SSS-DIMM: Removing Redundant Data Movement in Trusted DIMM-Based Near-Memory-Processing Kernel Offloading via Secure Space Sharing
Weiyi Sun; Jianfeng Zhu; Mingyu Gao; Zhaoshi Li; Shaojun Wei; Leibo Liu
IEEE Transactions on Parallel and Distributed Systems, vol. 36, no. 8, pp. 1810-1827. Published 2025-06-04. DOI: 10.1109/TPDS.2025.3576438
https://ieeexplore.ieee.org/document/11023175/
Impact factor: 5.6. JCR: Q1 (Computer Science, Theory & Methods).
Citation count: 0
Abstract
DIMM-based Near-Memory-Processing (NMP) kernel offloading enables a program to execute in computation-enabled DIMM buffer chips, bypassing the bandwidth-constrained CPU main memory bus for high performance. Yet it also enables programs to access memory without restrictions and protection from the CPU, resulting in potential security hazards. To protect general NMP kernel offloading even in the presence of malicious privileged software, a heterogeneous TEE is required. However, to simplify the architectural design, the conventional heterogeneous TEE design isolates the host CPU process from the NMP kernel’s memory and vice versa, such that the CPU TEE and the trusted NMP driver can protect CPU processes and NMP kernels in complete separation. Such isolation results in redundant input/output data movement between the two isolated memory spaces, with half of the movement performed by the host CPU. We identify that this redundancy, worsened by limited CPU memory bandwidth, severely bottlenecks the performance of many potential NMP applications. To overcome this bottleneck, we propose to abandon isolation and share the NMP kernel memory with its host CPU process. Based on this idea, we design SSS-DIMM, an efficient TEE for DIMM-based NMP kernel offloading that removes the redundant data movement via Secure Space Sharing. SSS-DIMM resolves the two security challenges faced by memory sharing: providing consistent security guarantees for CPU processes and NMP kernels, using the CPU TEE and the NMP driver, for both memory ownership (allocation) and views (mapping); and ensuring that cryptography metadata is securely shared and synchronized between the CPU and the NMP unit. Our evaluation shows that SSS-DIMM maintains both security and high performance.
About the journal:
IEEE Transactions on Parallel and Distributed Systems (TPDS) is published monthly. It publishes a range of papers, comments on previously published papers, and survey articles that deal with the parallel and distributed systems research areas of current importance to our readers. Particular areas of interest include, but are not limited to:
a) Parallel and distributed algorithms, focusing on topics such as: models of computation; numerical, combinatorial, and data-intensive parallel algorithms, scalability of algorithms and data structures for parallel and distributed systems, communication and synchronization protocols, network algorithms, scheduling, and load balancing.
b) Applications of parallel and distributed computing, including computational and data-enabled science and engineering, big data applications, parallel crowd sourcing, large-scale social network analysis, management of big data, cloud and grid computing, scientific and biomedical applications, mobile computing, and cyber-physical systems.
c) Parallel and distributed architectures, including architectures for instruction-level and thread-level parallelism; design, analysis, implementation, fault resilience and performance measurements of multiple-processor systems; multicore processors, heterogeneous many-core systems; petascale and exascale systems designs; novel big data architectures; special purpose architectures, including graphics processors, signal processors, network processors, media accelerators, and other special purpose processors and accelerators; impact of technology on architecture; network and interconnect architectures; parallel I/O and storage systems; architecture of the memory hierarchy; power-efficient and green computing architectures; dependable architectures; and performance modeling and evaluation.
d) Parallel and distributed software, including parallel and multicore programming languages and compilers, runtime systems, operating systems, Internet computing and web services, resource management including green computing, middleware for grids, clouds, and data centers, libraries, performance modeling and evaluation, parallel programming paradigms, and programming environments and tools.