MEMES: Memory Encryption-based Memory Safety on Commodity Hardware

David Schrammel; Salmin Sultana; Karanvir Grewal; Michael LeMay; David Durham; Martin Unterguggenberger; Pascal Nasahl; Stefan Mangard

doi:10.5220/0012050300003555

MEMES: Memory Encryption-based Memory Safety on Commodity Hardware

David Schrammel, Salmin Sultana, Karanvir Grewal, Michael LeMay, David Durham, Martin Unterguggenberger, Pascal Nasahl, Stefan Mangard

Institut für Angewandte Informationsverarbeitung und Kommunikationstechnologie (7050)

Publikation: Beitrag in Buch/Bericht/Konferenzband › Beitrag in einem Konferenzband › Begutachtung

Abstract

Memory encryption is an effective security building block broadly available on commodity systems from Intel® and AMD. Schemes, such as Intel® TME-MK and AMD SEV, help provide data confidentiality and integrity, enabling cryptographic isolation of workloads on shared platforms. However, due to their coarse encryption granularity (i.e., pages or entire virtual machines), these hardware-enabled primitives cannot unleash their full potential to provide protection for other security applications, such as memory safety. To this end, we present a novel approach to achieving sub-page-granular memory encryption without hardware modifications on off-the-shelf systems featuring Intel®’s TME-MK. We showcase how to utilize our fine-grained memory encryption approach for memory safety by introducing MEMES. MEMES is capable of mitigating both spatial and temporal heap memory vulnerabilities by encrypting individual memory objects with different encryption keys. Compared to other hardware-based memory safety schemes, our approach works on existing commodity hardware, which allows easier adoption. Our extensive analysis attests to the strong security benefits which are provided at a geometric mean runtime overhead of just 16–27%.

Originalsprache	englisch
Titel	SECRYPT 2023 - Proceedings of the 20th International Conference on Security and Cryptography
Redakteure/-innen	Sabrina De Capitani di Vimercati, Pierangela Samarati
Herausgeber (Verlag)	SciTePress
Seiten	25-36
Seitenumfang	12
Band	1
ISBN (Print)	978-989-758-666-8
DOIs	https://doi.org/10.5220/0012050300003555
Publikationsstatus	Veröffentlicht - 2023
Veranstaltung	20th International Conference on Security and Cryptography: SECRYPT 2023 - Rome, Italien Dauer: 10 Juli 2023 → 12 Juli 2023

Konferenz

Konferenz	20th International Conference on Security and Cryptography: SECRYPT 2023
Kurztitel	SECRYPT
Land/Gebiet	Italien
Ort	Rome
Zeitraum	10/07/23 → 12/07/23

ASJC Scopus subject areas

Software
Information systems
Computernetzwerke und -kommunikation

Zugriff auf Dokument

10.5220/0012050300003555Lizenz: CC BY-NC-ND 4.0

memes-camerareadyAkzeptiertes Autorenmanuskript, 335 KB

Andere Dateien und Links

Verknüpfung zur Publikation in Scopus

AWARE - Hardware-gewährleistete Softwaresicherheit
Mangard, S.
1/05/22 → 30/04/25
Projekt: Forschungsprojekt

Dieses zitieren

Schrammel, D., Sultana, S., Grewal, K., LeMay, M., Durham, D., Unterguggenberger, M., Nasahl, P., & Mangard, S. (2023). MEMES: Memory Encryption-based Memory Safety on Commodity Hardware. in S. De Capitani di Vimercati, & P. Samarati (Hrsg.), SECRYPT 2023 - Proceedings of the 20th International Conference on Security and Cryptography (Band 1, S. 25-36). SciTePress. https://doi.org/10.5220/0012050300003555

MEMES: Memory Encryption-based Memory Safety on Commodity Hardware. / Schrammel, David; Sultana, Salmin; Grewal, Karanvir et al.
SECRYPT 2023 - Proceedings of the 20th International Conference on Security and Cryptography. Hrsg. / Sabrina De Capitani di Vimercati; Pierangela Samarati. Band 1 SciTePress, 2023. S. 25-36.

Publikation: Beitrag in Buch/Bericht/Konferenzband › Beitrag in einem Konferenzband › Begutachtung

Schrammel, D, Sultana, S, Grewal, K, LeMay, M, Durham, D, Unterguggenberger, M, Nasahl, P & Mangard, S 2023, MEMES: Memory Encryption-based Memory Safety on Commodity Hardware. in S De Capitani di Vimercati & P Samarati (Hrsg.), SECRYPT 2023 - Proceedings of the 20th International Conference on Security and Cryptography. Bd. 1, SciTePress, S. 25-36, 20th International Conference on Security and Cryptography: SECRYPT 2023, Rome, Italien, 10/07/23. https://doi.org/10.5220/0012050300003555

