

# TRUSTED MEMORY

Software-Based Off-Chip Memory Protection  
for RISC-V Trusted Execution Environments



Gui Andrade | Krste Asanović  
Dayeol Lee | Dawn Song  
David Kohlbrenner

*University of California, Berkeley*

# TRUSTED MEMORY?

Securing data/code against  
snooping/reverse-engineering

*Cryptographic keys*

*Proprietary algorithms*

*Biometric data*

*Personally identifiable  
information*

*Code obscurity  
(defense-in-depth)*

# TRUSTED MEMORY?

Two security domains of system memory:  
*on-chip* and *off-chip*.

On-chip presumed secure,  
off-chip not quite



# TRUSTED MEMORY?

Two secure  
on-chip ar

On-chip m

**Off-chip memory**  
a determined  
hobbyist (!) could  
compromise



memory:

**On-chip memory**  
extremely difficult  
(expensive) to  
compromise

# TRUSTED MEMORY?

Two secure  
on-chip ar

On-chip n

**Off-chip memory**  
some *gigabytes* of  
storage



memory:

**On-chip memory**  
some megabytes of  
storage

**(to scale)**

**On-chip RAM**

Two sets  
on-chip

On-chip  
off-chip



Hifive Unleashed



also, who's this  
**Determined Hobbyist?**



(“neimod” soldered FPGA I/O to  
this Nintendo 3DS’s memory bus)

Is this  
hobbyist?  
the person  
trying to dump  
their game  
console RAM

# Problems

## Confidentiality

“can an attacker  
read my data?”



## Integrity

“can an attacker secretly  
change my data?”

# Today

- ① Keystone Framework intro
- ② