2020
Aug. 8, 2020: Vessels paper is accepted to SOCC 2020

Available Work

DLS: an attack framework to extract DNN architectures from enclaves with single-stepping attacks (paper, code)
TZ-DATASHIELD: a compartmentalization framework for protecting sensitive data in embedded systems with ARM TrustZone (paper, code)
GEVisor: a small hypervisor to build a trusted GPU execution environment (paper, code)
T-Slices: trusted deep learning prediction with ARM TrustZone (paper, code)
Vessels: a deep learning framework for confidential prediction using Intel SGX (paper)

Acknowledgments

This project is supported in part by the Electronics and Telecommunications Research Institute, the Texas A&M Engineering Experiment Station on behalf of its SecureAmerica Institute, and the Agency for Defense Development.

current people

Chung Hwan Kim
Faculty

Zelun Kong
PhD student

alumni

Minkyung Park
UNIST

Deeprangshu Pal
Samsung Electronics America

Md Shihabul Islam
Data Security Technologies

Alex Armstrong
Lawrence Livermore National Laboratory

Benjamin Stark
Los Alamos National Laboratory

Vasuki Shankar
Nvidia

publications

DNN Latency Sequencing: Extracting DNN Architectures from Intel SGX Enclaves with Single-Stepping Attacks
Minkyung Park, Zelun Kong, Dave (Jing) Tian, Z. Berkay Celik, and Chung Hwan Kim
In NDSS 2026 [ pdf :: slides :: code :: bibtex ]

TZ-DATASHIELD: Automated Data Protection for Embedded Systems via Data-Flow-Based Compartmentalization
Zelun Kong, Minkyung Park, Le Guan, Ning Zhang, and Chung Hwan Kim
In NDSS 2025 [ pdf :: slides :: code :: bibtex ]

Building GPU TEEs using CPU Secure Enclaves with GEVisor
Xiaolong Wu, Dave (Jing) Tian, and Chung Hwan Kim
In SOCC 2023 [ pdf :: slides :: code :: bibtex ]

Confidential Execution of Deep Learning Inference at the Untrusted Edge with ARM TrustZone
Md Shihabul Islam, Mahmoud Zamani, Chung Hwan Kim, Latifur Khan, and Kevin Hamlen
In CODASPY 2023 [ pdf :: slides :: code :: bibtex ]

Vessels: Efficient and Scalable Deep Learning Prediction on Trusted Processors
Kyungtae Kim, Chung Hwan Kim, Junghwan Rhee, Xiao Yu, Haifeng Chen, Dave (Jing) Tian, and Byoungyoung Lee
In SOCC 2020 [ pdf :: slides :: bibtex ]