Securing untrusted memories in embedded systems

Bibliographic Details
Main Author: Vig, Saru
Other Authors: Lam Siew Kei
Format: Thesis-Doctor of Philosophy
Language:English
Published: Nanyang Technological University 2020
Subjects: Engineering::Computer science and engineering
Online Access: https://hdl.handle.net/10356/138253
Abstract

Embedded systems have become a pervasive part of our lives and they are now the driving force behind technological advancements in many commercial sectors such as health, automotive, manufacturing, etc. Due to our heavy dependence on such systems, it is essential that they are secure. However, commercially available embedded processors cannot guarantee secure storage in external memories, thereby exposing the vulnerability of the system to memory attacks. Protecting embedded systems from such malicious attacks poses an enormous challenge as existing memory security schemes contribute to excessive runtime overheads. This thesis aims to address this challenge by proposing compile-time and runtime strategies for securing untrusted memories from active memory attacks (e.g. replay, spoofing and splicing attacks) that can compromise the confidentiality and integrity of the memory data. Architecture-aware algorithms are proposed to support the adaptation of memory integrity trees to application workloads. Security analysis is undertaken to ensure that the performance gains are achieved without compromising on the security strength.

In order to investigate the potential of customizing memory integrity trees to application workloads for reducing the authentication overhead, we first devised an approach to restructure the integrity trees at compile-time by analyzing the static memory access patterns. The nodes of the memory integrity tree are placed on different levels of the tree based on the frequency of memory accesses. We validated the effectiveness of the proposed approach on the Altera NIOS II processor with an external DRAM. Experimental results using applications from widely-used benchmarks show that the proposed approach leads to an average runtime improvement of 18% over conventional memory protection schemes.

Since not all application workloads are known at compile-time, we proposed a technique to dynamically customize the integrity tree based on the runtime memory access patterns. The proposed scheme enables the memory integrity tree to be dynamically restructured to significantly reduce the number of verification steps for the frequently accessed memory blocks, leading to an overall reduction in the overhead for memory authentication. Experimental results show an average performance improvement of 30% compared to the conventional balanced integrity tree approach.

Next, we proposed a memory authentication framework that combines architecture-specific optimizations of the integrity tree with mechanisms that enable it to restructure at runtime based on memory access patterns. The integrity tree structure is customized based on the cache configuration in order to minimize the performance and energy overhead through speculative authentication. The framework is simulated with Multi2Sim targeting an Intel x86 processor to explore the impact of various cache configurations on the memory authentication overhead. Experimental results show that an average performance gain of 30% can be obtained over the conventional balanced tree approach. In addition, the proposed framework enables the selection of optimal cache configurations that can lead to energy savings of over 40% without sacrificing performance.

Finally, we proposed three schemes to improve the scalability of our dynamic skewed integrity tree approach. The first scheme utilizes a dedicated Tree-Cache to cache memory integrity tree nodes. The tree is initialized using the van Emde Boas (vEB) organization to take advantage of locality of reference. This led to a performance gain of approximately 15%. In the second scheme, we proposed a dynamic skew-and-split tree, DISSECT, which progressively adjusts the tree height by varying the tree arity to reduce authentication overhead. DISSECT can mitigate the frequent overflowing of counters that are used for encryption when the tree arity is increased. Experimental results show an average of 20% reduction in authentication time over the balanced tree approach. In the third scheme, we evaluated the benefits of integrating a cryptographic hardware module in the memory controller. This resulted in a 40-50% decrease in authentication time during memory authentication.
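The following Python is an added example, not code from the thesis (whose restructuring algorithms and security analysis are not reproduced on this page). It models the mechanism the abstract describes: a binary hash tree over untrusted DRAM in which only the root is held in trusted on-chip storage, built once as a balanced tree and once skewed by access frequency so that hot blocks sit near the root and need fewer verification steps, and then subjected to the spoofing, splicing and replay attacks the abstract names. The Huffman-style placement heuristic, the eight-block `SAMPLE_MEMORY`, the `SAMPLE_PROFILE` access counts and the step-count metric are all assumptions made for illustration; the model covers integrity only and leaves out the counter-mode encryption whose counter overflow DISSECT addresses.

```python
"""Added example (not the thesis's code): hash tree over untrusted memory,
balanced vs. frequency-skewed, plus the active attacks from the abstract.
The Huffman-style placement, sample memory and access profile are assumed."""
import hashlib
import heapq
from itertools import count

# Constructed sample: eight 16-byte blocks at block addresses 0..7.
SAMPLE_MEMORY = {addr: bytes([addr]) * 16 for addr in range(8)}
# Constructed access profile (accesses per block), as a compile-time analysis
# or a runtime counter might produce: block 0 is hot, block 7 is cold.
SAMPLE_PROFILE = {0: 50, 1: 20, 2: 10, 3: 10, 4: 4, 5: 3, 6: 2, 7: 1}


def h(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 so (a, b) and (a + b,) never collide."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big"))
        m.update(p)
    return m.digest()


def balanced_shape(addrs):
    """Complete binary tree over the leaves (len(addrs) a power of two)."""
    if len(addrs) == 1:
        return addrs[0]
    mid = len(addrs) // 2
    return (balanced_shape(addrs[:mid]), balanced_shape(addrs[mid:]))


def skewed_shape(profile):
    """Assumed heuristic: Huffman merging by access count, so frequently
    accessed blocks end up shallow and rarely accessed ones deep."""
    tie = count()
    heap = [(weight, next(tie), addr) for addr, weight in profile.items()]
    heapq.heapify(heap)
    while len(heap) > 1:
        w1, _, s1 = heapq.heappop(heap)
        w2, _, s2 = heapq.heappop(heap)
        heapq.heappush(heap, (w1 + w2, next(tie), (s1, s2)))
    return heap[0][2]


class IntegrityTree:
    """Binary hash tree. Trusted state is only `trusted_root` (on-chip);
    `memory` and `nodes` model DRAM, which an attacker may rewrite freely."""

    def __init__(self, memory, shape):
        self.memory = memory
        self.nodes = {}      # tree position (tuple of 0/1) -> hash, in DRAM
        self.leaf_pos = {}   # block address -> tree position
        self.trusted_root = self._build(shape, ())

    def _leaf_hash(self, addr):
        # The address is bound into the leaf, so a valid block moved to a
        # different address (splicing) does not hash to the stored leaf.
        return h(b"leaf", addr.to_bytes(8, "big"), self.memory[addr])

    def _build(self, shape, pos):
        if isinstance(shape, int):
            self.leaf_pos[shape] = pos
            digest = self._leaf_hash(shape)
        else:
            left = self._build(shape[0], pos + (0,))
            right = self._build(shape[1], pos + (1,))
            digest = h(b"node", left, right)
        self.nodes[pos] = digest
        return digest

    def _walk_up(self, addr, store):
        """Re-hash from addr's leaf to the root; returns (root, hash count)."""
        pos = self.leaf_pos[addr]
        digest = self._leaf_hash(addr)
        steps = 1
        if store:
            self.nodes[pos] = digest
        while pos:
            parent, side = pos[:-1], pos[-1]
            sibling = self.nodes[parent + (1 - side,)]   # read from DRAM
            digest = h(b"node", digest, sibling) if side == 0 else h(b"node", sibling, digest)
            steps += 1
            if store:
                self.nodes[parent] = digest
            pos = parent
        return digest, steps

    def verify(self, addr):
        """Authenticated read: (matches trusted root?, hash computations)."""
        root, steps = self._walk_up(addr, store=False)
        return root == self.trusted_root, steps

    def write(self, addr, data):
        """Authenticated write: update block, its path, and the trusted root."""
        self.memory[addr] = data
        self.trusted_root, _ = self._walk_up(addr, store=True)


def average_steps(tree, profile):
    """Expected hash computations per access under the access profile."""
    total = sum(profile.values())
    return sum(w * tree.verify(a)[1] for a, w in profile.items()) / total


def demo():
    balanced = IntegrityTree(dict(SAMPLE_MEMORY), balanced_shape(list(range(8))))
    skewed = IntegrityTree(dict(SAMPLE_MEMORY), skewed_shape(SAMPLE_PROFILE))
    costs = (average_steps(balanced, SAMPLE_PROFILE), average_steps(skewed, SAMPLE_PROFILE))
    t = skewed   # all attacks below write DRAM directly, bypassing write()
    t.memory[0] = b"\xff" * 16                         # spoofing
    spoof_detected = not t.verify(0)[0]
    t.write(0, SAMPLE_MEMORY[0])                       # legitimate repair
    t.memory[1], t.memory[2] = t.memory[2], t.memory[1]  # splicing
    splice_detected = not t.verify(1)[0]
    t.memory[1], t.memory[2] = t.memory[2], t.memory[1]
    snapshot = (dict(t.memory), dict(t.nodes))         # replay: stale DRAM image
    t.write(3, b"\x42" * 16)                           # legitimate update
    t.memory, t.nodes = snapshot                       # attacker restores old image
    replay_detected = not t.verify(3)[0]               # only the on-chip root differs
    return costs, spoof_detected, splice_detected, replay_detected


if __name__ == "__main__":
    print(demo())
```

Under the constructed profile the balanced tree costs 4 hash computations on every access, while the skewed tree averages 3.19 because the two hottest blocks sit one and two levels below the root; the same profile drives all three attack checks, each caught by comparing the recomputed root with the on-chip copy rather than by anything stored in DRAM.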
Citation: Vig, S. (2020). Securing untrusted memories in embedded systems. Doctoral thesis, Nanyang Technological University, Singapore. https://hdl.handle.net/10356/138253
DOI: 10.32657/10356/138253
School: School of Computer Science and Engineering, Centre for High Performance Embedded Systems
Deposited: 2020-04-29
License: Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
Format: application/pdf