Addressing Cross-PMO and Data-at-Rest Vulnerabilities in Persistent Memory

Abstract

(Approved for Public Release) New non-volatile memory (NVM) technologies, including STT-RAM, PRAM, and Memristors, provide scaling potential, high capacity at low cost, and low idle power. These characteristics make them attractive for use as future main memory, either for augmenting or replacing DRAM. The first of such products, Intel Optane PMEM, was brought to market in 2019 as DIMM-accessible memory products. Even though Intel recently discontinued its product line, other NVM products provide alternatives, including battery-backed DRAM, as well as CXL-linked SSDs that serve as a memory pool in scale-out servers. PM security has been drawing increasing attention. However, research efforts on PM security have mostly concentrated on providing PM memory encryption and preventing malicious repeated writes from damaging PM. PM data also needs to be protected from malicious accesses, both while it is being actively used and while at rest. While such risks are not much covered in research, they are critical for PM security because of three factors: (1) data corruption in PM is persistent, hence costlier, (2) recovery from data corruption is challenging, and, as this proposal demonstrates, (3) the corruption may transmit from one process to another and from one PMO to another. These security risks call for novel solutions for PM security.

In our own prior work, we have uncovered the following threats to the security of PMOs. In a cross-run threat, the attackers can stitch together information about a PMO over several attach sessions of the PMO for an application. In a cross-process threat, if a PMO is shared (either simultaneously or successively) by multiple processes, the attackers can use a vulnerable process to affect the other by corrupting the shared PMO.

In this project we address two previously unidentified threats: the inter-PMO threat and the data-at-rest threat. In an inter-PMO threat, an attacker may utilize a process to gain control of another process, even though they do not share a PMO, by utilizing a third (transmitter) process, which has some PMO sharing with the first and second processes. Another threat is that a PMO sits in physical memory for a long time, and much of its life is spent at rest, much like files on SSDs or disks. In addition to vulnerabilities to memory corruption while in use, this proposal addresses how to protect PMOs while not in use (at rest), where they are subject to illegal disclosure or corruption by software (OS, hypervisor) and by hardware (e.g., physical attacks). Therefore, for data in PM to be truly secure, it needs to have protection while at rest.

This project has a three-year research plan to address the inter-PMO and data-at-rest threats of PMOs with various novel solutions in system software, architecture, and programming model. The project consists of the following research and development tasks: (1) developing protection and recovery techniques against Cross-PMO attacks, (2) exploring efficient techniques for PMO checkpointing and recovery, and (3) investigating techniques to protect PMO data at rest against disclosure and memory corruption. We will build an experimental testbed with (1) Linux OS and runtime at both the kernel and user space with various protection techniques built in, (2) workstations and servers with PM using Intel Optane PMem as well as battery-backed DRAM, and (3) a set of microbenchmarks and a set of benchmark suites and applications.

Document Details

Document Type
DoD Grant Award
Publication Date
Jan 12, 2023
Source ID
N000142312136

Entities

People

  • Yan Solihin

Organizations

  • Office of Naval Research
  • United States Navy
  • University of Central Florida Board of Trustees

Tags

Fields of Study

  • Computer science

Readers

  • Cybersecurity.
  • Defense Acquisition Program Management
  • Parallel and Distributed Computing.

Technology Areas

  • Space