SLAPP: Poisoning Prevention in Federated Learning and Differential Privacy via Stateful Proofs of Execution
Authors: Norrathep Rattanavipanon; Ivan De Oliveira Nunes
DOI: 10.1109/TIFS.2025.3555179
Journal: IEEE Transactions on Information Forensics and Security, vol. 20, pp. 4167-4182 (Journal Article, published 2025-03-26)
URL: https://ieeexplore.ieee.org/document/10942392/
Abstract: The rise of IoT-driven distributed data analytics, coupled with increasing privacy concerns, has led to a demand for effective privacy-preserving and federated data collection/model training mechanisms. In response, approaches such as Federated Learning (FL) and Local Differential Privacy (LDP) have been proposed and attracted much attention over the past few years. However, they still share the common limitation of being vulnerable to poisoning attacks wherein adversaries compromising edge devices feed forged (a.k.a. "poisoned") data to aggregation back-ends, undermining the integrity of FL/LDP results. In this work, we propose a system-level approach to remedy this issue based on a novel security notion of Proofs of Stateful Execution (PoSX) for IoT/embedded devices' software. To realize the PoSX concept, we design SLAPP: a System-Level Approach for Poisoning Prevention. SLAPP leverages commodity security features of embedded devices, in particular ARM TrustZone-M security extensions, to verifiably bind raw sensed data to their correct usage as part of FL/LDP edge device routines. As a consequence, it offers robust security guarantees against poisoning. Our evaluation, based on real-world prototypes featuring multiple cryptographic primitives and data collection schemes, showcases SLAPP's security and low overhead.
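The abstract states the problem (a compromised edge device can hand the aggregator any "LDP output" it likes, and the aggregator cannot tell) and the shape of the remedy (a trusted on-device routine that binds the raw sensor reading to its correct processing, with a verifiable proof). The following simulation is an added illustration of that idea and is not SLAPP's code or its protocol: it models the secure world as a Python object that alone holds a device key, reads the sensor, runs binary randomized response, and authenticates the tuple (routine identity, aggregator challenge, report) with an HMAC. The HMAC-based proof, the challenge nonce, the routine identifier, the device keys and the epsilon value are all assumptions made here for illustration; the paper's actual PoSX construction on TrustZone-M is only summarized in the abstract.

```python
import hashlib
import hmac
import math
import os
import random

# Illustrative LDP parameter (assumption, not from the paper).
EPSILON = 1.0
P_TRUTH = math.exp(EPSILON) / (1.0 + math.exp(EPSILON))  # prob. of reporting the true bit

# Hypothetical identity of the trusted collection routine (stands in for a code measurement).
TRUSTED_ROUTINE_ID = hashlib.sha256(b"ldp-randomized-response-v1").digest()


def randomized_response(bit, rng):
    """Binary randomized response: keep the true bit with probability P_TRUTH, else flip it."""
    return bit if rng.random() < P_TRUTH else 1 - bit


def estimate_fraction(reports):
    """Unbiased estimate of the fraction of 1s: E[report] = f(2p-1) + (1-p), solved for f."""
    if not reports:
        return 0.0
    mean = sum(reports) / len(reports)
    return (mean - (1.0 - P_TRUTH)) / (2.0 * P_TRUTH - 1.0)


class TrustedCollector:
    """Models the device's secure world: the only holder of the device key. It reads the
    sensor itself, applies the LDP step, and tags (routine id, challenge, report), so a
    tag vouches that *this* report came out of *this* routine for *this* challenge."""

    def __init__(self, device_key, sensor_fn, rng):
        self._key = device_key
        self._sensor = sensor_fn
        self._rng = rng

    def collect(self, challenge):
        raw = self._sensor()  # raw data never leaves the trusted path
        report = randomized_response(raw, self._rng)
        tag = hmac.new(self._key, TRUSTED_ROUTINE_ID + challenge + bytes([report]),
                       hashlib.sha256).digest()
        return report, tag


class Aggregator:
    """Back-end that issues one fresh challenge per device and accepts a report only with a valid tag."""

    def __init__(self, device_keys):
        self._keys = device_keys
        self._outstanding = {}

    def challenge(self, dev_id):
        c = os.urandom(16)
        self._outstanding[dev_id] = c
        return c

    def verify_report(self, dev_id, report, tag):
        c = self._outstanding.pop(dev_id, None)  # single use: replays of an old tag fail
        if c is None or report not in (0, 1) or dev_id not in self._keys:
            return False
        expected = hmac.new(self._keys[dev_id], TRUSTED_ROUTINE_ID + c + bytes([report]),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def simulate_round(true_fraction, n_honest, n_malicious, seed=7):
    """One collection round. Honest devices report through the trusted routine; on malicious
    devices the compromised normal world cannot reach the key, so it pushes report=1 with a
    forged tag. Returns (estimate over verified reports, estimate if nothing were verified,
    number of rejected reports)."""
    rng = random.Random(seed)
    ids = [f"dev{i}" for i in range(n_honest + n_malicious)]
    keys = {d: hashlib.sha256(d.encode()).digest() for d in ids}  # constructed demo keys
    agg = Aggregator(keys)
    accepted, unverified, rejected = [], [], 0
    for i, dev_id in enumerate(ids):
        challenge = agg.challenge(dev_id)
        if i < n_honest:
            truth = 1 if rng.random() < true_fraction else 0
            report, tag = TrustedCollector(keys[dev_id], lambda t=truth: t, rng).collect(challenge)
        else:
            report, tag = 1, hmac.new(b"guessed-key", challenge, hashlib.sha256).digest()
        unverified.append(report)
        if agg.verify_report(dev_id, report, tag):
            accepted.append(report)
        else:
            rejected += 1
    return estimate_fraction(accepted), estimate_fraction(unverified), rejected


if __name__ == "__main__":
    verified, naive, rejected = simulate_round(0.3, 4000, 1000)
    print(f"verified estimate {verified:.3f}, unverified estimate {naive:.3f}, rejected {rejected}")
```

The point the simulation makes is the one the abstract makes: randomized response on its own gives the aggregator no way to distinguish an honest noisy report from a poisoned one, so the unverified estimate drifts toward the attacker's value, while binding each report to a trusted routine and a fresh challenge lets the aggregator drop forged and replayed reports without ever seeing the raw data.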
Journal description:
The IEEE Transactions on Information Forensics and Security covers the sciences, technologies, and applications relating to information forensics, information security, biometrics, surveillance, and systems applications that incorporate these features.