Persistent Memory Object Security

Abstract

New non-volatile memory (NVM) technologies, including STT-RAM, PRAM, and Memristors, provide scaling potential, high capacity at low cost, and low idle power. These characteristics make them attractive for use as future main memory, either augmenting or replacing DRAM. One NVM example is 3D XPoint, which was brought to market in 2017 by Intel and Micron as I/O products and in 2019 as memory products (a DIMM accessible via load/store instructions). The latter provides a capacity of 3TB per socket. These new non-volatile main memory (NVMM) technologies are byte-addressable and have access latencies much closer to DRAM than to storage. The existence of NVMM requires rethinking the way systems view data versus processing. In contrast to files, which are persistent but slow, and data structures, which are fast but temporary, we propose a new abstraction, which we call Persistent Memory Objects (PMOs). A PMO merges aspects of a file (metadata, namespace, permission, and translation) with aspects of a data structure (structured, supporting pointers, and accessed through load/store instructions). The fundamental operations on PMOs include attaching them to, or detaching them from, a process address space. While there are many technical challenges to overcome before the full potential of PMOs can be realized, this proposal focuses on the security aspect of PMOs. Specifically, the introduction of PMOs substantially increases the attack surface of persistent data, exposing it to memory corruption and disclosure attacks. Furthermore, the adversary can combine leakage of information obtained from different runs of the attacked target application. Finally, PMOs are likely to be shared by multiple processes that do not necessarily co-operate. A change made to a PMO by one process may affect the behavior (and security) of another process, which indirectly breaks down inter-process isolation. This project has a three-year research plan to address the security challenges described above.
This project will design and implement proof-of-concept OS data structures that keep track of PMOs, supporting hierarchical naming and key-based read/write/execute permission settings. It will implement three system calls as the PMO access API: attach() to locate a sufficiently sized virtual address region and map the PMO into the process address space, detach() to invalidate the page table mapping from the process address space to the PMO in physical memory, and psync() to make any changes to the PMO durable atomically. We will reduce memory exposure time (MET) for a process that works on a PMO. The main hypothesis is that by reducing MET to a bare minimum, we improve PMO security. To achieve this, a compiler will automatically wrap each PMO method with attach() and detach(). We will embed a page table subtree into the PMO itself. We will design an OS virtual memory mechanism that ensures atomic durability of the PMO page table subtree while preserving the current page table walk mechanism. A prototype integrated with Linux DAX, with multiple page sizes, will be constructed. To evaluate the performance of PMO security protection, we will run the Whisper benchmarks, varying the transaction sizes. To evaluate the security of our PMO implementations, we will focus on qualitative evaluation (by adding vulnerabilities and attacks) and quantitative evaluation (based on MET reduction).
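A user-space stand-in for the three-call PMO API and the compiler-wrapping idea described above, added here as an example and not code from the proposal: the proposed attach()/detach()/psync() system calls do not exist, so mmap() of a file (as on a Linux DAX mount) stands in for attach(), msync() for psync() and munmap() for detach(); the counter layout, handle type, file path and function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed PMO layout: one persistent 64-bit counter. */
struct pmo_counter { uint64_t value; };
/* Handle; base is NULL when detached, last_base records where it was mapped. */
struct pmo_handle { void *base; void *last_base; size_t size; int fd; };

/* attach(): map the PMO into this address space. mmap() of a file stands in
 * for the proposed system call; ftruncate() sizes a newly created PMO. */
static int pmo_attach(struct pmo_handle *h, const char *path, size_t size)
{
    h->fd = open(path, O_RDWR | O_CREAT, 0600);
    if (h->fd < 0) return -1;
    if (ftruncate(h->fd, (off_t)size) < 0) { close(h->fd); return -1; }
    h->base = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, h->fd, 0);
    if (h->base == MAP_FAILED) { close(h->fd); h->base = NULL; return -1; }
    h->size = size;
    return 0;
}
/* psync(): make the modified PMO durable (msync() stands in). */
static int pmo_psync(struct pmo_handle *h) { return msync(h->base, h->size, MS_SYNC); }

/* detach(): remove the mapping so the PMO is unreachable by load/store. */
static void pmo_detach(struct pmo_handle *h)
{
    munmap(h->base, h->size);
    close(h->fd);
    h->last_base = h->base;
    h->base = NULL;
}

/* Non-zero if [addr, addr+len) is mapped: msync() fails with ENOMEM on an
 * unmapped range, so detach() can be verified without touching the memory. */
int pmo_range_mapped(void *addr, size_t len) { return msync(addr, len, MS_ASYNC) == 0; }

/* A PMO method in the shape the proposal's compiler would emit: the PMO is
 * mapped only between attach() and detach(), so its memory exposure time is
 * the duration of this one method. Returns the new value, UINT64_MAX on error. */
uint64_t pmo_counter_increment(struct pmo_handle *h, const char *path)
{
    if (pmo_attach(h, path, sizeof(struct pmo_counter)) < 0) return UINT64_MAX;
    struct pmo_counter *c = h->base;
    uint64_t v = ++c->value;               /* the actual work on persistent data */
    if (pmo_psync(h) < 0) v = UINT64_MAX;
    pmo_detach(h);
    return v;
}
```

Because the handle is detached on every return path, a pointer into the PMO that leaks out of a method is dangling rather than a live window onto persistent data, which is the MET reduction the proposal relies on.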

Document Details

Document Type
DoD Grant Award
Publication Date
Dec 16, 2019
Source ID
N000142012750

Entities

People

  • Yan Solihin

Organizations

  • Office of Naval Research
  • United States Navy
  • University of Central Florida Board of Trustees

Tags

Fields of Study

  • Computer science

Readers

  • Cybersecurity.
  • Integrated Circuit Design and Technology.
  • Parallel and Distributed Computing.

Technology Areas

  • Space