Chenxu Wang (Research Institute of Trustworthy Autonomous Systems, Southern University of Science and Technology, China, Department of Computer Science and Engineering, Southern University of Science and Technology, China and Department of Computing, The Hong Kong Polytechnic University, China), Junjie Huang (Department of Computer Science and Engineering, Southern University of Science and Technology, China), Yujun Liang (Department of Computer Science and Engineering, Southern University of Science and Technology, China), Xuanyao Peng (Department of Computer Science and Engineering, Southern University of Science and Technology, China and University of Chinese Academy of Sciences, China), Yuqun Zhang (Department of Computer Science and Engineering, Southern University of Science and Technology, China), Fengwei Zhang (Department of Computer Science and Engineering, Southern University of Science and Technology, China and Research Institute of Trustworthy Autonomous Systems, Southern University of Science and Technology, China), Jiannong Cao (Department of Computing, The Hong Kong Polytechnic University, China), Hang Lu (University of Chinese Academy of Sciences, China), Rui Hou (State Key Laboratory of Cyberspace Security Defense, IIE, Chinese Academy of Sciences, China and University of Chinese Academy of Sciences, China), Shoumeng Yan (Ant Group), Tao Wei (Ant Group), Zhengyu He (Ant Group)

The accelerator trusted execution environment (TEE) is a popular technique that provides strong confidentiality, integrity, and isolation protection for sensitive data/code in accelerators. However, most studies are designed for a specific CPU or accelerator and thus lack generalizability. Recent TEE surveys partially summarize the threats and protections of accelerator computing, but they have yet to provide a guide to building an accelerator TEE or compare the pros and cons of their security solutions. In this paper, we provide a holistic analysis of accelerator TEEs over the years. We outline a typical framework for building an accelerator TEE and summarize the widely used attack vectors, ranging from software to physical attacks. Furthermore, we provide a systematization of the accelerator TEE's three major security mechanisms: (1) access control, (2) memory encryption/decryption, and (3) attestation. For each aspect, we compare the varied security solutions in existing studies and summarize their insights. Lastly, we analyze the factors that influence TEE deployment on real-world platforms, especially the trusted computing base (TCB) and compatibility issues.
