{"id":"https://openalex.org/W7125772191","doi":"https://doi.org/10.3390/jcp6010023","title":"Trusted Yet Flexible: High-Level Runtimes for Secure ML Inference in TEEs","display_name":"Trusted Yet Flexible: High-Level Runtimes for Secure ML Inference in TEEs","publication_year":2026,"publication_date":"2026-01-27","ids":{"openalex":"https://openalex.org/W7125772191","doi":"https://doi.org/10.3390/jcp6010023"},"language":"en","primary_location":{"id":"doi:10.3390/jcp6010023","is_oa":true,"landing_page_url":"https://doi.org/10.3390/jcp6010023","pdf_url":"https://www.mdpi.com/2624-800X/6/1/23/pdf","source":{"id":"https://openalex.org/S4210232532","display_name":"Journal of Cybersecurity and Privacy","issn_l":"2624-800X","issn":["2624-800X"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310310987","host_organization_name":"Multidisciplinary Digital Publishing Institute","host_organization_lineage":["https://openalex.org/P4310310987"],"host_organization_lineage_names":["Multidisciplinary Digital Publishing Institute"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Cybersecurity and Privacy","raw_type":"journal-article"},"type":"article","indexed_in":["crossref","doaj"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://www.mdpi.com/2624-800X/6/1/23/pdf","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5123956623","display_name":"Nikolaos-Achilleas Steiakakis","orcid":null},"institutions":[{"id":"https://openalex.org/I142617266","display_name":"University of Crete","ror":"https://ror.org/00dr28g20","country_code":"GR","type":"education","lineage":["https://openalex.org/I142617266"]}],"countries":["GR"],"is_corresponding":false,"raw_author_name":"Nikolaos-Achilleas Steiakakis","raw_affiliation_strings":["Department of Computer Science, University of Crete, Voutes Campus, 70013 Heraklion, Greece"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Department of Computer Science, University of Crete, Voutes Campus, 70013 Heraklion, Greece","institution_ids":["https://openalex.org/I142617266"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5012410630","display_name":"Giorgos Vasiliadis","orcid":"https://orcid.org/0000-0001-5470-4714"},"institutions":[{"id":"https://openalex.org/I28710699","display_name":"Hellenic Mediterranean University","ror":"https://ror.org/039ce0m20","country_code":"GR","type":"education","lineage":["https://openalex.org/I28710699"]},{"id":"https://openalex.org/I8901234","display_name":"Foundation for Research and Technology Hellas","ror":"https://ror.org/052rphn09","country_code":"GR","type":"facility","lineage":["https://openalex.org/I8901234"]}],"countries":["GR"],"is_corresponding":false,"raw_author_name":"Giorgos Vasiliadis","raw_affiliation_strings":["Department of Management Science and Technology, Hellenic Mediterranean University, 72100 Agios Nikolaos, Greece","Institute of Computer Science, FORTH (Foundation for Research & Technology\u2013Hellas), 70013 Heraklion, Greece"],"raw_orcid":"https://orcid.org/0000-0001-5470-4714","affiliations":[{"raw_affiliation_string":"Department of Management Science and Technology, Hellenic Mediterranean University, 72100 Agios Nikolaos, Greece","institution_ids":["https://openalex.org/I28710699"]},{"raw_affiliation_string":"Institute of Computer Science, FORTH (Foundation for Research & Technology\u2013Hellas), 70013 Heraklion, Greece","institution_ids":["https://openalex.org/I8901234"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":2,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":{"value":1000,"currency":"CHF","value_usd":1082},"apc_paid":{"value":1000,"currency":"CHF","value_usd":1082},"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.11032579,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"6","issue":"1","first_page":"23","last_page":"23"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.8392000198364258,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.8392000198364258,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11986","display_name":"Scientific Computing and Data Management","score":0.033399999141693115,"subfield":{"id":"https://openalex.org/subfields/1802","display_name":"Information Systems and Management"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.031599998474121094,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/inference","display_name":"Inference","score":0.6654999852180481},{"id":"https://openalex.org/keywords/cloud-computing","display_name":"Cloud computing","score":0.5990999937057495},{"id":"https://openalex.org/keywords/confidentiality","display_name":"Confidentiality","score":0.5436999797821045},{"id":"https://openalex.org/keywords/software-deployment","display_name":"Software deployment","score":0.4375999867916107},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.3928999900817871},{"id":"https://openalex.org/keywords/inference-engine","display_name":"Inference