ConfidentialML

A privacy-preserving machine learning inference service that runs XGBoost models inside Intel SGX enclaves. Built with Go and EGo, this project demonstrates how to protect both ML models and inference data from unauthorized access—even from the infrastructure operator.

The Problem

Traditional ML deployments face a fundamental trust problem:

• Model owners worry about IP theft when deploying to third-party infrastructure
• Data owners can't verify their sensitive data isn't being logged or exfiltrated
• Infrastructure operators become liability vectors for data breaches

Confidential computing solves this by creating hardware-enforced trust boundaries.

How It Works

┌─────────────────────────────────────────────────────────────┐
│                    SGX Enclave (Trusted)                    │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐  │
│  │   XGBoost   │  │   Sealing   │  │    Attestation      │  │
│  │   Engine    │  │   Service   │  │      Service        │  │
│  └─────────────┘  └─────────────┘  └─────────────────────┘  │
│         ↑               ↑                    ↑              │
│         │               │                    │              │
│  ┌──────┴───────────────┴────────────────────┴───────────┐  │
│  │                    HTTP API                           │  │
│  └───────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────┘
                              ↑
                              │ TLS
                              ↓
                    ┌─────────────────┐
                    │     Clients     │
                    └─────────────────┘

Core Security Features

• Runtime Encryption: All data in enclave memory is encrypted by the CPU
• Sealing: Models encrypted at rest with hardware-derived keys
• Remote Attestation: Cryptographic proof the enclave is running expected code

Project Structure

confidential-ml/
├── cmd/
│   ├── server/          # Enclave server entry point
│   └── client/          # Demo client with attestation
├── internal/
│   ├── api/             # HTTP handlers and types
│   ├── model/           # XGBoost inference engine
│   ├── sealing/         # SGX sealing service
│   └── attestation/     # Remote attestation service
├── scripts/
│   └── train_model.py   # Model training script
├── data/
│   └── iris_model.json  # Pre-trained demo model
├── enclave.json         # EGo enclave configuration
└── Makefile             # Build automation

Quick Start

Prerequisites

• Go 1.21+
• EGo SDK
• Python 3.9+ (for model training)

Build & Run

# Train a model (optional - pre-trained model included)
make train-model

# Build the enclave (simulation mode)
make build-sim

# Run the server
make run-sim

# In another terminal, test with the client
make run-client

API Endpoints

| Endpoint | Method | Description | |-----------------------|--------|------------------------------------| | /health | GET | Health check | | /model/upload | POST | Upload XGBoost model (JSON format) | | /model/predict | POST | Run inference on input features | | /attestation/report | GET | Get SGX attestation report |

Example Usage

Upload a Model

curl -X POST http://localhost:8080/model/upload \
  -H "Content-Type: application/json" \
  -d @data/iris_model.json

Run Inference

curl -X POST http://localhost:8080/model/predict \
  -H "Content-Type: application/json" \
  -d '{"features": [5.1, 3.5, 1.4, 0.2]}'

Response:

{
  "predictions": [0.9939, 0.0041, 0.0020],
  "model_id": "iris-classifier"
}

Verify Attestation

curl http://localhost:8080/attestation/report

Use Cases

This architecture applies to any scenario where you need to process sensitive data with proprietary models:

• Healthcare: Run diagnostic models on patient data without exposing either
• Finance: Credit scoring on encrypted financial records
• Insurance: Risk assessment without revealing actuarial models
• Multi-party ML: Collaborative inference where no party trusts the others

Simulation vs Production

The project runs in simulation mode by default, which doesn't require SGX hardware. For production:

1. Deploy to SGX-enabled hardware (Azure DCsv3, bare metal with SGX)
2. Build with make build instead of make build-sim
3. Sign the enclave with a production key
4. Enable remote attestation verification in clients

Technical Details

XGBoost Integration

Uses xgboost-go for native Go inference. Models trained with Python XGBoost export to JSON format for cross-platform compatibility.

Sealing Implementation

Models are encrypted using SGX sealing with MRENCLAVE policy—only the exact same enclave code can decrypt. This protects against:

• Disk theft
• Unauthorized code modifications
• Rollback attacks (with monotonic counters)

Memory Constraints

SGX enclaves have limited encrypted memory (EPC). The default configuration allocates 512MB heap, suitable for small-to-medium models. Larger models may require:

• EPC paging (performance impact)
• Model quantization
• Ensemble partitioning

Resources

• EGo Documentation
• Intel SGX Developer Guide
• XGBoost JSON Model Format
• Confidential Computing Consortium

License

MIT

---

Built as an educational reference for confidential computing patterns. Not audited for production security.