Paper 2022/1472

Cryptographic Protection of Random Access Memory: How Inconspicuous can Hardening Against the most Powerful Adversaries be?

Abstract

For both cloud and client applications, the protection of the confidentiality and integrity of remotely processed information is an increasingly common feature request. It is also a very challenging goal to achieve with reasonable costs in terms of memory overhead and performance penalty. In turn, this usually leads to security posture compromises. In this paper we review the main technologies that have been proposed so far to address this problem, as well as some new techniques and combinations thereof. We systematise the treatment of the protection of data in use by starting with models of the adversaries, thus allowing us to define different, yet consistent protection levels. Several different schemes for memory protection are benchmarked for each protection level. We evaluate storage and performance impacts when the benchmarks are the only running tasks and when simulating a server under load. To make just one example of our results: Using advanced techniques to compress counters can make it viable to store them on-chip -- for instance by adding on-chip DRAM that can be as small as to 1/256th of the off-chip memory. This allows for implementations of memory protection providing full confidentiality, integrity and anti-replay protection with hitherto unattained penalties, especially in combination with the repurposing of ECC bits to store integrity tags. The performance penalty on a server with a saturated memory subsystem can thus be contained under 2% with a memory overhead of 1/256 and even under 1% with a memory overhead of 1/128.