MEMES: Memory Encryption-based Memory Safety on Commodity Hardware

David Schrammel; Salmin Sultana; Karanvir Grewal; Michael LeMay; David Durham; Martin Unterguggenberger; Pascal Nasahl; Stefan Mangard

doi:10.5220/0012050300003555

MEMES: Memory Encryption-based Memory Safety on Commodity Hardware

David Schrammel, Salmin Sultana, Karanvir Grewal, Michael LeMay, David Durham, Martin Unterguggenberger, Pascal Nasahl, Stefan Mangard

Institute of Information Security (7050)

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

Memory encryption is an effective security building block broadly available on commodity systems from Intel® and AMD. Schemes, such as Intel® TME-MK and AMD SEV, help provide data confidentiality and integrity, enabling cryptographic isolation of workloads on shared platforms. However, due to their coarse encryption granularity (i.e., pages or entire virtual machines), these hardware-enabled primitives cannot unleash their full potential to provide protection for other security applications, such as memory safety. To this end, we present a novel approach to achieving sub-page-granular memory encryption without hardware modifications on off-the-shelf systems featuring Intel®’s TME-MK. We showcase how to utilize our fine-grained memory encryption approach for memory safety by introducing MEMES. MEMES is capable of mitigating both spatial and temporal heap memory vulnerabilities by encrypting individual memory objects with different encryption keys. Compared to other hardware-based memory safety schemes, our approach works on existing commodity hardware, which allows easier adoption. Our extensive analysis attests to the strong security benefits which are provided at a geometric mean runtime overhead of just 16–27%.

Original language	English
Title of host publication	SECRYPT 2023 - Proceedings of the 20th International Conference on Security and Cryptography
Editors	Sabrina De Capitani di Vimercati, Pierangela Samarati
Publisher	SciTePress
Pages	25-36
Number of pages	12
Volume	1
ISBN (Print)	978-989-758-666-8
DOIs	https://doi.org/10.5220/0012050300003555
Publication status	Published - 2023
Event	20th International Conference on Security and Cryptography: SECRYPT 2023 - Rome, Italy Duration: 10 Jul 2023 → 12 Jul 2023

Conference

Conference	20th International Conference on Security and Cryptography: SECRYPT 2023
Abbreviated title	SECRYPT
Country/Territory	Italy
City	Rome
Period	10/07/23 → 12/07/23

Keywords

Exploit Mitigation
Fine-Granular Memory Encryption
Intel® TME-MK
Memory Safety

ASJC Scopus subject areas

Software
Information Systems
Computer Networks and Communications

Access to Document

10.5220/0012050300003555Licence: CC BY-NC-ND 4.0

memes-camerareadyAccepted author manuscript, 335 KB

Cite this

Schrammel, D., Sultana, S., Grewal, K., LeMay, M., Durham, D., Unterguggenberger, M., Nasahl, P., & Mangard, S. (2023). MEMES: Memory Encryption-based Memory Safety on Commodity Hardware. In S. De Capitani di Vimercati, & P. Samarati (Eds.), SECRYPT 2023 - Proceedings of the 20th International Conference on Security and Cryptography (Vol. 1, pp. 25-36). SciTePress. https://doi.org/10.5220/0012050300003555

MEMES: Memory Encryption-based Memory Safety on Commodity Hardware. / Schrammel, David; Sultana, Salmin; Grewal, Karanvir et al.
SECRYPT 2023 - Proceedings of the 20th International Conference on Security and Cryptography. ed. / Sabrina De Capitani di Vimercati; Pierangela Samarati. Vol. 1 SciTePress, 2023. p. 25-36.

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Schrammel, D, Sultana, S, Grewal, K, LeMay, M, Durham, D, Unterguggenberger, M, Nasahl, P & Mangard, S 2023, MEMES: Memory Encryption-based Memory Safety on Commodity Hardware. in S De Capitani di Vimercati & P Samarati (eds), SECRYPT 2023 - Proceedings of the 20th International Conference on Security and Cryptography. vol. 1, SciTePress, pp. 25-36, 20th International Conference on Security and Cryptography: SECRYPT 2023, Rome, Italy, 10/07/23. https://doi.org/10.5220/0012050300003555

