Defending Against Attacks on Main Memory Persistence∗
William Enck, Kevin Butler, Thomas Richardson, Patrick McDaniel, and Adam Smith
Systems and Internet Infrastructure Security (SIIS) Laboratory,
Department of Computer Science and Engineering, The Pennsylvania State University
Main memory contains transient information for all resident applications. However, if memory chip contents survive power-off, e.g., via freezing DRAM chips, sensitive data such as passwords and keys can be extracted. Main memory persistence will soon be the norm as recent advancements in MRAM and FeRAM position non-volatile memory technologies for widespread deployment in laptop, desktop, and embedded system main memory. Unfortunately, the same properties that provide energy efficiency, tolerance against power failure, and “instant-on” power-up also subject systems to offline memory scanning. In this paper, we propose a Memory Encryption Control Unit (MECU) that provides memory confidentiality during system suspend and across reboots. The MECU encrypts all memory transfers between the processor-local level 2 cache and main memory to ensure plaintext data is never written to the persistent medium. The MECU design is outlined and performance and security trade-offs considered. We evaluate a MECU-enhanced architecture using the SimpleScalar hardware simulation framework on several hard-
ory accesses are delayed by less than 1 ns, with higher access latencies (caused by resume state reconstruction) subsiding within 0.25 seconds of a system resume. In effect, the MECU provides zero-cost steady state memory confidentiality for non-volatile main memory.
Main memory containing sensitive information persists for indefinite periods during system uptime. Recently, Halderman et al. demonstrated how to extend main memory persistence by “freezing” DRAM chips to maintain memory cell state after the system is powered off, allowing an adversary to retrieve any passwords or cryptographic keys that were not overwritten before system shutdown. While this attack provides an effective vector for key retrieval, the adversary must have physical access before the system is shut down. This precondition becomes unnecessary as new non-volatile memory technologies emerge.

∗This material is based upon work supported by the National Science Foundation under Grant No. CCF-0621429, CNS-0627551, and CNS-0643907. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
Non-volatile memories such as MRAM (magnetic RAM) and FeRAM (ferro-electric RAM) provide energy efficiency, tolerance of power failure, and “instant-on” power-up. These technologies are reaching maturity and manufacturers are already selling chips with up to 4-Mbit of storage [11, 12] to replace battery-backed SRAM in embedded systems. Recent advancements in speed and capacity make these technologies appropriate for main memory in laptops, desktops, and embedded systems. Because systems that use non-volatile main memory retain all state across reboots and suspends, users need not endure long boot cycles or memory restoration from slow secondary storage during resumption.
The characteristics of non-volatile main memory (NVMM) that provide these advantages also introduce new vulnerabilities: sensitive data can be extracted or modified by an adversary who gains access to the memory while the computer is not turned on or after reboot. Unlike the attack described by Halderman et al., no freezing is required, and the memory chips can be retrieved at any time. This work
ory while retaining the advantages of non-volatile memory. Note that these techniques are also effective against frozen volatile memory chips.
The remainder of this paper is structured as follows. Section 2 discusses related work. Section 3 defines the problem and threat model. Section 4 describes our solution. Section 5 evaluates the performance impact of the MECU using SimpleScalar. Section 6 considers a number of practical issues in the use of the MECU and its application to next generation processors. Section 7 concludes.
2 Secure Memory Systems
Operating systems and applications assume memory does not survive across reboots.
such as passwords and cryptographic keys commonly reside in main memory. If this data is written to magnetic media (e.g., via swap operations), it may persist even longer. Therefore, best practice recommends ensuring memory plaintext never reaches disk. While data can be securely deallocated and crash reports can be cleansed, encrypted swap is still required for reused data.
The introduction of NVMM invalidates a basic assumption upon which operating system and application security is based. Therefore, it is imperative that the underlying architecture transparently preserve the security guarantees upon which the systems were built, i.e., mechanisms must be implemented within the hardware and BIOS. Our approach is unique in that it considers full memory encryption without OS interaction and provides optimizations specific to systems with NVMM. Many previous memory encryption architectures [8, 17–19, 22, 31] were designed for a vertical set of applications, e.g., Digital Rights Management (DRM) and tamperproof computation for grid processing. As such, only the memory segments of “protected” applications are encrypted. This DRM model has two significant disadvantages: it often requires changes to the processor instruction set, operating system, and/or applications, and significant performance degradation results from processor stalls necessary for protection against online attacks. A similar side effect exists in architectures providing protection against bus sniffing. Securing NVMM need not necessarily require protection against online attacks; therefore the associated performance penalty is avoidable.
While many previous systems do not directly provide full memory encryption appropriate for efficiently protecting systems with NVMM, lessons can be learned from their evolution. Execute Only Memory (XOM), an early architecture designed to protect DRM applications, encrypted data directly, resulting in significant performance degradation. Suh et al. improved performance by applying a variant of counter mode encryption to generate one time pads in parallel with memory lookups. However, in order to protect against online attacks, the secure processor must
bytes of memory (for systems with 64-byte cache lines). The counters must be stored within the secure processor to avoid the overhead of performing two memory accesses per cache miss. As these storage requirements are often impractical, subsequent architectures minimized on-chip storage using caches and prediction algorithms [25, 28]. Unfortunately, these techniques still result in a significant memory bottleneck throughout system run time. Further, storing counters in memory is insecure; therefore, Yan et al. ensure counter integrity using hash trees similar to architectures designed by Suh et al. [13, 31]. In addition to ensuring counter integrity, Yan et al. also split the counter into major and minor portions, thereby further decreasing storage size. While their architecture provides improved performance, the overhead due to processor stalls is constant throughout the system operation. Additionally, an architecture designed to protect the entire main memory must be careful when storing counters to memory, otherwise the counters may become inaccessible.
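The counter-mode scheme described above (a per-line one-time pad derived from address and counter, with the counter split into a per-page major and a per-line minor part) as an added, runnable model; this is not code from the paper and not the MECU design itself. HMAC-SHA256 stands in for the block cipher, and the page size and counter width are constructed to be small so that a minor-counter wrap is easy to observe.

```python
"""Counter-mode cache-line encryption as sketched in Section 2 (added example, not the paper's
MECU). The pad for a 64-byte line derives from its address and a counter split into an on-chip
per-page major counter and a per-line minor counter; HMAC-SHA256 stands in for the block cipher."""
import hashlib, hmac

LINE = 64            # cache-line size in bytes (the paper's 64-byte example)
LINES_PER_PAGE = 4   # constructed: tiny "page" so a minor-counter wrap is easy to reach
MINOR_BITS = 4       # constructed: 4-bit minor counter, wraps after 16 write-backs
PAGE = LINE * LINES_PER_PAGE

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class CounterModeMemory:
    def __init__(self, key, n_pages):
        self.key = key
        self.cipher = {}             # line address -> ciphertext (the persistent medium)
        self.major = [0] * n_pages   # per-page counter, held inside the secure processor
        self.minor = {}              # line address -> minor counter

    def _pad(self, addr, major, minor):
        # A fresh (addr, major, minor) triple per write-back means a pad is never reused.
        msg = addr.to_bytes(8, "big") + major.to_bytes(8, "big") + bytes([minor])
        return hmac.new(self.key, msg, hashlib.sha256).digest() * 2   # 64-byte pad

    def write_line(self, addr, data):
        assert len(data) == LINE
        if self.minor.get(addr, -1) + 1 == 1 << MINOR_BITS:
            self._bump_major(addr // PAGE)   # minor would wrap: re-key the whole page
        self.minor[addr] = self.minor.get(addr, -1) + 1
        self.cipher[addr] = xor(data, self._pad(addr, self.major[addr // PAGE], self.minor[addr]))

    def read_line(self, addr):
        return xor(self.cipher[addr], self._pad(addr, self.major[addr // PAGE], self.minor[addr]))

    def _bump_major(self, page):
        # Decrypt every line of the page, advance the major counter, re-encrypt at minor 0.
        addrs = [a for a in range(page * PAGE, (page + 1) * PAGE, LINE) if a in self.cipher]
        plain = {a: self.read_line(a) for a in addrs}
        self.major[page] += 1
        for a in addrs:
            self.minor[a] = 0
            self.cipher[a] = xor(plain[a], self._pad(a, self.major[page], 0))

def pad_reuse_leak(mem, addr, p1, p2):
    # Why counter integrity matters (Yan et al.): two lines encrypted under one reused
    # (addr, major, minor) triple XOR to p1 ^ p2, exposing plaintext structure offline.
    pad = mem._pad(addr, 0, 0)
    return xor(xor(p1, pad), xor(p2, pad))
```

The pad can be computed from (address, counters) alone, which is what lets it overlap with the memory fetch; the wrap handling shows why the whole page must be re-encrypted when a minor counter overflows.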
These preceding approaches fail to preserve the security guarantees that modern operating systems will place on NVMM. These operating systems require that the memory architecture defend against offline physical attacks and avoid run-time processor stalls, a unique combination of feature and performance that no memory system has previously achieved. Furthermore, the architecture must support all legacy software and hardware interfaces, including DMA and multiprocessors [24, 29], and do so within a modest component footprint. We explore how these features are simultaneously achieved within our MECU-enhanced architecture in the following sections.
3 Non-Volatile Main Memory
Consider a commodity desktop machine with power management capabilities. During normal operation, the system is active, i.e., usable for processing data, performing reads and writes from memory, etc. When the system is not in use, it can move into a state of low power consumption, either automatically or through user invoked suspension. There are two different suspend modes: powered suspend and unpowered suspend (commonly known as hibernate). When a volatile memory system enters powered suspend mode, power-intensive components (e.g., displays and disk drives) are turned off, while reduced power is applied to others (e.g., main memory). Importantly, memory contents persist while in the low power state. When a system with volatile memory is placed into hibernate mode, main memory is transferred to secondary storage (e.g., disk) and power cut off, effectively zeroing the physical memory. When the system is resumed, the memory is restored from secondary storage. Conversely, architectures with NVMM need not provide any facilities to retain memory state within
(even across system reboots).
Two attack vectors are enabled by the introduction of NVMM into current architectures—an online attack where a booted operating system accesses a previously booted operating system’s memory, and an offline attack where the physical memory is probed by an adversary while the system is powered off, e.g., through regular read-out ports or via more sophisticated techniques such as optical probing of the memory with a laser and electromagnetic analysis. We do not seek to protect main memory in normal operation, as solutions already exist. Additionally, we do not consider hibernation as solutions such as encrypt-on-
For clarity in distinguishing between a reboot and suspend, we introduce the concept of an OS instance. We assume that the system has the ability to suspend operations as it transitions into suspend mode and to subsequently resume its
their drive heads to avoid crashing them into disk platters if power is lost.
We have designed an efficient MECU to achieve the same level of security provided by traditional volatile main memory systems, and evaluated the performance impact using the SimpleScalar framework. Introducing the MECU into a system’s architecture introduces overhead of only 9% in the worst case and less than 2% for average workloads for a period of less than 0.25 s after system resumption, based on a moderately-specified desktop. During regular operation, the costs of encryption and decryption are less than 1 ns. In effect, the MECU provides zero-cost steady state encryption of main memory. As non-volatile memory technologies emerge, systems can reap the benefits of non-volatility while maintaining security.
References
[1] Advanced Micro Devices, Inc. AMD I/O virtualization technology (IOMMU) specification, rev 1.00, Feb.
[2] S. Bellovin. Security problems in the TCP/IP protocol suite. Computer Communications Review, 2(19), Apr. 1989.
[3] P. Broadwell, M. Harren, and N. Sastry. Scrash: A System for Generating Secure Crash Information. In Proceedings of the 12th USENIX Security Symposium, pages 273–284, 2003.
[4] D. Burger, T. M. Austin, and S. Bennett. Evaluating Future Microprocessors: The SimpleScalar Tool Set. Technical Report CS-TR-1996-1308, 1996.
[5] P. M. Chen, W. T. Ng, S. Chandra, C. Aycock, G. Rajamani, and D. Lowell. The Rio File Cache: Surviving Operating System Crashes. In ASPLOS, 1996.
[6] J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding Data Lifetime via Whole System Simulation. In USENIX Security Symposium, 2004.
[7] J. Chow, B. Pfaff, T. Garfinkel, and M. Rosenblum. Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation. In USENIX Security Symposium, 2005.
[8] G. Duc and R. Keryell. CryptoPage: an Efficient Secure Architecture with Memory Encryption, Integrity and Information Leakage Protection. In ACSAC, 2006.
[9] EE Times. NEC claims world’s fastest MRAM.
articleID=204400328, November 30, 2007.
[10] R. Elbaz, L. Torres, G. Sassatelli, P. Guillemin, C. Anguille, C. Buatois, and J. Rigaud. Hardware Engines for Bus Encryption: a Survey of Existing Techniques. In DATE, 2005.
[11] Freescale Semiconductor. Fast Non-Volatile RAM Prod-
[12] Fujitsu. Fujitsu Starts Volume Production of 2 Mbit
news/pr/fme_20070418.html, April 18, 2007.
[13] B. Gassend, G. E. Suh, D. Clarke, M. van Dijk, and S. Devadas. Caches and hash trees for efficient memory integrity verification. In HPCA-9, 2003.
[14] P. Gutmann. Secure Deletion of Data from Magnetic and Solid-State Memory. In USENIX Security Symposium, 1996.
[15] J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten. Lest We Remember: Cold Boot Attacks on Encryption Keys. In USENIX Security Symposium, 2008.
[16] C. Hampel. High-Speed DRAMs keep pace with high-speed
memory/hampel-rambus.htm. Accessed Jan. 2006.
[17] T. Kgil, L. Falk, and T. Mudge. ChipLock: Support for Secure Microarchitectures. ACM SIGARCH Computer Architecture News, 33(1):134–143, Apr. 2005.
[18] R. B. Lee, P. C. S. Kwan, J. P. McGregor, J. Dwoskin, and Z. Wang. Architecture for Protecting Critical Secrets in Microprocessors. In ISCA, 2005.
[19] D. Lie, C. Thekkath, M. Mitchell, P. Lincoln, D. Boneh, J. Mitchell, and M. Horowitz. Architectural Support for Copy and Tamper Resistant Software. In ISCA, 2000.
[20] G. Muller, N. Nagel, C.-U. Pinnow, and T. Rohr. Emerging Non-Volatile Memory Technologies. In ESSDERC, 2003.
[21] Physorg. Toshiba develops new MRAM device which opens the way to giga-bits capacity. http://www.physorg.com/news113591322.html, November 6, 2007.
[22] J. Platte and E. Naroska. A Combined Hardware and Software Architecture for Secure Computing. In Proceedings of the 2nd Conference on Computing Frontiers, May 2005.
[23] N. Provos. Encrypting Virtual Memory. In Proceedings of the 9th USENIX Security Symposium, Aug. 2000.
[24] B. Rogers, M. Prvulovic, and Y. Solihin. Efficient data protection for distributed shared memory multiprocessors. In
[25] B. Rogers, Y. Solihin, and M. Prvulovic.
decryption: Hiding the Latency Overhead of Memory Encryption. ACM SIGARCH Computer Architecture News, 33(1):27–33, Mar. 2005.
[26] D. Samyde, S. Skorobogatov, R. Anderson, and J.-J. Quisquater. On a New Way to Read Data from Memory. In Proceedings of IEEE Security in Storage Workshop, 2003.
[27] W. Sereinig. Motion-Control: the Power Side of Disk Drives. In ICCD, 2001.
[28] W. Shi, H.-H. S. Lee, M. Ghosh, C. Lu, and A. Boldyreva. High Efficiency Counter Mode Security Architecture via Prediction and Precomputation. In ISCA, 2005.
[29] W. Shi, H.-H. S. Lee, M. Ghosh, and C. Lu. Architectural support for high speed protection of memory integrity and confidentiality in multiprocessor systems. In PACT, 2004.
[30] Standard Performance Evaluation Corp. SPEC CPU2000 V1.3. http://www.spec.org/cpu2000/, 2000.
[31] G. E. Suh, D. Clarke, B. Gassend, M. van Dijk, and S. Devadas. Efficient memory integrity verification and encryption for secure processors. In MICRO-36, 2003.
[32] C. Yan, B. Rogers, D. Englender, Y. Solihin, and M. Prvulovic. Improving cost, performance, and security of memory encryption and authentication. In ISCA, 2006.
[33] J. Yang, L. Gao, and Y. Zhang. Improving Memory Encryption Performance in Secure Processors. IEEE Trans. Comp., 54(5):630–640, May 2005.