Abstract
The ubiquitous adoption of domain-specific acceleration for deep neural networks (DNNs) has exposed them to security threats and memory vulnerabilities. Since performance is critical, DNN accelerators rarely employ high-overhead, authentication-based countermeasures (such as an integrity tree), making them vulnerable to integrity-based memory adversaries [1], [2]. Although recent accelerators incorporate specialized low-overhead integrity solutions, these rely on specific accelerator characteristics, making them incompatible with a processor in a shared secure-memory framework.

In this paper, we introduce FlexTEE, a flexible security framework that dynamically adapts to the runtime characteristics of both processor and DNN accelerator to significantly reduce Bonsai Merkle Tree (BMT)-based integrity overheads for the accelerator. The unique memory access patterns of DNN accelerators, i.e., the strided access patterns caused by accelerator data tiling, lead to frequent metadata accesses from the memory, causing excessive BMT utilization overhead. Leveraging this insight, we propose a novel, processor-transparent metadata address mapping scheme that reorganizes the metadata-data relationship for the accelerator, transforming disjoint metadata accesses into sequential accesses for the encryption engine. This reorganization significantly reduces BMT authentication overhead for DNN accelerators with the same security guarantees. For CPU workloads, FlexTEE achieves comparable performance to conventional processor-TEE implementations with minimal resource overhead. For accelerators, FlexTEE reduces BMT verification costs by up to 87% compared to regular BMT-based accelerators. Additionally, it enhances system throughput by up to 30% on popular DNN models, outperforming state-of-the-art secure accelerators.