@inproceedings{de49bf690673414ca5d152edcf01b555,

title = "MEMES: Memory Encryption-based Memory Safety on Commodity Hardware",

abstract = "Memory encryption is an effective security building block broadly available on commodity systems from Intel{\textregistered} and AMD. Schemes, such as Intel{\textregistered} TME-MK and AMD SEV, help provide data confidentiality and integrity, enabling cryptographic isolation of workloads on shared platforms. However, due to their coarse encryption granularity (i.e., pages or entire virtual machines), these hardware-enabled primitives cannot unleash their full potential to provide protection for other security applications, such as memory safety. To this end, we present a novel approach to achieving sub-page-granular memory encryption without hardware modifications on off-the-shelf systems featuring Intel{\textregistered}{\textquoteright}s TME-MK. We showcase how to utilize our fine-grained memory encryption approach for memory safety by introducing MEMES. MEMES is capable of mitigating both spatial and temporal heap memory vulnerabilities by encrypting individual memory objects with different encryption keys. Compared to other hardware-based memory safety schemes, our approach works on existing commodity hardware, which allows easier adoption. Our extensive analysis attests to the strong security benefits which are provided at a geometric mean runtime overhead of just 16–27%.",

keywords = "Exploit Mitigation, Fine-Granular Memory Encryption, Intel{\textregistered} TME-MK, Memory Safety",

author = "David Schrammel and Salmin Sultana and Karanvir Grewal and Michael LeMay and David Durham and Martin Unterguggenberger and Pascal Nasahl and Stefan Mangard",

year = "2023",

doi = "10.5220/0012050300003555",

language = "English",

isbn = "978-989-758-666-8",

volume = "1",

pages = "25--36",

editor = "{De Capitani di Vimercati}, Sabrina and Pierangela Samarati",

booktitle = "SECRYPT 2023 - Proceedings of the 20th International Conference on Security and Cryptography",

publisher = "SciTePress",

address = "Portugal",

note = "20th International Conference on Security and Cryptography: SECRYPT 2023, SECRYPT ; Conference date: 10-07-2023 Through 12-07-2023",

}

TY - GEN

T1 - MEMES: Memory Encryption-based Memory Safety on Commodity Hardware

AU - Schrammel, David

AU - Sultana, Salmin

AU - Grewal, Karanvir

AU - LeMay, Michael

AU - Durham, David

AU - Unterguggenberger, Martin

AU - Nasahl, Pascal

AU - Mangard, Stefan

PY - 2023

Y1 - 2023

N2 - Memory encryption is an effective security building block broadly available on commodity systems from Intel® and AMD. Schemes, such as Intel® TME-MK and AMD SEV, help provide data confidentiality and integrity, enabling cryptographic isolation of workloads on shared platforms. However, due to their coarse encryption granularity (i.e., pages or entire virtual machines), these hardware-enabled primitives cannot unleash their full potential to provide protection for other security applications, such as memory safety. To this end, we present a novel approach to achieving sub-page-granular memory encryption without hardware modifications on off-the-shelf systems featuring Intel®’s TME-MK. We showcase how to utilize our fine-grained memory encryption approach for memory safety by introducing MEMES. MEMES is capable of mitigating both spatial and temporal heap memory vulnerabilities by encrypting individual memory objects with different encryption keys. Compared to other hardware-based memory safety schemes, our approach works on existing commodity hardware, which allows easier adoption. Our extensive analysis attests to the strong security benefits which are provided at a geometric mean runtime overhead of just 16–27%.

AB - Memory encryption is an effective security building block broadly available on commodity systems from Intel® and AMD. Schemes, such as Intel® TME-MK and AMD SEV, help provide data confidentiality and integrity, enabling cryptographic isolation of workloads on shared platforms. However, due to their coarse encryption granularity (i.e., pages or entire virtual machines), these hardware-enabled primitives cannot unleash their full potential to provide protection for other security applications, such as memory safety. To this end, we present a novel approach to achieving sub-page-granular memory encryption without hardware modifications on off-the-shelf systems featuring Intel®’s TME-MK. We showcase how to utilize our fine-grained memory encryption approach for memory safety by introducing MEMES. MEMES is capable of mitigating both spatial and temporal heap memory vulnerabilities by encrypting individual memory objects with different encryption keys. Compared to other hardware-based memory safety schemes, our approach works on existing commodity hardware, which allows easier adoption. Our extensive analysis attests to the strong security benefits which are provided at a geometric mean runtime overhead of just 16–27%.

KW - Exploit Mitigation

KW - Fine-Granular Memory Encryption

KW - Intel® TME-MK

KW - Memory Safety

UR - http://www.scopus.com/inward/record.url?scp=85178606152&partnerID=8YFLogxK

U2 - 10.5220/0012050300003555

DO - 10.5220/0012050300003555

M3 - Conference paper

SN - 978-989-758-666-8

VL - 1

SP - 25

EP - 36

BT - SECRYPT 2023 - Proceedings of the 20th International Conference on Security and Cryptography

A2 - De Capitani di Vimercati, Sabrina

A2 - Samarati, Pierangela

PB - SciTePress

T2 - 20th International Conference on Security and Cryptography: SECRYPT 2023

Y2 - 10 July 2023 through 12 July 2023

ER -

MEMES: Memory Encryption-based Memory Safety on Commodity Hardware

Abstract

Konferenz

ASJC Scopus subject areas

Zugriff auf Dokument

Andere Dateien und Links

Fingerprint

Projekte

AWARE - Hardware-gewährleistete Softwaresicherheit

Dieses zitieren