@inproceedings{de49bf690673414ca5d152edcf01b555,

title = "MEMES: Memory Encryption-based Memory Safety on Commodity Hardware",

abstract = "Memory encryption is an effective security building block broadly available on commodity systems from Intel{\textregistered} and AMD. Schemes, such as Intel{\textregistered} TME-MK and AMD SEV, help provide data confidentiality and integrity, enabling cryptographic isolation of workloads on shared platforms. However, due to their coarse encryption granularity (i.e., pages or entire virtual machines), these hardware-enabled primitives cannot unleash their full potential to provide protection for other security applications, such as memory safety. To this end, we present a novel approach to achieving sub-page-granular memory encryption without hardware modifications on off-the-shelf systems featuring Intel{\textregistered}{\textquoteright}s TME-MK. We showcase how to utilize our fine-grained memory encryption approach for memory safety by introducing MEMES. MEMES is capable of mitigating both spatial and temporal heap memory vulnerabilities by encrypting individual memory objects with different encryption keys. Compared to other hardware-based memory safety schemes, our approach works on existing commodity hardware, which allows easier adoption. Our extensive analysis attests to the strong security benefits which are provided at a geometric mean runtime overhead of just 16–27%.",

keywords = "Exploit Mitigation, Fine-Granular Memory Encryption, Intel{\textregistered} TME-MK, Memory Safety",

author = "David Schrammel and Salmin Sultana and Karanvir Grewal and Michael LeMay and David Durham and Martin Unterguggenberger and Pascal Nasahl and Stefan Mangard",

year = "2023",

doi = "10.5220/0012050300003555",

language = "English",

isbn = "978-989-758-666-8",

volume = "1",

pages = "25--36",

editor = "{De Capitani di Vimercati}, Sabrina and Pierangela Samarati",

booktitle = "SECRYPT 2023 - Proceedings of the 20th International Conference on Security and Cryptography",

publisher = "SciTePress",

address = "Portugal",

note = "20th International Conference on Security and Cryptography: SECRYPT 2023, SECRYPT ; Conference date: 10-07-2023 Through 12-07-2023",

}

TY - GEN

T1 - MEMES: Memory Encryption-based Memory Safety on Commodity Hardware

AU - Schrammel, David

AU - Sultana, Salmin

AU - Grewal, Karanvir

AU - LeMay, Michael

AU - Durham, David

AU - Unterguggenberger, Martin

AU - Nasahl, Pascal

AU - Mangard, Stefan

PY - 2023

Y1 - 2023

N2 - Memory encryption is an effective security building block broadly available on commodity systems from Intel® and AMD. Schemes, such as Intel® TME-MK and AMD SEV, help provide data confidentiality and integrity, enabling cryptographic isolation of workloads on shared platforms. However, due to their coarse encryption granularity (i.e., pages or entire virtual machines), these hardware-enabled primitives cannot unleash their full potential to provide protection for other security applications, such as memory safety. To this end, we present a novel approach to achieving sub-page-granular memory encryption without hardware modifications on off-the-shelf systems featuring Intel®’s TME-MK. We showcase how to utilize our fine-grained memory encryption approach for memory safety by introducing MEMES. MEMES is capable of mitigating both spatial and temporal heap memory vulnerabilities by encrypting individual memory objects with different encryption keys. Compared to other hardware-based memory safety schemes, our approach works on existing commodity hardware, which allows easier adoption. Our extensive analysis attests to the strong security benefits which are provided at a geometric mean runtime overhead of just 16–27%.

AB - Memory encryption is an effective security building block broadly available on commodity systems from Intel® and AMD. Schemes, such as Intel® TME-MK and AMD SEV, help provide data confidentiality and integrity, enabling cryptographic isolation of workloads on shared platforms. However, due to their coarse encryption granularity (i.e., pages or entire virtual machines), these hardware-enabled primitives cannot unleash their full potential to provide protection for other security applications, such as memory safety. To this end, we present a novel approach to achieving sub-page-granular memory encryption without hardware modifications on off-the-shelf systems featuring Intel®’s TME-MK. We showcase how to utilize our fine-grained memory encryption approach for memory safety by introducing MEMES. MEMES is capable of mitigating both spatial and temporal heap memory vulnerabilities by encrypting individual memory objects with different encryption keys. Compared to other hardware-based memory safety schemes, our approach works on existing commodity hardware, which allows easier adoption. Our extensive analysis attests to the strong security benefits which are provided at a geometric mean runtime overhead of just 16–27%.

KW - Exploit Mitigation

KW - Fine-Granular Memory Encryption

KW - Intel® TME-MK

KW - Memory Safety

UR - http://www.scopus.com/inward/record.url?scp=85178606152&partnerID=8YFLogxK

U2 - 10.5220/0012050300003555

DO - 10.5220/0012050300003555

M3 - Conference paper

SN - 978-989-758-666-8

VL - 1

SP - 25

EP - 36

BT - SECRYPT 2023 - Proceedings of the 20th International Conference on Security and Cryptography

A2 - De Capitani di Vimercati, Sabrina

A2 - Samarati, Pierangela

PB - SciTePress

T2 - 20th International Conference on Security and Cryptography: SECRYPT 2023

Y2 - 10 July 2023 through 12 July 2023

ER -

MEMES: Memory Encryption-based Memory Safety on Commodity Hardware

Abstract

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

AWARE - Hardware-Ensured Software Security

Cite this

MEMES: Memory Encryption-based Memory Safety on Commodity Hardware

Abstract

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Projects

AWARE - Hardware-Ensured Software Security

Cite this