In the cloud virtualized infrastructure, multiple tenants may co-exist in the same physical host, sharing the host's physical DRAM memory and disk storage. Virtualization technology used in the cloud creates the illusion of having multiple virtual machines (VMs) within the same physical host by means of sharing and multiplexing the host resources which include its multiple CPU cores, physical memory, and hard disk. FIG. 1 shows three VMs which belong to different users that are allocated portions of physical memory and hard disk.
In the cloud, the VMs are allocated on demand and dynamically to different users. A VM may stay running for some period of time (minutes, hours, or days) and then get terminated by a user. Once terminated, its resources are re-allocated to a newly provisioned VM. Each time a new VM is allocated, its resources are allocated from the older VM resources, as shown in FIG. 2.
FIG. 2 illustrates resource allocation after termination of VM2 and provisioning of VM4. FIG. 2(a) shows that the memory and disk resources of VM2 are available for use after VM2 termination. In FIG. 2(b), a new virtual machine is provisioned by user 4 (VM4) and has been allocated the memory and disk resources of VM2. Once VM4 is running, the user of this VM can have access to the content of DRAM and disk storage which was used by the older user. The new user can simply take memory images and snapshots and then perform offline forensic analysis to extract sensitive information of the older user. This indeed poses a serious data privacy problem.
As has been illustrated, a critical security problem and data privacy issue can exist if the DRAM content is not sanitized or wiped out before being allocated to a newly provisioned VM. The cloud provider has to provide a total isolation and protection of user data during run time and after termination. If the data in physical memory and hard disk are not properly sanitized and deleted at run time and after deletion, sensitive information can be leaked, thereby jeopardizing the privacy of the cloud users and their data. Sensitive information may include confidential documents and images, passwords, encryption keys, personal information and records, banking and credit card information, metadata, etc.
The cloud computing platform is just one example of contexts where physical memory is shared between multiple users. A single physical machine can also provide access to multiple users in a sequential manner such that different sessions are initiated and terminated for different users. If data stored on the physical memory by one user is not deleted, this data can be accessed by a subsequent user accessing the machine.
To date, wiping out the DRAM and disk storage, if done, is performed using software by means of zeroing out DRAM content using software. At boot time of the newly provisioned VM, the software would write zeroes or random data to the DRAM. The zeroing out method involves the CPU to carry out sequential memory-write operations of zeros to all physical memory locations. This is considerably slow and expensive operation especially. For a small size, it may take a few seconds to wipe out 1 GB DRAM. For larger-size VMs, the DRAM portion can be as big as 64 GB or more. For this, wiping out the memory using software may take a few minutes. Such time is not acceptable in some contexts such as by the cloud user as it prolongs the launch and boot time of VM instances.
Other methods can zero out the memory using software at user session/VM termination (and not at boot time). Still, this solution is not adequate and will slow down enormously the availability of the freed memory to be allocated to newly provisioned users/VMs.
In short, software solutions that deal with zeroing out the physical memory at boot up or after termination are not adequate solutions, due to the computation overhead cost. That is, such software solutions will be considerably slow considering the size of the allocated RAM which can be in tens of gigabytes. Such solutions may take minutes, and will stretch the bootup time enormously. Equally, it is also imperative to shorten the termination time of a machine (such as a VM) so that freed resources can be allocated quickly to newly provisioned VMs.
Further, it will be understood to the persons skilled in the art that DRAM provides maximum memory density at cost of access time. Basic DRAM cell 3 consists of one nMOS transistor and one capacitor (FIG. 3). The transistor is used to control access to the storage element (capacitor). The memory state is stored as charge on the capacitor. Since the charge on the capacitor can leak away hence, the need for refreshing when DRAM is used. The refreshing time is determined by the time the capacitor can maintain enough charge to indicate logic one. In addition to refreshing DRAM, read access is destructive which means when the cell gets access for read the data stored is disturbed and another operation need to be performed to re-store data.
Memory controller keeps track of memory array access and refreshing times. It is proposed to utilize this hardware feature that already exists to zeroing DRAM content. This provides hardware managed solution which is much faster than the software counterpart. The implementation of the proposed scheme can vary based on the tradeoff between memory availability, area overhead, and design complexity.
The array size can be static for all programs and will depend on the total memory size or it can be dynamic based on number of programs and overall system performance. FIG. 4 depicts a typical memory array organization with a major interface where N+M are address bits and D is the data interface.