engine","score":0.3862000107765198},{"id":"https://openalex.org/keywords/data-integrity","display_name":"Data integrity","score":0.3693000078201294},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.35109999775886536},{"id":"https://openalex.org/keywords/cryptography","display_name":"Cryptography","score":0.34790000319480896}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8610000014305115},{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.6654999852180481},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.5990999937057495},{"id":"https://openalex.org/C71745522","wikidata":"https://www.wikidata.org/wiki/Q2476929","display_name":"Confidentiality","level":2,"score":0.5436999797821045},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.48190000653266907},{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.4375999867916107},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.4075999855995178},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.3928999900817871},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.3926999866962433},{"id":"https://openalex.org/C46743427","wikidata":"https://www.wikidata.org/wiki/Q1341685","display_name":"Inference engine","level":3,"score":0.3862000107765198},{"id":"https://openalex.org/C33762810","wikidata":"https://www.wikidata.org/wiki/Q461671","display_name":"Data integrity","level":2,"score":0.3693000078201294},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.35109999775886536},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.34790000319480896},{"id":"https://openalex.org/C43521106","wikidata":"https://www.wikidata.org/wiki/Q2165493","display_name":"Pipeline (software)","level":2,"score":0.32839998602867126},{"id":"https://openalex.org/C70388272","wikidata":"https://www.wikidata.org/wiki/Q5968558","display_name":"IBM","level":2,"score":0.31290000677108765},{"id":"https://openalex.org/C12725497","wikidata":"https://www.wikidata.org/wiki/Q810247","display_name":"Baseline (sea)","level":2,"score":0.3034999966621399},{"id":"https://openalex.org/C519991488","wikidata":"https://www.wikidata.org/wiki/Q28865","display_name":"Python (programming language)","level":2,"score":0.30059999227523804},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.29989999532699585},{"id":"https://openalex.org/C2776831232","wikidata":"https://www.wikidata.org/wiki/Q966812","display_name":"Trusted Computing","level":2,"score":0.29649999737739563},{"id":"https://openalex.org/C198370458","wikidata":"https://www.wikidata.org/wiki/Q586459","display_name":"Type inference","level":3,"score":0.2856999933719635},{"id":"https://openalex.org/C147346212","wikidata":"https://www.wikidata.org/wiki/Q5492632","display_name":"Trusted computing base","level":4,"score":0.2833999991416931},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.2809999883174896},{"id":"https://openalex.org/C153180980","wikidata":"https://www.wikidata.org/wiki/Q19776675","display_name":"Commit","level":2,"score":0.27000001072883606},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.25870001316070557},{"id":"https://openalex.org/C129916263","wikidata":"https://www.wikidata.org/wiki/Q1141183","display_name":"Backward chaining","level":4,"score":0.2574999928474426},{"id":"https://openalex.org/C33884865","wikidata":"https://www.wikidata.org/wiki/Q1254335","display_name":"Cryptographic protocol","level":3,"score":0.2558000087738037},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.25380000472068787}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.3390/jcp6010023","is_oa":true,"landing_page_url":"https://doi.org/10.3390/jcp6010023","pdf_url":"https://www.mdpi.com/2624-800X/6/1/23/pdf","source":{"id":"https://openalex.org/S4210232532","display_name":"Journal of Cybersecurity and Privacy","issn_l":"2624-800X","issn":["2624-800X"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310310987","host_organization_name":"Multidisciplinary Digital Publishing Institute","host_organization_lineage":["https://openalex.org/P4310310987"],"host_organization_lineage_names":["Multidisciplinary Digital Publishing Institute"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Cybersecurity and Privacy","raw_type":"journal-article"},{"id":"pmh:oai:doaj.org/article:77c318ecdccc4d6d8749d1785b56427c","is_oa":false,"landing_page_url":"https://doaj.org/article/77c318ecdccc4d6d8749d1785b56427c","pdf_url":null,"source":{"id":"https://openalex.org/S4306401280","display_name":"DOAJ (DOAJ: Directory of Open Access Journals)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Journal of Cybersecurity and Privacy, Vol 6, Iss 1, p 23 (2026)","raw_type":"article"}],"best_oa_location":{"id":"doi:10.3390/jcp6010023","is_oa":true,"landing_page_url":"https://doi.org/10.3390/jcp6010023","pdf_url":"https://www.mdpi.com/2624-800X/6/1/23/pdf","source":{"id":"https://openalex.org/S4210232532","display_name":"Journal