Verifiable and Confidential DNN Inference on Low-End Edge Devices

📅 2026-06-05
📈 Citations: 0
✨ Influential: 0
🤖 AI Summary
This work addresses the challenge of simultaneously ensuring model confidentiality and result verifiability in deep neural network inference on resource-constrained edge devices, where existing solutions are often hindered by an overly large trusted computing base (TCB) or insufficient security guarantees. To overcome these limitations, the authors propose VECODI, a novel framework featuring SHANGRI-LA, an intermediate execution abstraction situated between ARM TrustZone-M's secure and non-secure worlds. This design leverages a minimal, application-agnostic secure world to jointly enforce both confidentiality and verifiability, substantially reducing the TCB. Implemented on the NUCLEO-L552ZE-Q development board, the prototype demonstrates low memory footprint, minimal runtime overhead, and strong security properties, making it well-suited for deployment in low-end edge environments.
📝 Abstract
Deploying deep neural network (DNN) inference on low-end edge devices raises two key challenges: protecting model confidentiality against a potentially compromised edge system and enabling verifiable inference without incurring prohibitive overhead. Existing approaches either house partial models and inference software within trusted execution environments (TEEs), resulting in high cost and an application-dependent trusted computing base (TCB), or execute in untrusted environments, providing little security. In this work, we present VECODI, a framework for verifiable and confidential DNN inference on constrained edge devices. At its core, VECODI introduces SHANGRI-LA, a new execution abstraction on TrustZone-M TEEs that establishes a third runtime environment with privileges strictly between the Secure and Non-Secure Worlds. VECODI leverages SHANGRI-LA to execute untrusted inference code in the Non-Secure World while using minimal application-agnostic Secure-World support to protect model confidentiality and enable verifiability (with respect to proper execution of inference code and model parameters) of inference results. We realize VECODI on a real-world NUCLEO-L552ZE-Q development board and open-source its prototype. Our results show VECODI's small TCB, memory footprint, and runtime overhead, making it a practical option for secure inference in low-end edge devices.
Problem

Research questions and friction points this paper is trying to address.

DNN inference
model confidentiality
verifiable inference
edge devices
trusted execution environment
Innovation

Methods, ideas, or system contributions that make the work stand out.

Verifiable Inference
Confidential DNN
TrustZone-M
SHANGRI-LA
Edge Security