AI and machine learning systems are increasingly deployed in cloud environments where they face threats to both the confidentiality of models and data, and the integrity of their computations. This project focuses on securing AI systems through a systems perspective — combining trusted execution environments (TEEs), hardware-based isolation, and principled security architectures.
Our work spans several complementary directions: we developed practical frameworks for privacy-preserving machine learning using Intel SGX, enabling unmodified PyTorch applications to run with encrypted models and data in untrusted clouds. We extended this to foundation model deployments, demonstrating less than 10% overhead for full Llama 2 inference pipelines inside Intel SGX and TDX enclaves. We systematically analyzed the threat landscape of compound AI systems — multi-component pipelines combining foundation models with retrieval, tool use, and agents — identifying how software-hardware attack gadgets can be composed for adversarial threat amplification. To address model supply chain integrity, we developed techniques for verifying model integrity and accuracy within trusted execution environments, and proposed endorsement services that enable dynamic discovery and attestation of trusted AI services.
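The last two sentences above describe binding a model's identity to a TEE attestation so that a client can check both the enclave code and the model it serves before trusting an inference result. The following is an added illustration, not code from this project: it simulates a quote with an HMAC in place of a real SGX/TDX quote signature, uses constructed measurements, keys and model bytes, and shows the three checks a client makes (quote signature, enclave measurement against an allowlist, and report data bound to the expected model hash and serving policy). In a real deployment the signature check is the vendor's quote verification chain and the allowlist would be supplied by an endorsement service of the kind mentioned above.

```python
"""
Toy attestation check for a TEE-hosted model service (constructed example).

The quote format, the platform key and the measurements below are stand-ins
for a real SGX/TDX quote and the platform's quoting key; they exist only to
make the verification logic concrete and runnable offline.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Stand-in for the key held by the platform's quoting enclave (assumption).
_PLATFORM_KEY = b"constructed-platform-key-do-not-use"


@dataclass(frozen=True)
class Quote:
    measurement: str  # hex digest of the enclave code (MRENCLAVE-like)
    report_data: str  # hex of user data the enclave bound into the quote
    signature: str    # HMAC over measurement || report_data by the platform


def model_binding(model_bytes: bytes, policy: dict) -> str:
    """Hash the model weights together with the serving policy, so the quote
    attests to *what* is served, not only to *which* enclave code runs."""
    canonical_policy = json.dumps(policy, sort_keys=True,
                                  separators=(",", ":")).encode()
    return hashlib.sha256(hashlib.sha256(model_bytes).digest()
                          + canonical_policy).hexdigest()


def _platform_mac(measurement: str, report_data: str) -> str:
    msg = bytes.fromhex(measurement) + bytes.fromhex(report_data)
    return hmac.new(_PLATFORM_KEY, msg, hashlib.sha256).hexdigest()


def enclave_generate_quote(measurement: str, report_data: str) -> Quote:
    """Simulates the enclave asking the platform to sign its measurement
    together with the report data it chose (here: the model binding)."""
    return Quote(measurement, report_data, _platform_mac(measurement, report_data))


def verify_quote(quote: Quote, allowed_measurements: set[str],
                 expected_model_bytes: bytes, expected_policy: dict) -> tuple[bool, str]:
    """Client-side check, in order: signature, code identity, model binding."""
    if not hmac.compare_digest(_platform_mac(quote.measurement, quote.report_data),
                               quote.signature):
        return False, "signature invalid"
    if quote.measurement not in allowed_measurements:
        return False, "unknown enclave measurement"
    expected = model_binding(expected_model_bytes, expected_policy)
    if not hmac.compare_digest(quote.report_data, expected):
        return False, "report data does not match expected model/policy"
    return True, "ok"


# Constructed sample values for a stand-alone run.
GOOD_MEASUREMENT = hashlib.sha256(b"inference-enclave-v1").hexdigest()
MODEL_BYTES = b"constructed model weights"
POLICY = {"model": "demo-model", "max_tokens": 512}


def demo() -> dict:
    """Runs the happy path and two failure cases; returns the verdicts."""
    allow = {GOOD_MEASUREMENT}
    good = enclave_generate_quote(GOOD_MEASUREMENT, model_binding(MODEL_BYTES, POLICY))
    swapped_model = enclave_generate_quote(GOOD_MEASUREMENT,
                                           model_binding(b"other weights", POLICY))
    unknown_code = enclave_generate_quote(hashlib.sha256(b"unknown").hexdigest(),
                                          model_binding(MODEL_BYTES, POLICY))
    return {
        "good": verify_quote(good, allow, MODEL_BYTES, POLICY),
        "swapped_model": verify_quote(swapped_model, allow, MODEL_BYTES, POLICY),
        "unknown_code": verify_quote(unknown_code, allow, MODEL_BYTES, POLICY),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The order of checks matters: the signature is verified before anything else is read from the quote, the measurement identifies the enclave code, and only then is the report data compared, because report data is meaningful only once the quote is known to come from trusted code on a genuine platform.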