## **Application Memory Authentication\***

#### David Champagne, Reouven Elbaz and Ruby B. Lee

\* D. Champagne, R. Elbaz and R. B. Lee, "The Reduced Address Space (RAS) for Application Memory Authentication", In Proceedings of the 11<sup>th</sup> Information Security Conference (ISC'08), September 2008.

### Introduction

#### Background:

TPM, XOM, AEGIS, SP, SecureBlue want to provide trust in an application's computations and protect private information.

An adversary corrupting the memory space of an application can affect the trustworthiness of its computations.

#### **Security Model:**

✓ Threats:

- Physical attacks: Tampering with bus data or memory chip
- Software (SW) Attacks: Compromised OS

Assumptions:

- Processor chip is the security perimeter
- Application to protect is correctly written (no SW vulnerabilities)
- On-chip engine can authenticate initial state of application

#### Objective

Provide application memory authentication: What the application reads from a memory location is what it last wrote there.

## **Outline**

#### Introduction to memory integrity trees

#### Past Work:

- Building a tree over the physical address space (PAS Tree)
- ✓ Building a tree over the virtual address space (VAS Tree)

#### Proposed Approach

- A novel Reduced Address Space (RAS)
- ✓ Building a tree over the RAS (RAS Tree)
- Managing the RAS Tree with the Tree Management Unit (TMU)
- Performance evaluation

Conclusion

# **Addressing Nodes in an Integrity Tree**



## **Outline**

Introduction to memory integrity trees

Past Work:

Building a tree over the physical address space (PAS Tree)

- Building a tree over the virtual address space (VAS Tree)
- Proposed Approach
  - A novel Reduced Address Space (RAS)
  - ✓ Building a tree over the RAS (RAS Tree)
  - Managing the RAS Tree with the Tree Management Unit (TMU)
  - Performance evaluation

Conclusion

# Physical Address Space (PAS) Tree

Majority of past work implements a PAS Tree, where:

- Tree nodes form a contiguous memory region in the PAS
- An extra mechanism to protect paged data is needed

Problem: with untrusted OS, branch splicing attack can be carried out

Branch splicing attack: splicing of memory data via page table corruption

# **On-Chip Root Recomputation Example 1/2**











# **On-Chip Root Recomputation Example 2/2**











# **The Branch Splicing Attack**

#### Integrity Verification in a PAS Tree

#### Integrity Verification in a VAS Tree



## **Outline**

Introduction to memory integrity trees

Past Work:

Building a tree over the physical address space (PAS Tree)

Building a tree over the virtual address space (VAS Tree)

- Proposed Approach
  - A novel Reduced Address Space (RAS)
  - ✓ Building a tree over the RAS (RAS Tree)
  - Managing the RAS Tree with the Tree Management Unit (TMU)
  - Performance evaluation

Conclusion

# **VAS-Tree Traversal Issues**

- When OS is untrusted, VAS trees are implemented:
  - Tree nodes form a contiguous memory region in the VAS
- Problem: Tree must cover huge segment of memory space



This leads to huge integrity trees:

- Very large memory capacity overhead
- Very large initialization latencies

| Tree span                       | 32-bit                      | 40-bit               | 48-bit               | 56-bit               | 64-bit               |
|---------------------------------|-----------------------------|----------------------|----------------------|----------------------|----------------------|
| Total memory footprint (B)      | 5.7x10 <sup>9</sup>         | 1.5x10 <sup>12</sup> | 3.8x10 <sup>14</sup> | 9.6x10 <sup>16</sup> | 2.5x10 <sup>19</sup> |
| Initialization latency (cycles) | <b>7.4x10</b> <sup>10</sup> | 1.4x10 <sup>14</sup> | 3.5x10 <sup>16</sup> | 8.9x10 <sup>18</sup> | 2.3x10 <sup>21</sup> |

4-ary hash tree @ 2GHz

## **Outline**

Introduction to memory integrity trees

#### Past Work:

- Building a tree over the physical address space (PAS Tree)
- Building a tree over the virtual address space (VAS Tree)

#### Proposed Approach

- ✓ A novel Reduced Address Space (RAS)
- ✓ Building a tree over the RAS (RAS Tree)
- Managing the RAS Tree with the Tree Management Unit (TMU)
- Performance evaluation

