No sugar but all the taste! Memory encryption without architectural support

Panagiotis Papadopoulos, Giorgos Vasiliadis, Giorgos Christou, Evangelos Markatos, Sotiris Ioannidis

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

4 Citations (Scopus)

Abstract

The protection of in situ data typically requires solutions that involve different kinds of encryption schemes. Even though the majority of these solutions prioritize the protection of cold data stored on secondary devices, it has been shown that sensitive information such as passwords, secrets, and private data can be easily exfiltrated from main memory as well, by adversaries with physical access. As such, the protection of hot data residing in main memory is equally important. In this paper, we aim to investigate whether it is possible to achieve memory encryption without any architectural support at a reasonable performance cost. In particular, we propose the first software-based memory encryption approach of its kind, which ensures that sensitive data remain encrypted in main memory at all times. Our approach is based on commodity off-the-shelf hardware and is totally transparent to legacy applications. To accommodate different applications' needs, we have built two versions of main memory encryption: Full and Selective Memory Encryption. Additionally, we provide a new memory allocation library that allows programmers to manage granular sensitive memory regions according to the specific requirements of each application. We conduct an extensive quantitative evaluation and characterization of the overheads of our software-based memory encryption, using both micro-benchmarks and real-world application workloads. Our results show that the performance overheads due to memory encryption are tolerable in real-world network scenarios, below 17% for HTTP and 27% for HTTPS.

Original language: English
Title of host publication: Computer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings
Publisher: Springer Verlag
Pages: 362-380
Number of pages: 19
ISBN (Print): 9783319663982
DOI: https://doi.org/10.1007/978-3-319-66399-9_20
Publication status: Published - 1 Jan 2017
Event: 22nd European Symposium on Research in Computer Security, ESORICS 2017 - Oslo, Norway
Duration: 11 Sep 2017 to 15 Sep 2017

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 10493 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 22nd European Symposium on Research in Computer Security, ESORICS 2017
Country: Norway
City: Oslo
Period: 11/9/17 to 15/9/17

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Papadopoulos, P., Vasiliadis, G., Christou, G., Markatos, E., & Ioannidis, S. (2017). No sugar but all the taste! Memory encryption without architectural support. In Computer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings (pp. 362-380). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10493 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-66399-9_20
