Attackers may attempt to access memory of a computer system for any number of reasons including (1) obtaining confidential data (e.g., corporate trade secrets, personal identity data), (2) software piracy by uncovering secrets for licensing control of the software, (3) multimedia content breach (e.g. high-definition videos), and (4) modifying or injecting code/data to change program execution flow. Attackers may attempt to access the memory in any number of ways.
Attackers may perform a cold boot attack by pulling out physical memory of a computer system and scanning it using another machine to steal content (e.g., secrets, keys, files, content, identities) directly from memory. In order for processors to support trusted services, content protection and device authentication, it is essential for computer platforms to prevent cold boot attacks. Furthermore, as processors, for area and power efficiency, move the important microcode to memory, attacks on memory can fundamentally compromise the processor architecture, steal trade secrets and even inject malicious code at the micro-code level.
Attackers may also directly probe main memory or dynamic random access memory (DRAM) in a computer in order to discover sensitive and/or secret data stored in the main memory. In these hardware attacks, the hackers possess the hardware platform and the main memory (or DRAM) and may use sophisticated lab equipment (e.g., logic probes on the memory bus) to read the data out of the main memory (or DRAM).
Attackers may launch active attacks on memory by injecting code/data into the DRAM. The attackers may add malicious devices (e.g. field programmable gate arrays (FPGAs)) on a QuickPath Interconnect (QPI) bus to access memory directly.
Main memory is increasingly becoming non-volatile (e.g. Phase Change Memories and Flash) and even external, further increasing its susceptibility to attack. For example, network/back-plane memories allow DRAM to be shared by processors/blades across a data center, making man-in-the-middle attacks on the memory transactions as trivial as accessing a mirror port on a network switch.
Preventing the various attacks on memory requires encryption, integrity checking and anti-replay checking of the system's main memory. The mechanisms for ensuring confidentiality and providing high integrity memory, like error correcting codes for robust memory, require on-package/uncore memory cryptography circuits on, for example, a central processing unit (CPU). The cryptography circuits on the CPU may encrypt data at the CPU before the data are evicted from the CPU to the main memory. Thus, the memory stores the ciphertext of the data. Hackers attempting to access the data cannot uncover the plaintext of the data if they cannot subvert the underlying cryptographic schemes or the unique keys that may be fused into the CPU die at manufacture time.
In addition to data encryption, the cryptography circuits contained on the CPU may also generate a cryptographic integrity check value (ICV) over the data. Both the encrypted data and the ICVs may be stored in the main memory. When the CPU reads from the main memory, the CPU checks for ICV correctness prior to accepting the encrypted data. If the attackers use the active hardware manipulation to modify the data, the ICV check will fail and the CPU will detect data modification. If the memory were only encrypted, the attackers could change the bit pattern such that an unpredictable bit pattern is injected into the CPU cache (and may compromise the state of the machine).
Attackers may be able to capture encrypted data and the associated ICVs and replay these values, for example, to get around content that has restricted usage (e.g., movies that are allowed to be played only a certain number of times). Restricted usage content may store a value associated with usage at a location in memory. The value may be checked prior to allowing access to the content and then may be updated after the content is accessed (e.g., the movie played), and the new value may be stored at the location in memory. A hacker may capture a previous usage value from the memory and replay the value when the program attempts to access the usage value. If the attacker captures an old usage value that has the correct ICV and encryption, they can use this old data to continuously access (e.g., play) the content.
Anti-replay mechanisms may be implemented to prevent this play-back attack. These anti-replay mechanisms may require computation and storage of a version tree or cryptographic hash tree that assures old memory contents cannot be replayed. These data structures amplify the read/write overheads by orders of magnitude, significantly increasing memory latency and reducing throughput to main memory. Alternatively, the CPU may store all the ICV values inside the CPU package so that an attacker cannot access them. However, this solution may not be practical as it could require excessive CPU memory and multiple read/writes for every data access. For example, one ICV (e.g. 16-byte) may be stored for each cacheline in memory (e.g. 64-byte).
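As an added illustration (not part of the original text), a toy Python model of the scheme described above: a 16-byte ICV bound to each 64-byte cacheline detects active modification of the ciphertext, while a captured (ciphertext, ICV) pair for an old usage counter still verifies on replay unless the ICV is also bound to a version counter held inside the CPU. The SHA-256 keystream, HMAC-based ICV, address and counter values are assumptions for the model, not a real processor's design.

```python
import hashlib
import hmac
import os

CACHELINE = 64  # bytes per memory line, as on the page
ICV_LEN = 16    # one 16-byte ICV per cacheline, as on the page

def keystream(key: bytes, addr: int, version: int) -> bytes:
    """Toy per-line keystream: SHA-256 over key, address and version (assumed, not a CPU scheme)."""
    out = b""
    for blk in range(2):  # two 32-byte digests cover one 64-byte line
        out += hashlib.sha256(key + addr.to_bytes(8, "big") + version.to_bytes(8, "big") + bytes([blk])).digest()
    return out[:CACHELINE]

def _icv(key: bytes, addr: int, version: int, ct: bytes) -> bytes:
    """ICV = truncated HMAC over address, version and ciphertext, so any of the three is bound."""
    return hmac.new(key, addr.to_bytes(8, "big") + version.to_bytes(8, "big") + ct, hashlib.sha256).digest()[:ICV_LEN]

def encrypt_line(key: bytes, addr: int, plaintext: bytes, version: int = 0):
    """CPU-side eviction: return (ciphertext, icv) to be stored in DRAM."""
    assert len(plaintext) == CACHELINE
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, addr, version)))
    return ct, _icv(key, addr, version, ct)

def decrypt_line(key: bytes, addr: int, ct: bytes, icv: bytes, version: int = 0):
    """CPU-side read: verify the ICV first; return plaintext, or None if the line was modified or replayed."""
    if not hmac.compare_digest(_icv(key, addr, version, ct), icv):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, addr, version)))

def usage_counter_scenario(anti_replay: bool) -> dict:
    """Store a 'plays remaining' counter in memory, then try a bit flip and a replay of the old line."""
    key = os.urandom(32)   # stands in for the key fused into the CPU die
    addr = 0x1000          # constructed sample address
    version = 0            # on-die version counter; only advanced when anti_replay is True
    line = (5).to_bytes(8, "big").ljust(CACHELINE, b"\0")   # 5 plays remaining
    ct, icv = encrypt_line(key, addr, line, version)
    stolen = (ct, icv)     # attacker captures the encrypted line and its ICV from DRAM
    tampered = bytes([ct[0] ^ 1]) + ct[1:]                  # active modification of the ciphertext
    tamper_detected = decrypt_line(key, addr, tampered, icv, version) is None
    if anti_replay:
        version += 1       # legitimate update bumps the version kept inside the CPU
    line2 = (4).to_bytes(8, "big").ljust(CACHELINE, b"\0")  # one play consumed, 4 remaining
    encrypt_line(key, addr, line2, version)                 # new line written to DRAM
    # attacker writes the stolen old line back; the CPU reads it with its current version
    replay_detected = decrypt_line(key, addr, stolen[0], stolen[1], version) is None
    return {"tamper_detected": tamper_detected, "replay_detected": replay_detected}
```

Without the version counter the replayed line carries a valid ICV and decrypts to the old "5 plays" value; binding the ICV to an on-die version makes the same replay fail the check.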