Project description
Making AI Confidential & Transparent
📜 About the project
Introduction
🛠️ BlindLlama makes it easy to use open-source LLMs by using Zero-trust AI APIs that abstract all the complexity of model deployment while ensuring users’ data is never exposed to us thanks to end-to-end protection with secure hardware.
🔐 To provide guarantees to developers that data sent to our managed infrastructure is not exposed, we have developed a Zero-trust architecture to serve AI models.
We currently serve Llama2 but will be making more open-source models available in the near future!
Our backend has two key properties:
- Confidentiality: Your data is never accessible to us. We serve AI models inside hardened environments that do not expose data even to our admins. All points of access, such as SSH, logs, networks, etc., are blocked to ensure the isolation of data.
- Transparency: We provide you with verifiable cryptographic proof that these controls are in place, thanks to the use of Trusted Platform Modules (TPMs).
Warning: BlindLlama is still under development and does not yet have the full set of security features.
Do not test our API with confidential information... yet!
You can follow our progress towards the next beta and 1.0 versions of BlindLlama on our roadmap.
We welcome contributions to our project from the community! Don't hesitate to raise issues on GitHub, reach out to us or see our guide on how to audit BlindLlama (coming soon!).
Architecture
BlindLlama is composed of two main parts:
- An open-source client-side Python SDK that verifies that the remote Zero-trust AI models we serve do guarantee that the data sent is not exposed to us.
- An open-source server that serves models without any exposure to us: the server is hardened, with potential leakage channels from the network to logs removed, and it provides cryptographic proof that those privacy controls are in place using TPMs.
The server combines a hardened AI server with attested TLS using TPMs.
The client performs two main tasks:
- Verifying that the server it communicates with is the expected hardened AI server using attestation.
- Securely sending data to be analyzed by a remote AI model using attested TLS to ensure data is not exposed.
The server has two main tasks:
- It loads a hardened AI server which is inspected to ensure no data is exposed to the outside.
- It serves models using the hardened AI server that can be remotely verified using attestation.
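The attested-TLS pattern described above, as an added illustration that is not BlindLlama's own code: a software-simulated TPM measures an OS image, the AI server binary and the server's TLS certificate into PCRs; the client recomputes the expected PCR values from published digests, checks the quote against a nonce it chose itself, and refuses to send a prompt unless the certificate it sees on the wire is the one bound in the measurements. Everything here is an assumption for the sake of the example: the PCR layout, the component names and digests, and the attestation key, where an HMAC over a shared secret stands in for the asymmetric Attestation Key signature a real TPM would produce.

```python
import hashlib
import hmac
import os

# Constructed example of attested TLS with a simulated TPM. Not BlindLlama code.
# A real TPM signs quotes with an asymmetric Attestation Key (AK) whose public
# half the verifier trusts; HMAC with a shared secret stands in for that signature
# so the example runs offline. The verification logic is otherwise the same.

AK_SECRET = b"simulated-attestation-key"   # stand-in for the TPM's AK (assumption)
PCR_OS, PCR_APP, PCR_TLS = 0, 1, 2         # which register holds what (assumption)
PCR_INITIAL = bytes(32)                    # PCRs start zeroed at boot


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(old: bytes, event_digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = H(old || digest). One-way and
    order-dependent, so a register value can only be reproduced by replaying
    exactly the same sequence of events."""
    return sha256(old + event_digest)


def sign_quote(pcrs, nonce: bytes) -> bytes:
    """Quote = signature over (all PCR values || verifier nonce). The nonce is
    what makes the quote fresh rather than replayable."""
    return hmac.new(AK_SECRET, b"".join(pcrs) + nonce, "sha256").digest()


class AttestedServer:
    """Measures OS image, AI-server binary and TLS certificate into the
    simulated TPM at boot and answers attestation requests."""

    def __init__(self, os_image: bytes, app_binary: bytes, tls_cert_der: bytes):
        self.pcrs = [PCR_INITIAL] * 3
        self._extend(PCR_OS, sha256(os_image))
        self._extend(PCR_APP, sha256(app_binary))
        # Channel binding: the certificate this server terminates TLS with is
        # measured, so a quote vouches for exactly that TLS identity.
        self._extend(PCR_TLS, sha256(tls_cert_der))
        self.tls_cert_der = tls_cert_der

    def _extend(self, index: int, digest: bytes) -> None:
        self.pcrs[index] = pcr_extend(self.pcrs[index], digest)

    def attest(self, nonce: bytes):
        return list(self.pcrs), sign_quote(self.pcrs, nonce)


class AttestationError(Exception):
    pass


def verify_attested_connection(golden, presented_cert_der, pcrs, quote, nonce):
    """Client-side check run before any prompt is sent. `golden` holds the
    published digests of the hardened OS image and AI server the client
    expects; the TLS certificate is whatever the connection presented."""
    # 1. Quote is authentic and answers *our* nonce (no replay of an old quote).
    if not hmac.compare_digest(sign_quote(pcrs, nonce), quote):
        raise AttestationError("quote signature or nonce mismatch")
    # 2. Platform measurements equal the expected hardened stack.
    if pcrs[PCR_OS] != pcr_extend(PCR_INITIAL, golden["os"]):
        raise AttestationError("unexpected OS measurement")
    if pcrs[PCR_APP] != pcr_extend(PCR_INITIAL, golden["app"]):
        raise AttestationError("unexpected AI server measurement")
    # 3. The attested platform is the TLS peer we are actually talking to.
    if pcrs[PCR_TLS] != pcr_extend(PCR_INITIAL, sha256(presented_cert_der)):
        raise AttestationError("TLS certificate not bound to attested platform")
    return True


def run_scenarios():
    """Exercise the check against a genuine server and three failure modes."""
    os_image, app_binary, cert = b"hardened-os-image", b"ai-server-v1", b"DER:server-cert"
    golden = {"os": sha256(os_image), "app": sha256(app_binary)}  # published digests
    results = {}

    def attempt(name, server, presented_cert, nonce=None, quote_nonce=None):
        nonce = nonce or os.urandom(32)
        pcrs, quote = server.attest(quote_nonce or nonce)
        try:
            verify_attested_connection(golden, presented_cert, pcrs, quote, nonce)
            results[name] = "ok"
        except AttestationError as err:
            results[name] = str(err)

    genuine = AttestedServer(os_image, app_binary, cert)
    attempt("genuine", genuine, cert)
    # A modified AI server (say, one that logs prompts) changes PCR_APP.
    attempt("tampered_app", AttestedServer(os_image, b"ai-server-v1+logging", cert), cert)
    # A MITM relays a valid quote from the genuine server but terminates TLS itself.
    attempt("mitm_cert", genuine, b"DER:attacker-cert")
    # A replayed quote was produced for a different nonce than the one we sent.
    attempt("replayed_quote", genuine, cert, nonce=os.urandom(32), quote_nonce=os.urandom(32))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:15s} -> {outcome}")
```

The third check is the one that turns plain remote attestation into attested TLS: without it, a relay could forward a genuine quote while terminating TLS with its own certificate and read every prompt. In a real deployment the client would additionally validate the AK's certificate chain back to the TPM vendor and obtain the golden digests from a signed, published source.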
Trust model
This section explains more precisely which components and parties have to be trusted when using BlindLlama.
To understand better which components and parties are trusted with BlindLlama, let’s start by examining what is trusted with regular AI services.
To do so, we will use the concept of a Trusted Computing Base (TCB), which refers to the set of all hardware, firmware, and software components that are critical to a system's security.
Trusted Computing Base with regular AI providers
We can imagine that an AI provider serves AI APIs to their users using a Cloud infrastructure. Then the parties to be trusted are:
- The AI provider: they provide the software application that is in charge of applying AI models to users' data.
- The Cloud provider: they provide the infrastructure, Hypervisor, VMs and OS, to the AI provider.
- The hardware providers: they provide the lowest physical components, CPU, GPU, TPMs, etc. to the Cloud provider who then manages those to resell infrastructure to the AI providers.
The higher the party in the stack, the closer they are to the data, and the more they are in a position to expose data.
In most scenarios today, there is blind trust in the AI provider: we send data to them without any technical guarantee that they will do what they said they would do. For instance, the AI provider could say they only run inference on data while actually training models on users' data.
Privacy-demanding users who require stronger technical guarantees therefore often choose not to send data to AI providers at all, as they cannot trust them with their confidential data.
Trusted parties with BlindLlama
With BlindLlama, we remove the AI provider from the list of trusted parties. When models are served with BlindLlama, users' data cannot be seen by the AI provider, because the Zero-trust AI infrastructure removes the service/AI provider from the trusted computing base. We can prove such controls are in place using TPM-based attestation.
👩🏻💻 Use cases
BlindLlama is meant to help developers working with sensitive data to easily get started with LLMs by using managed AI APIs that abstract the hardware and software complexity of model deployment while ensuring their data remains unexposed.
Several scenarios can be answered by using BlindLlama, such as:
- Benchmarking the best open-source LLMs against one’s private data to find out which one is the most relevant without having to do any provisioning
- Structuring medical documents
- Analysis or auto-completion of a confidential code base
✅ When should you use BlindLlama?
- You want to get started with LLMs that are complex to deploy, such as Llama 2 70B
- You don’t want to manage that infrastructure as it requires too much time, expertise and/or budget
- You don’t want to expose your data to a third party AI provider that manages the infrastructure for you due to privacy/compliance issues
❌ What is not covered by BlindLlama?
- BlindLlama is simply a drop-in replacement to query a remotely hosted model instead of having to go through complex local deployment. We do not cover training from scratch, but we will cover fine-tuning soon.
- BlindLlama allows you to quickly and securely leverage models which are open-source, such as Llama 2, StarCoder, etc. Proprietary models from OpenAI, Anthropic, and Cohere are not supported yet as we would require them to modify their backend to offer a Zero-trust AI infrastructure like ours.
- BlindLlama’s trust model implies some level of trust in Cloud providers and hardware providers since we leverage secure hardware available and managed by Cloud providers (see our trust model section for more details).
BlindLlama provides virtually the same level of security, privacy, and control as solutions provided by Cloud providers like Azure OpenAI Service.
🚀 Getting started
- Check out our Quick tour, which will enable you to play with an example using the Llama 2 model while ensuring your data remains private and without the hassle of provisioning!
- Find out more about How we protect your data
- Refer to our Concepts guide for more information on key concepts
- Learn more about BlindLlama's design with our BlindLlama 101 guide
📚 Advanced security
We created the BlindLlama whitepaper to cover the architecture and security features behind BlindLlama in greater detail.
The whitepaper is intended for an audience with security expertise.
You can read or download the whitepaper here!
🎯 Roadmap
There are three key milestones planned for the BlindLlama project.
BlindLlama Alpha (non-secure) launch:
The alpha launch of BlindLlama provides an API for the Llama2-70b model which you can query with our Python SDK.
Users can test out and query our API but should not yet send any confidential data to it, as it does not yet have the full implementation of the security features.
The server-side code includes the backbones for our attestation feature (which means we can prove the server is deploying the expected code to end users) but this feature will be fully launched in the following beta phase.
Expected launch date: week ending 08/09/2023
BlindLlama Beta launch:
The beta version adds the full implementation of TPM-based attestation, meaning our API can be fully verified remotely. This version will not yet have full hardening of server-side environment or audit and thus is not yet recommended in production!
Provisional launch date: week ending 06/10/2023
BlindLlama 1.0 audit-ready launch:
A fully-secure version of BlindLlama ready for audit, with a fully hardened server environment.
Provisional launch date: week ending 08/12/2023
You can check out more details about these stages and our progress towards achieving these milestones on our official roadmap.
🦙 Who made BlindLlama?
BlindLlama is developed by Mithril Security, a startup focused on democratizing privacy-friendly AI using secure hardware solutions.
We have already had our first project, BlindAI, an open-source Rust inference server that deploys ONNX models on Intel SGX secure enclaves, audited by Quarkslab.
BlindLlama builds on the foundations of BlindAI but provides much faster performance and focuses on serving managed models directly to developers instead of helping AI engineers to deploy models.
📇 Contact
Download files
File details
Details for the file blind_llama-0.1.3.tar.gz.
File metadata
- Download URL: blind_llama-0.1.3.tar.gz
- Upload date:
- Size: 22.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.6.1 CPython/3.10.12 Linux/5.15.0-78-generic
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | f2d5a53016d0ffb7b8ef9acd4c287a71abffebd59fa393bd345c72ab083b912c |
| MD5 | 86f894ef99945fd42650f2d87dfe6f8a |
| BLAKE2b-256 | 1acab0dce0b6402b2dc22b317dac2bc68a362c9c5ae9a0cf6ac145dbf6e82a6f |
File details
Details for the file blind_llama-0.1.3-py3-none-any.whl.
File metadata
- Download URL: blind_llama-0.1.3-py3-none-any.whl
- Upload date:
- Size: 19.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.6.1 CPython/3.10.12 Linux/5.15.0-78-generic
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 5640c4380684d84be013cc71b5f03575f4eba6f7a63f9548952e74e1e67449a2 |
| MD5 | e124ddd5d444bfa975bdc7dd957d53bd |
| BLAKE2b-256 | 8b263485075047f174d581e108019ed01882948852b2284c11447c60950ddb29 |
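Neither distribution was uploaded with Trusted Publishing, so the digests above are what a consumer has to pin against. The following is an added example, not part of the blind_llama package: it checks a downloaded sdist or wheel against the SHA-256 values published on this page and emits a hash-pinned requirements line for `pip install --require-hashes`. The file contents used in `self_check` are constructed for the demonstration and are not the real artifacts; the function and variable names are the example's own.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Added example, not blind_llama code. The digests are the SHA-256 values
# published on this page for the 0.1.3 sdist and wheel.
PUBLISHED_SHA256 = {
    "blind_llama-0.1.3.tar.gz":
        "f2d5a53016d0ffb7b8ef9acd4c287a71abffebd59fa393bd345c72ab083b912c",
    "blind_llama-0.1.3-py3-none-any.whl":
        "5640c4380684d84be013cc71b5f03575f4eba6f7a63f9548952e74e1e67449a2",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large wheels never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, published=PUBLISHED_SHA256):
    """True only if the artifact's SHA-256 equals the published digest for its
    filename. Unknown filenames raise rather than being silently accepted."""
    name = Path(path).name
    if name not in published:
        raise ValueError(f"no published digest for {name}")
    return hmac.compare_digest(sha256_file(path), published[name])


def hash_pinned_requirement(project="blind_llama", version="0.1.3",
                            published=PUBLISHED_SHA256):
    """One line for a requirements file used with
    `pip install --require-hashes -r requirements.txt`; pip then refuses any
    artifact whose SHA-256 is not listed, including a re-uploaded 0.1.3."""
    hashes = " ".join(f"--hash=sha256:{d}" for d in published.values())
    return f"{project}=={version} {hashes}"


def self_check():
    """Offline demonstration on a constructed file (not a real download): a
    file carrying the sdist's name but different content must be rejected
    against the published digest, and accepted only against its own."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "blind_llama-0.1.3.tar.gz")
        content = b"constructed, not the real sdist"
        with open(fake, "wb") as fh:
            fh.write(content)
        actual = hashlib.sha256(content).hexdigest()
        return {
            "rejected_against_published": verify_download(fake) is False,
            "accepted_against_own_digest": verify_download(
                fake, {"blind_llama-0.1.3.tar.gz": actual}) is True,
            "streamed_digest_matches": sha256_file(fake) == actual,
        }


if __name__ == "__main__":
    print(hash_pinned_requirement())
    print(self_check())
```

With `--require-hashes`, pip insists that every package in the requirements file, dependencies included, carries a hash, so the same treatment has to be applied to the SDK's dependencies. The MD5 column on this page is not a substitute: MD5 is collision-broken and pip will not accept it under `--require-hashes`.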