Security Refresh: Protecting Phase-Change Memory against Malicious Wear Out.
AS DYNAMIC RAM SCALING APPROACHES ITS PHYSICAL LIMIT, PHASE-CHANGE
MEMORY IS THE MOST MATURE AND WELL-STUDIED OPTION FOR POTENTIAL DRAM
REPLACEMENT. HOWEVER, MALICIOUS WEAR-OUT ATTACKS CAN EXPLOIT PCM’S LIMITED
WRITE ENDURANCE. TO ADDRESS THIS, A LOW-COST WEAR-LEVELING SCHEME CAN
DYNAMICALLY RANDOMIZE THE DATA ADDRESSES ACROSS THE ENTIRE ADDRESS SPACE
AND OBFUSCATE THEIR ACTUAL LOCATIONS FROM USERS AND SYSTEM SOFTWARE.
Given the grim prospect of technology scaling in flash memories and dynamic RAM (DRAM), designers are seeking alternative memory technologies to continue the prophecy of Moore’s law for memories. Among them, phase-change memory (PCM) has shown the most promise.

Unfortunately, PCM faces serious challenges of reliability and usability if we cannot adequately address its wear-out issues caused by either malicious attacks or worst-case accessing scenarios. Essentially, adversaries can render a PCM device totally useless in a matter of minutes because it has a faster access speed than flash and shorter endurance than DRAM.

Several recent studies have attempted to address this issue by either reducing PCM’s write frequency or using wear-leveling techniques to evenly distribute PCM writes. Although these techniques can extend PCM’s lifetime under normal operations, most fail to prevent adversaries from writing malicious code deliberately designed to wear out and fail PCM. For instance, schemes to reduce write frequency do not prevent an adversary from intentionally wearing out the target memory bits due to their deterministic patterns [1,2]. In wear-leveling schemes [3,4], on the other hand, a rush of writes to the same location can be dispersed to different locations by changing the physical memory mappings with an address translation layer. Still, such prior methods have inherent weaknesses caused by regular shuffling patterns, coarse-grained shuffling, and static randomization. By exploiting these weaknesses, adversaries can extract the additional translation layer’s mapping information and focus on attacking target bits [5]. Furthermore, if the underlying operating system is compromised (such as via a simple buffer overflow), it will let adversaries manipulate all processes and easily exploit side channels to deduce useful mapping information and accelerate the wear out of targeted PCM blocks.
To protect PCM from such malicious attacks, we propose a low-cost hardware mechanism called Security Refresh. By constantly and dynamically migrating a data block to different memory locations, Security Refresh avoids information leaks while obfuscating the actual data placement from users and system software. Through dynamic randomization, Security Refresh can circumvent intentional, malicious attacks in the presence of a compromised operating system and prevent potential information from leaking through side channels.

Nak Hee Seong, Georgia Institute of Technology
Dong Hyuk Woo, Intel Labs
Hsien-Hsin S. Lee, Georgia Institute of Technology
0272-1732/11/$26.00 © 2011 IEEE. Published by the IEEE Computer Society.

Security Refresh overview
Before explaining our approach, we first clarify the terminology we use in this article. To support virtual memory, an operating system usually uses page tables to translate a program’s virtual address into a physical address. On the other hand, a memory controller translates the physical address into a memory address, which consists of rank ID, bank ID, row address, and column address. In addition to these two address spaces, for our Security Refresh technique, we define one more address space: the refreshed or remapped memory address (RMA), inside a PCM bank to dissociate a memory address from the actual data location (see Figure 1a). After receiving an address access command in the memory address from the memory controller, each PCM bank recalculates its own internal row and column address in RMA. Similar to DRAM refresh, which prevents charge leaking from a DRAM cell, the Security Refresh technique prevents address information from leaking from PCM accesses by dynamically randomizing the mapping between memory addresses and RMAs. Moreover, rather than refreshing based on time as in DRAM cells, our scheme refreshes a PCM region based on its usage, that is, the number of writes. The Security Refresh controller (SRC) both remaps a memory address into an RMA and periodically changes the mapping between these two address domains with extremely low-overhead hardware.
We treat one PCM bank as one region. As Figure 1a shows, one region consists of many memory blocks (for simplicity, we show only four in the figure). A memory block should be no smaller than a cache line to keep address lookup simple. For every r writes (r = 2 in Figure 1b), the SRC will refresh a memory block by potentially remapping it to a new PCM location using a randomly generated key. We call this number of writes r, which denotes the security refresh interval analogous to DRAM’s refresh rate. The refresh operations continue for all memory blocks in each region. A security refresh round is a complete iteration of refreshing every memory block in a region, which is similar to DRAM’s refresh period. To begin another security refresh round, the SRC generates a new random key and uses it together with the key from its previous refresh round.

[Figure 1 panels: (a) memory addresses MA0 to MA3 (data A to D) mapped to RMA0 to RMA3 within a region of memory blocks; (b) timeline of writes and refreshes, marking the Security Refresh interval and the Security Refresh round.]
Figure 1. Security Refresh overview. This technique includes regions that consist of many memory blocks (a). Our approach adds the remapped memory address (RMA), and every memory block in a region is refreshed in a security refresh round (b).

Security Refresh algorithm
We use an example to walk through our algorithm. Figure 2 depicts an example of one security refresh round. From Figure 2a to 2e, we start from an initial state with eight successive security refreshes for eight memory blocks within one PCM region. In each subfigure, the left column shows memory addresses of these blocks with their data in capital letters, and the right column shows the RMAs and the actual data placement in PCM.

Figure 2a shows the initial state in which all eight RMAs were generated by exclusive-ORing (XORing) their corresponding memory addresses with a key k0, where k0 = 4. For example, the memory address MA0 (000) XOR k0 (100) is mapped to RMA4 (100) in the physical PCM. Also note that Figure 2a has reached the end of a security refresh round because all the memory addresses have been refreshed with k0. With each security refresh, a current refresh pointer (CRP) register points to the candidate memory address to be refreshed (see the shaded boxes in Figure 2). The CRP is incremented after each security refresh.

Upon the next security refresh (Figure 2b), a new security refresh round initiates because CRP has reached the first memory address in a region. Consequently, a hardware random number generator will generate a new key (k1 = 6) in the SRC for refreshing all memory addresses in the current round. At this point, MA0 is refreshed and remapped from RMA4 to RMA6. Because the data (A) of MA0 is now moved to RMA6 where the data (C) of MA2 used to be, C should be evicted from RMA6 and stored elsewhere. Interestingly, due to the nature of XOR, MA2 will actually be mapped to RMA4 using the new key (2 ⊕ k1 = 4), that is, the RMA of MA0 from the previous round (0 ⊕ k0 = 4). This security refresh, essentially, swaps data between MA0 and MA2 in their PCM locations. We call this the pairwise remapping property (see the “Pairwise remapping property” sidebar for more details). The SRC will be responsible for reading and writing two memory blocks to physically swap the data between them.

Similarly, in the next security refresh (Figure 2c), data for MA1 and MA3 (a victim evicted by MA1) in PCM are swapped between RMA5 and RMA7.

In Figure 2d, CRP points to MA2, which is supposed to be remapped after its security refresh. However, it has been swapped previously (Figure 2b) in the current security refresh round. Thus, we do not swap again but simply increment the CRP pointer. We test whether a memory address has already been swapped in the current round by exploiting the pairwise remapping property. We simply XOR the current candidate memory address with the keys used in the prior refresh round and the current round. If the outcome is smaller than CRP, the memory block has been swapped in the current round. For instance, in Figure 2d, we XOR MA2 with 4 (k0) and 6 (k1), giving a result of 0 (2 ⊕ 4 ⊕ 6 = 0). Because it is smaller than CRP, it indicates that MA2 has been swapped in the current refresh round.

[Figure 2 panels (a) to (e): in each panel, memory addresses (MA) 0 to 7 with data A to H on the left and RMAs 0 to 7 with the actual data placement on the right; keys k0 (= 4) and k1 (= 6); CRP marked.]
Figure 2. Example of a security refresh round. Each complete round consists of an initial state (a), first refresh (b), second refresh (c), third refresh (d), and final state (e). With each security refresh, a current refresh pointer (CRP) register points to the candidate memory address (MA) to be refreshed (see the shaded boxes).

We refresh the next five memory blocks in the same manner. After the eighth security refresh in the current round, CRP will wrap around and reach MA0 again, completing the current security refresh round (Figure 2e). Upon the next refresh, a new key k2 will be generated and a new round starts using k1 and k2. k0 will no longer be needed. For each refresh round, only the two most recent keys are needed.
Key selection for address translation
To correctly find the data location in PCM, we need to translate a given memory address to its current RMA using the right key. The most straightforward way to find the right key is to add one bit in SRC for each memory address to indicate whether it must be translated using the key from the previous refresh round or the current key. Even though 1 bit per block seems small, for a 1-Gbyte PCM region with 16-Kbyte memory blocks, we will need 8 Kbytes (or 2^16 bits) of extra space. In fact, hardware overhead for maintaining each block’s translation information is the main reason why the table-based approach can’t support fine-granularity segments [4].

Sidebar: Pairwise remapping property
The pairwise remapping property lets us exchange a pair of memory blocks with only two keys. For our address remapping, assume that we use a binary operation ⊕ closed on a set S, which satisfies the following properties for all x, y, and z, which are the elements of S, where S is a set of possible addresses in a phase-change memory (PCM) region.
• Associative property: (x ⊕ y) ⊕ z = x ⊕ (y ⊕ z).
• Commutative property: x ⊕ y = y ⊕ x.
• Self-inverse property: x ⊕ x = e, where e is an identity element so that x ⊕ e = x.
Basically, we find a remapped memory address (Ar) for a given memory address (Am) by simply performing this binary operation between a memory address and a randomly generated key (k) of the same length, that is, Am ⊕ k = Ar. We use the following notation in this proof.
• kp is a previous key generated in the previous security refresh round.
• kc is a current key generated in the current security refresh round.
• Am is a memory address to be refreshed in the current refresh.
• Arp is an RMA mapped to Am with kp (Arp = Am ⊕ kp).
• Arc is an RMA mapped to Am with kc (Arc = Am ⊕ kc).
• Bm is a memory address mapped to Arc with kp, thus to be evicted by Am.
• Brp is an RMA mapped to Bm with kp (Brp = Bm ⊕ kp).
• Brc is an RMA mapped to Bm with kc (Brc = Bm ⊕ kc).
According to the associative and self-inverse properties, when Am newly occupies Arc, Bm can be easily detected by performing ⊕ between Arc and kp because Arc ⊕ kp = (Bm ⊕ kp) ⊕ kp = Bm. More interestingly, the new location (Brc) that Bm should be mapped to with kc is the old location (Arp) that Am used to be mapped to with kp because Brc = Bm ⊕ kc = (Arc ⊕ kp) ⊕ kc = ((Am ⊕ kc) ⊕ kp) ⊕ kc = Am ⊕ kp = Arp. In short, we can simultaneously map a pair of memory addresses into their new RMA locations by simply swapping the physical data of their old PCM blocks. Consequently, the actual swapping operations in a security refresh round will be done by one-half of all security refresh operations.
The simplest function that satisfies all three properties is an exclusive-OR (XOR), although we have proved that any function satisfying these three properties can be used as the refresh and remapping function. For this article, we use XOR.

Fortunately, in our scheme, using the pairwise remapping property along with the linearly increasing CRP value property lets us determine the right key without any table. In particular, when a memory controller wants to read from or write to a memory address Cm, we need to use the current key (kc) in the following two cases; otherwise, we use the key from the previous refresh round (kp).
• If Cm is less than the value of CRP, we should use the current key (kc) because Cm has already been refreshed in the current security refresh round.
• If Cm ⊕ kp ⊕ kc is less than the value of CRP, we should use the current key, too. Although this is not intuitive, we want to detect in this condition whether Cm is a victim that is evicted when another memory address, Dm, is remapped to the old RMA value of Cm, that is, Cm ⊕ kp. As we explained earlier, we can reconstruct Dm by simply performing an XOR operation between the RMA value and the current key, which is (Cm ⊕ kp) ⊕ kc. If we compare Dm against the value of CRP, we can detect whether Cm was a victim that was already remapped when Dm was remapped.
The two conditions for key selection can help determine whether a current security refresh will perform a swapping operation to remap a pair of memory addresses. If CRP points to a memory address that has been already remapped to an RMA with the current key, it means that the memory address has already been remapped and a swapping operation isn’t required. In other words, when Cm is CRP, the first condition (Cm < CRP) is always false but the second condition (Cm ⊕ kp ⊕ kc < CRP) can be used for the decision. If it’s true, a current refresh doesn’t perform a swapping operation.
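
The refresh rule from the algorithm section and the two key-selection conditions above, modelled together in Python as an added example (not code from the article or its authors). The names `SecurityRefreshRegion`, `figure2_round` and `hammer`, the per-block wear counters, and retiring kp by setting it equal to kc at the end of a round are assumptions of this sketch; `secrets.randbelow` stands in for the hardware random number generator.

```python
import secrets

class SecurityRefreshRegion:
    """Toy model of one PCM region behind a Security Refresh controller (SRC)."""
    def __init__(self, data, interval, next_key=None):
        n = len(data)
        assert n and n & (n - 1) == 0, "XOR remapping needs a power-of-two block count"
        self.n, self.interval = n, interval
        self.next_key = next_key or (lambda: secrets.randbelow(n))
        self.kp = self.kc = self.next_key()   # every block starts mapped with one key
        self.crp = self.writes = 0            # crp: current refresh pointer (an MA)
        self.pcm = [data[rma ^ self.kc] for rma in range(n)]  # indexed by RMA
        self.wear = [0] * n                   # physical writes seen by each RMA

    def translate(self, ma):
        """MA -> RMA with the two table-free key-selection conditions."""
        refreshed = ma < self.crp or (ma ^ self.kp ^ self.kc) < self.crp
        return ma ^ (self.kc if refreshed else self.kp)

    def read(self, ma):
        return self.pcm[self.translate(ma)]

    def write(self, ma, value):
        rma = self.translate(ma)
        self.pcm[rma] = value
        self.wear[rma] += 1
        self.writes += 1
        if self.writes % self.interval == 0:  # refresh is paced by writes, not time
            self.refresh()

    def refresh(self):
        if self.crp == 0:                     # a new round starts: draw the current key
            self.kc = self.next_key()
        old, new = self.crp ^ self.kp, self.crp ^ self.kc   # Arp and Arc of the candidate
        if (new ^ self.kp) > self.crp:        # victim Bm not refreshed yet: swap the pair
            self.pcm[old], self.pcm[new] = self.pcm[new], self.pcm[old]
            self.wear[old] += 1
            self.wear[new] += 1
        self.crp += 1
        if self.crp == self.n:                # round complete: the older key is retired
            self.crp, self.kp = 0, self.kc

def figure2_round():
    """Replay Figure 2 (k0 = 4, k1 = 6); reads must stay correct after every refresh."""
    region = SecurityRefreshRegion("ABCDEFGH", 2, iter([4, 6]).__next__)
    for _ in range(8):
        region.refresh()
        assert [region.read(ma) for ma in range(8)] == list("ABCDEFGH")
    return "".join(region.pcm), sum(region.wear) // 2   # final layout by RMA, swap count

def hammer(n_blocks=64, interval=2, writes=20000):  # constructed: every write hits MA0
    region = SecurityRefreshRegion(list(range(n_blocks)), interval)
    for _ in range(writes):
        region.write(0, 0)
    return max(region.wear), all(region.read(m) == m for m in range(n_blocks))
```

`figure2_round()` ends with four swaps for eight refreshes, the one-half ratio stated in the sidebar, and `hammer()` returns the worst per-block wear after all writes target one memory address, which stays far below the number of writes issued.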
Implementing security refresh trade-offs
So far, we’ve discussed how Security Refresh works and its advantage from the standpoint of malicious wear out. However, there are several trade-offs in the PCM design space. For example, if the total number of writes required to start a new security refresh round is larger than the PCM write endurance limit, an adversary could wear out a PCM block before a new refresh round is triggered. On the other hand, extra PCM writes are induced for swapping two blocks upon remapping. Frequent swaps might unnecessarily increase the total number of PCM writes, even for normal applications, leading to performance degradation. Thus, we must carefully examine Security Refresh’s design trade-offs to maximize its robustness while minimizing the write overheads and its performance penalty.

To quantify the trade-off, we used simple analytical models to estimate robustness and write overhead. From our analysis, we made the following observations:
• A larger region distributes localized writes across a larger memory space.
• A large region requires a shorter refresh interval to increase the frequency of randomized mapping changes. Otherwise, if one refresh round is too long, it might inadvertently leave a mapping unchanged for too long as well, making potential side-channel attacks possible.
• A shorter refresh interval will, nonetheless, inflict higher write overheads due to its more frequent swapping, which can lead to a higher performance penalty.
Given the first observation, we began by evaluating a region size as large as a PCM bank, as Figure 3a illustrates. We didn’t evaluate multiple banks in a PCM chip as a region to let a memory controller exploit bank-level parallelism for better scheduling. As our second and third observations explain, we found that a bank-sized region’s write overhead was undesirably high in the one-level scheme in Figure 3a, which motivated us to investigate other enhancements.
Two-level security refresh
To address the issues of write overheads and performance penalty while still exploiting a large region size, we propose the hierarchical, two-level Security Refresh scheme illustrated in Figure 3b. In lieu of using a small refresh interval, we broke a region into multiple, smaller subregions. Each subregion contains its own subregion SRC to perform address remapping itself based on an inner-level refresh interval. In addition, we use an outer-level region SRC to distribute writes across the entire region with its own refresh interval. The rationale behind