Cryptographic Protection of Random Access Memory: How Inconspicuous can Hardening Against the most Powerful Adversaries be?

Abstract

For both cloud and client applications, the protection of the confidentiality and integrity of remotely processed information is an increasingly common feature request. It is also a very challenging goal to achieve with reasonable costs in terms of memory overhead and performance penalty. In turn, this usually leads to security posture compromises in products. In this keynote we review the main technologies that have been proposed so far to solve this problem, as well as some new techniques and combinations thereof. We systematise the treatment of protecting data in use by starting with models of the adversaries, thus allowing us to define different, yet consistent protection levels. We perform a systematic evaluation of the storage and performance impacts, including the impact on systems where the measured benchmarks are the only running tasks and where they are just one task in a cloud server under full load. Using advanced techniques to compress counters can make it viable to store them on-chip -- for instance by adding on chip RAM that can be as small as to 1/256-th of the off-chip RAM. This allows for implementations of memory protection up to anti-replay with hitherto unattained penalties, especially in combination with the repurposing of ECC bits to store integrity tags. The performance penalty on a memory bandwidth saturated server can thus be contained to under 1%. This keynote is based on joint work with Ionut Mihalcea, David Schall, and Andreas Sandberg, and includes previous work with Matthias Boettcher, Mike Campbell, Hector Montaner, and Prakash Ramrakhyani.