Memory encryption: A survey of existing techniques

Abstract
Memory encryption has yet to be used at the core of operating system designs to provide confidentiality of code and data. As a result, numerous vulnerabilities exist at every level of the software stack. Three general approaches have evolved to rectify this problem. The most popular approach is based on complex hardware enhancements; this allows all encryption and decryption to be conducted within a well-defined trusted boundary. Unfortunately, these designs have not been integrated within commodity processors and have primarily been explored through simulation, with very few prototypes. An alternative approach has been to augment existing hardware with operating system enhancements for manipulating keys, providing improved trust. This approach has provided insights into the use of encryption but has involved unacceptable overheads and has not been adopted in commercial operating systems. Finally, specialized industrial devices have evolved, potentially adding coprocessors, to increase the security of particular operations in specific operating environments. However, this approach lacks generality and has introduced unexpected vulnerabilities of its own. Recently, memory encryption primitives have been integrated within commodity processors such as the Intel i7, AMD Bulldozer, and multiple ARM variants. This opens the door for new operating system designs that provide confidentiality across the entire software stack outside the CPU. To date, little practical experimentation has been conducted, and the improvements in security and the associated performance degradation have yet to be quantified. This article surveys the current memory encryption literature from the viewpoint of these central issues.
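The trusted boundary the abstract describes is the processor package: the key and all plaintext exist only on-chip, and every cache line that crosses to DRAM is encrypted, so a cold-boot or DMA image of memory should reveal nothing. The following is an added illustration written for this page, not code from the paper or from any of the designs it surveys. It models that boundary in Python and assumes 64-byte cache lines, uses keyed SHAKE-256 as a stand-in for the AES counter-mode pad generator that real engines use, assumes the per-line write counters are held on-chip, and uses constructed sample addresses and line contents. It shows why the address must be folded into the pad (otherwise a DRAM dump reveals which lines hold identical data) and why a per-line counter is needed on top of the address (otherwise two dumps of the same line, taken before and after a rewrite, hand the attacker a two-time pad).

```python
import hashlib
import os

LINE = 64  # bytes per cache line; the granularity at which memory is encrypted (assumption)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedMemory:
    """Models the CPU-side encryption engine sitting in front of untrusted DRAM.

    mode='ctr'  : pad = PRF(key, address || per-line counter); counter bumped on every write
    mode='addr' : pad = PRF(key, address); address tweak but no counter
    mode='ecb'  : pad = PRF(key); one pad for every line (deliberately weak baseline)
    """

    def __init__(self, key: bytes, mode: str = "ctr"):
        self.key = key        # never leaves the "chip"
        self.mode = mode
        self.dram = {}        # what an attacker with DMA or cold boot sees: addr -> ciphertext
        self.counters = {}    # per-line write counters; assumed to live on-chip or in a protected table

    def _pad(self, addr: int, ctr: int) -> bytes:
        # Keyed SHAKE-256 stands in for AES in counter mode (assumption; a real engine uses AES).
        tweak = b""
        if self.mode in ("ctr", "addr"):
            tweak += addr.to_bytes(8, "big")
        if self.mode == "ctr":
            tweak += ctr.to_bytes(8, "big")
        return hashlib.shake_256(self.key + tweak).digest(LINE)

    def write(self, addr: int, line: bytes) -> None:
        assert len(line) == LINE
        self.counters[addr] = self.counters.get(addr, 0) + 1
        self.dram[addr] = _xor(line, self._pad(addr, self.counters[addr]))

    def read(self, addr: int) -> bytes:
        return _xor(self.dram[addr], self._pad(addr, self.counters[addr]))


def dump_reveals_equal_lines(mode: str) -> bool:
    """Cold-boot view: does the DRAM image show that two lines hold the same plaintext?"""
    mem = EncryptedMemory(os.urandom(32), mode)
    secret = b"\x00" * LINE  # constructed sample: two zero-filled lines, very common in real memory
    mem.write(0x1000, secret)
    mem.write(0x2000, secret)
    assert mem.read(0x1000) == secret and mem.read(0x2000) == secret  # CPU still reads correctly
    return mem.dram[0x1000] == mem.dram[0x2000]


def two_time_pad_recovers_new_value(mode: str) -> bool:
    """Attacker snapshots DRAM before and after a line is rewritten.

    If the pad for that address does not change between writes, c_old XOR c_new equals
    p_old XOR p_new, so a known p_old (e.g. a page the OS just zeroed) yields p_new outright.
    """
    mem = EncryptedMemory(os.urandom(32), mode)
    p_old = b"\x00" * LINE                       # known to the attacker: page was zeroed by the OS
    p_new = b"AES-KEY:" + os.urandom(LINE - 8)   # constructed sample: a key later stored there
    mem.write(0x3000, p_old)
    c_old = mem.dram[0x3000]
    mem.write(0x3000, p_new)
    c_new = mem.dram[0x3000]
    guess = _xor(_xor(c_old, c_new), p_old)      # computed purely from the two DRAM snapshots
    return guess == p_new


if __name__ == "__main__":
    for m in ("ecb", "addr", "ctr"):
        print(m, "dump leaks equality:", dump_reveals_equal_lines(m),
              "| rewrite leaks new value:", two_time_pad_recovers_new_value(m))
```

None of the three modes detects an attacker who swaps two ciphertext lines in DRAM or replays an old one: the model provides confidentiality only. That gap is why the hardware designs in the literature pair encryption with a memory integrity mechanism, and why the counters themselves have to be protected from rollback, since an attacker who can reset a counter recreates the two-time pad that the 'ctr' mode was meant to prevent.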