Refinement of static analysis of program code
US-11200144-B1 · Dec 14, 2021 · US
US11423142B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11423142-B2 |
| Application number | US-201916693710-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 25, 2019 |
| Priority date | Dec 6, 2018 |
| Publication date | Aug 23, 2022 |
| Grant date | Aug 23, 2022 |
Official abstract text for this publication.
A method for implementing confidential machine learning with program compartmentalization includes implementing a development stage to design an ML program, including annotating source code of the ML program to generate an ML program annotation, performing program analysis based on the development stage, including compiling the source code of the ML program based on the ML program annotation, inserting binary code based on the program analysis, including inserting run-time code into a confidential part of the ML program and a non-confidential part of the ML program, and generating an ML model by executing the ML program with the inserted binary code to protect the confidentiality of the ML model and the ML program from attack.
Opening claim text (preview).
What is claimed is:
1. A computer-implemented method for implementing confidential machine learning (ML) with program compartmentalization, comprising: implementing a development stage to design an ML program, including annotating source code of the ML program to generate an ML program annotation; performing program analysis based on the development stage, including compiling the source code of the ML program based on the ML program annotation, the program analysis further comprising identifying confidential code and data for loading on an enclave for confidential execution of the ML model by performing lexical and syntax analysis and by identifying a set of program statements upon which annotated confidential program statements are dependent as a confidential part of the program based on edges of a control and data dependency graph; inserting binary code based on the program analysis, including inserting run-time code into a confidential part of the ML program and a non-confidential part of the ML program; and generating an ML model by executing the ML program with the inserted binary code to protect the confidentiality of the ML model and the ML program from attack.
2. The method of claim 1, wherein the ML program annotation informs a compiler regarding which statements need confidentiality protection.
3. The method of claim 1, wherein the ML model is generated in a binary format for training or deployment on one or more computing devices.
4. The method of claim 1, wherein performing the program analysis further includes: identifying communication channels across a boundary of the enclave; and determining one or more of the communication channels that need confidentiality protection, wherein less than all of the communication channels are determined to need confidentiality protection.
5. The method of claim 4, wherein the communication channels include control and data paths.
6. The method of claim 4, wherein the run-time code securely launches the enclave with the confidential part in isolation from the non-confidential part, and wherein inserting the binary code further include inserting additional run-time code into the communication channels to enable secure communication.
7. The method of claim 4, further comprising partitioning the ML program into the confidential part and the non-confidential part.
8. A computer program product comprising a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform a method for implementing confidential machine learning with program compartmentalization, the method performed by the computer comprising: implementing a development stage to design an ML program, including annotating source code of the ML program to generate an ML program annotation; performing program analysis based on the development stage, including compiling the source code of the ML program based on the ML program annotation, the program analysis further comprising identifying confidential code and data for loading on an enclave for confidential execution of the ML model by performing lexical and syntax analysis and by identifying a set of program statements upon which annotated confidential program statements are dependent as a confidential part of the program based on edges of a control and data dependency graph; inserting binary code based on the program analysis, including inserting run-time code into a confidential part of the ML program and a non-confidential part of the ML program; and generating an ML model by executing the ML program with the inserted binary code to protect the confidentiality of the ML model and the ML program from attack.
9. The computer program product of claim 8, wherein the ML program annotation informs a compiler regarding which statements need confidentiality protection.
10. The computer program product of claim 8, wherein the ML model is generated in a binary format for training or deployment on one or more computing devices.
11. The computer program product of claim 8, wherein performing the program analysis further includes: identifying communication channels across a boundary of the enclave; and determining one or more of the communication channels that need confidentiality protection, wherein less than all of the communication channels are determined to need confidentiality protection.
12. The computer program product of claim 11, wherein the communication channels include control and data paths.
13. The computer program product of claim 11, wherein the run-time code securely launches the enclave with the confidential part in isolation from the non-confidential part, and wherein inserting the binary code further include inserting additional run-time code into the communication channels to enable secure communication.
14. The computer program product of claim 11, wherein the method further includes partitioning the ML program into the confidential part and the non-confidential part.
15. A system for implementing confidential machine learning with program compartmentalization, comprising: a memory device having program code stored thereon; and at least one processor device operatively coupled to the memory device and configured to execute program code stored on the memory device to: implement a development stage to design an ML program by annotating source code of the ML program to generate an ML program annotation; perform program analysis based on the development stage by compiling the source code of the ML program based on the ML program annotation, the program analysis further comprising identifying confidential code and data for loading on an enclave for confidential execution of the ML model by performing lexical and syntax analysis and by identifying a set of program statements upon which annotated confidential program statements are dependent as a confidential part of the program based on edges of a control and data dependency graph; insert binary code based on the program analysis by inserting run-time code into a confidential part of the ML program and a non-confidential part of the ML program; and generate an ML model by executing the ML program with the inserted binary code to protect the confidentiality of the ML model and the ML program from attack.
16. The system of claim 15, wherein the ML program annotation informs a compiler regarding which statements need confidentiality protection.
17. The system of claim 15, wherein the ML model is generated in a binary format for training or deployment on one or more computing devices.
18. The system of claim 15, wherein the at least one processor device is further configured to perform the program analysis by: identifying communication channels across a boundary of the enclave; and determining one or more of the communication channels that need confidentiality protection, wherein less than all of the communication channels are determined to need confidentiality protection.
19. The system of claim 18, wherein the communication channels include control and data paths.
20. The system of claim 18, wherein: the at least one processor device is further configured to execute program code stored on the memory device to partition the ML program into the confidential part and the non-confidential part; the run-time code securely launches the enclave with the confidential part in isolation from the non-confidential part; and the at least one processor device is further
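Claims 1 and 4 describe taking the statements that annotated confidential statements depend on (via edges of a control and data dependency graph) as the enclave part, then finding the channels that cross the enclave boundary and protecting only some of them. The sketch below is an added illustration, not code from the patent: the statement names, the edges, and the rule used to decide which channels need protection are all assumptions made for the example.

```python
# Added example: statement names, edges and the protection policy are constructed.
from collections import defaultdict

# Edge (src, dst, kind): dst depends on src; kind is a "data" or "control" path.
EDGES = [
    ("parse_args", "load_data", "data"),
    ("parse_args", "log_config", "data"),
    ("load_data", "train_step", "data"),
    ("init_weights", "train_step", "data"),
    ("epoch_loop", "train_step", "control"),
    ("epoch_loop", "print_progress", "control"),
    ("train_step", "weights", "data"),
    ("weights", "export_model", "data"),
    ("train_step", "report_loss", "data"),
]
ANNOTATED = {"train_step", "weights"}  # statements the developer marked confidential


def reach(starts, edges, forward):
    """Transitive closure over dependency edges, forward or backward."""
    adj = defaultdict(set)
    for src, dst, _ in edges:
        a, b = (src, dst) if forward else (dst, src)
        adj[a].add(b)
    seen, stack = set(starts), list(starts)
    while stack:
        for nxt in adj[stack.pop()] - seen:
            seen.add(nxt)
            stack.append(nxt)
    return seen


def partition(edges, annotated):
    """Confidential part = annotated statements plus everything they depend on."""
    nodes = {n for s, d, _ in edges for n in (s, d)}
    confidential = reach(annotated, edges, forward=False)
    return confidential, nodes - confidential


def boundary_channels(edges, annotated):
    """Map each edge crossing the enclave boundary to True if it needs protection."""
    confidential, _ = partition(edges, annotated)
    tainted = reach(annotated, edges, forward=True)  # derived from annotated code
    channels = {}
    for src, dst, kind in edges:
        if (src in confidential) != (dst in confidential):
            # Assumed policy: protect data paths carrying values derived from annotated code.
            channels[(src, dst, kind)] = kind == "data" and src in tainted
    return channels
```

On this constructed graph four edges cross the boundary and two of them are marked for protection, which matches the "less than all" wording of claim 4 under the assumed policy.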
Structural analysis for program understanding · CPC title
Machine learning · CPC title
by adding security routines or objects to programs · CPC title
Encoding · CPC title
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title