of Cybersecurity and Privacy","issn_l":"2624-800X","issn":["2624-800X"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310310987","host_organization_name":"Multidisciplinary Digital Publishing Institute","host_organization_lineage":["https://openalex.org/P4310310987"],"host_organization_lineage_names":["Multidisciplinary Digital Publishing Institute"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Cybersecurity and Privacy","raw_type":"journal-article"},"sustainable_development_goals":[{"score":0.6419376134872437,"display_name":"Industry, innovation and infrastructure","id":"https://metadata.un.org/sdg/9"}],"awards":[{"id":"https://openalex.org/G4108230744","display_name":null,"funder_award_id":"101120726","funder_id":"https://openalex.org/F4320320300","funder_display_name":"European Commission"}],"funders":[{"id":"https://openalex.org/F4320320300","display_name":"European Commission","ror":"https://ror.org/00k4n6c32"}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W7125772191.pdf","grobid_xml":"https://content.openalex.org/works/W7125772191.grobid-xml"},"referenced_works_count":12,"referenced_works":["https://openalex.org/W2606882085","https://openalex.org/W2795435272","https://openalex.org/W2904364493","https://openalex.org/W2979832172","https://openalex.org/W2982827547","https://openalex.org/W3001001866","https://openalex.org/W3033350094","https://openalex.org/W3113852572","https://openalex.org/W4223560074","https://openalex.org/W4385412355","https://openalex.org/W4389279156","https://openalex.org/W4394804988"],"related_works":[],"abstract_inverted_index":{"Machine":[0],"learning":[1],"inference":[2,36,104,140,198],"is":[3,199],"increasingly":[4],"deployed":[5],"on":[6,45,175],"shared":[7],"and":[8,15,56,85,131,146,153,170,201,212,219],"cloud":[9],"infrastructures,":[10],"where":[11],"both":[12],"user":[13],"inputs":[14],"model":[16,124,133,143],"parameters":[17],"are":[18,72],"highly":[19],"sensitive.":[20],"Confidential":[21],"computing":[22],"promises":[23],"to":[24,49,58,80],"protect":[25],"these":[26],"assets":[27],"using":[28],"Trusted":[29],"Execution":[30],"Environments":[31],"(TEEs),":[32],"yet":[33],"existing":[34],"TEE-based":[35],"systems":[37],"remain":[38],"fundamentally":[39],"constrained:":[40],"they":[41],"rely":[42],"almost":[43],"exclusively":[44],"low-level,":[46],"memory-unsafe":[47],"languages":[48],"enforce":[50],"confinement,":[51],"sacrificing":[52],"developer":[53,217],"productivity,":[54],"portability,":[55],"access":[57],"modern":[59],"ML":[60,103],"ecosystems.":[61],"At":[62],"the":[63,100,204],"same":[64],"time,":[65],"mainstream":[66],"high-level":[67,185],"runtimes,":[68],"such":[69],"as":[70],"Python,":[71],"widely":[73],"considered":[74],"incompatible":[75],"with":[76,150,209],"enclave":[77],"execution":[78,130],"due":[79],"their":[81],"large":[82],"memory":[83],"footprints":[84],"unsafe":[86],"model-loading":[87],"mechanisms":[88],"that":[89,106,161,183,195],"permit":[90],"arbitrary":[91],"code":[92,129],"execution.":[93,137],"To":[94],"bridge":[95],"this":[96],"gap,":[97],"we":[98],"present":[99],"first":[101],"Python-based":[102,196],"system":[105],"executes":[107],"entirely":[108],"inside":[109],"Intel":[110],"SGX":[111],"enclaves":[112],"while":[113,215],"safely":[114],"supporting":[115],"untrusted":[116,207],"third-party":[117],"models.":[118],"Our":[119,157],"design":[120],"enforces":[121],"standardized,":[122],"declarative":[123],"representations":[125],"(ONNX),":[126],"eliminating":[127],"deserialization-time":[128],"confining":[132],"behavior":[134],"through":[135],"interpreter-mediated":[136],"The":[138],"entire":[139],"pipeline":[141],"(including":[142],"loading,":[144],"execution,":[145],"I/O)":[147],"remains":[148],"enclave-resident,":[149],"cryptographic":[151],"protection":[152],"integrity":[154,213],"verification":[155],"throughout.":[156],"experimental":[158],"results":[159],"show":[160],"Python":[162],"incurs":[163],"modest":[164],"overheads":[165],"for":[166],"small":[167],"models":[168,208],"(\u224817%)":[169],"outperforms":[171],"a":[172],"low-level":[173],"baseline":[174],"larger":[176],"workloads":[177],"(97%":[178],"vs.":[179],"265%":[180],"overhead),":[181],"demonstrating":[182],"enclave-resident":[184],"runtimes":[186],"can":[187],"achieve":[188],"competitive":[189],"performances.":[190],"Overall,":[191],"our":[192],"findings":[193],"indicate":[194],"TEE":[197],"practical":[200],"secure,":[202],"enabling":[203],"deployment":[205],"of":[206],"strong":[210],"confidentiality":[211],"guarantees":[214],"maintaining":[216],"productivity":[218],"ecosystem":[220],"advantages.":[221]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-01-28T00:00:00"}