Poisoning Prevention in Federated Learning and Differential Privacy via Stateful Proofs of Execution

📅 2024-04-10
🏛️ arXiv.org
📈 Citations: 0
Influential: 0
🤖 AI Summary
To address data poisoning attacks targeting IoT edge devices in federated learning (FL) and local differential privacy (LDP), this paper proposes the first system-level defense mechanism based on stateful execution proofs (PoSX). It integrates the ARM TrustZone-M trusted execution environment with cryptographic primitives (digital signatures, cryptographic hashing, and remote attestation) to establish a verifiable binding between sensed data and their FL/LDP execution context. The mechanism enables lightweight remote attestation and shows strong robustness on a real-world prototype: verification overhead ≤3.2%, communication overhead <1.8%, and compliance with real-time IoT constraints. To our knowledge, this is the first work to realize joint data-execution integrity assurance for FL/LDP on resource-constrained edge devices, thereby closing a critical security gap in privacy-preserving distributed learning at the network edge.

📝 Abstract
The rise in IoT-driven distributed data analytics, coupled with increasing privacy concerns, has led to a demand for effective privacy-preserving and federated data collection/model training mechanisms. In response, approaches such as Federated Learning (FL) and Local Differential Privacy (LDP) have been proposed and have attracted much attention over the past few years. However, they still share the common limitation of being vulnerable to poisoning attacks, wherein adversaries compromising edge devices feed forged (a.k.a. poisoned) data to aggregation back-ends, undermining the integrity of FL/LDP results. In this work, we propose a system-level approach to remedy this issue based on a novel security notion of Proofs of Stateful Execution (PoSX) for IoT/embedded devices' software. To realize the PoSX concept, we design SLAPP: a System-Level Approach for Poisoning Prevention. SLAPP leverages commodity security features of embedded devices, in particular ARM TrustZone-M security extensions, to verifiably bind raw sensed data to their correct usage as part of FL/LDP edge device routines. As a consequence, it offers robust security guarantees against poisoning. Our evaluation, based on real-world prototypes featuring multiple cryptographic primitives and data collection schemes, showcases SLAPP's security and low overhead.
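As an added illustration, not code from the paper or from SLAPP itself: a small Python simulation of the aggregator-side idea the abstract describes. One simulated trusted routine runs randomized response (a standard LDP mechanism) over a sensed bit and emits a report whose output is bound to an attested code identity and a monotonic state counter; the aggregator accepts a report only if that binding checks out. The device key, the code identity digest, the report field layout, and the use of HMAC-SHA256 as a stand-in for the digital signature (a real deployment would give the aggregator only a public key) are all assumptions of this example. The replay check via the state counter generalizes beyond what the abstract states and is included to show why the "stateful" part of PoSX matters at the verifier.

```python
import hashlib
import hmac
import json
import random

# Constructed demo values (assumptions, not from the paper): a per-device key that
# only the trusted routine can use, and a digest standing in for the attested code
# identity that remote attestation would establish.
DEVICE_KEY = b"constructed-demo-device-key"
CODE_ID = hashlib.sha256(b"ldp-randomized-response-routine-v1").hexdigest()


def randomized_response(bit, p, rng):
    """Warner's randomized response: report the true bit with probability p,
    otherwise the flipped bit."""
    return bit if rng.random() < p else 1 - bit


def _tag(fields, key):
    """MAC over a canonical encoding of the report fields (stand-in for a signature)."""
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def trusted_report(raw_bit, counter, p, rng=None, key=DEVICE_KEY):
    """Simulated TEE-side routine: perturbs the raw sensed bit and binds the output
    to the code identity and the current state counter under the device key."""
    rng = rng if rng is not None else random.Random()
    out = randomized_response(raw_bit, p, rng)
    fields = {"code": CODE_ID, "ctr": counter, "out": out}
    return {**fields, "tag": _tag(fields, key)}


def verify_report(report, expected_counter, key=DEVICE_KEY):
    """Aggregator-side check. Returns (accepted, reason)."""
    fields = {k: report.get(k) for k in ("code", "ctr", "out")}
    if not hmac.compare_digest(_tag(fields, key), report.get("tag", "")):
        return False, "tag mismatch: not produced by the trusted routine"
    if fields["code"] != CODE_ID:
        return False, "unexpected code identity"
    if fields["ctr"] != expected_counter:
        return False, "state counter mismatch: replay or skipped state"
    if fields["out"] not in (0, 1):
        return False, "output outside the LDP codomain"
    return True, "accepted"


def run_demo(p=0.75, seed=7):
    """Three constructed scenarios: an honest report, a forged report from an
    untrusted component that lacks the device key, and a replayed honest report."""
    rng = random.Random(seed)
    results = {}
    honest = trusted_report(raw_bit=1, counter=0, p=p, rng=rng)
    results["honest"] = verify_report(honest, expected_counter=0)
    # The untrusted app cannot use DEVICE_KEY, so its tag is under some other key.
    forged = {"code": CODE_ID, "ctr": 1, "out": 1000}
    forged["tag"] = _tag(forged, b"key-unknown-to-attacker")
    results["forged"] = verify_report(forged, expected_counter=1)
    # Re-sending the honest report at a later state is caught by the counter.
    results["replay"] = verify_report(honest, expected_counter=1)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:7s} accepted={ok} ({why})")
```

The point the simulation makes is that the aggregator never inspects the raw sensed bit (it cannot, under LDP); it only checks that the reported value was produced by the attested routine at the expected point in the device's state sequence, which is what removes the compromised-application poisoning path the abstract describes.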
Problem

Research questions and friction points this paper is trying to address.

Federated Learning
Local Differential Privacy
Poisoning Attacks
Innovation

Methods, ideas, or system contributions that make the work stand out.

SLAPP
Proofs of Stateful Execution (PoSX)
ARM TrustZone-M security extensions