#### Conclusion

# **Proposed Approach**

- The Reduced Address Space (RAS): a novel address space containing only pages necessary to the application's execution
  - RAS expands dynamically to fit the application's memory needs
  - RAS contains compact descriptions of memory regions not mapped in RAS, the Unmapped Page Ranges (UPRs)
- Compute integrity tree over RAS (a RAS tree) for dramatic reduction of memory and initialization overheads
- When application touches a previously unused page, on-chip logic expands RAS and adds branch to RAS tree

# The Reduced Address Space (RAS)

- RAS initially contains the application image authenticated at load-time.
- Page mapped into RAS when application touches it for the first time.
- Tree is built over RAS so span follows the execution of the application.
- This selective tree coverage allows dramatic reduction of all overheads.



## **Tree Expansion**



# **TMU: Tree Management Unit**

TMU: Architectural Support for building a Tree over a RAS:

- New TLB fields or TMU fields: RAS index (20 bits), Excluded bit (E) and the Mapped bit (M).
- A TLB for tree nodes

Authentication primitive and Check/Update logic



addr = RAS\_index || offset,

## **Performance Evaluation**

IPC hit less than 5% over no integrity tree and 2.5% over cached Merkle Tree.



Fig. 10. Comparisons of tree overheads for different memory spans for gcc



We can provide application memory authentication despite an untrusted OS

We reduced memory capacity overhead by 3 orders of magnitude on average

We reduced CPU time overhead for initialization by 3 orders of magnitude on average

## References

**[D. Champagne, R. Elbaz et al.]** "The Reduced Address Space (RAS) for Application Memory Authentication" In Proceedings of the 11th Information Security Conference (ISC'08), September 2008.

**[R. Elbaz, D. Champagne et al.]** "TEC-Tree: A Low Cost and Parallelizable Tree for Efficient Defense against Memory Replay Attacks," Cryptographic Hardware and embedded systems (CHES), September 2007.

**[B. Gassend et al.]** "Caches and Merkle Trees for Efficient Memory Authentication," High Performance Computer Architecture (HPCA-9), February 2003.

**[R. Merkle]** "Protocols for Public Key Cryptosystems," IEEE Symposium on Security and Privacy, 1980.

**[G. E. Suh et al.]** "AEGIS: Architecture for Tamper-Evident and Tamper-Resistant Processing," Proc. of the 17th Int'l Conf. on Supercomputing (ICS), 2003.

**[C. Yan et al.]** "Improving Cost, Performance, and Security of Memory Encryption and Authentication", Int'l Symposium on Computer Architecture (ISCA'06), June 2006.

### **BACKUP SLIDES**

# **Root Recomputation Equations**

| Leaf Position to Verify | Root Recomputation Performed by<br>On-chip Authentication Engine                       |
|-------------------------|----------------------------------------------------------------------------------------|
| 1                       | $\underline{COMP1} = h\{ h[h(D1  D2)    H4]    H2 \}$                                  |
| 2                       | $COMP2 = h\{ h[h(D1    D2)    H4]    H2 \}$                                            |
| 3                       | $COMP3 = h\{ h[H3    h(D3    D4)]    H2 \}$                                            |
| 4                       | $COMP4 = h\{ h[ H3    h(D3    D4) ]    H2 \}$                                          |
| 5                       | $\underline{COMP5} = h\{ \text{ H1} \parallel h[ h(D5 \parallel D6) \parallel H6 ] \}$ |
| 6                       | $\underline{COMP6} = h\{ H1    h[ h(D5    D6)    H6 ] \}$                              |
| 7                       | $\underline{COMP7} = h\{ H1 \parallel h[ H5 \parallel h(D7 \parallel D8) ] \}$         |
| 8                       | $\underline{COMP8} = h\{ H1 \parallel h[ H5 \parallel h(D7 \parallel D8) ] \}$         |



X fetched from memory



leaf to verify (fetched from memory)

*COMPi* = root re**COMP**utation equation for leaf position i

# **Branch Splicing Attack**





Normal verification flow
Verification flow under

attack from malicious OS



P(X) = physical address of X V(X) = virtual address of X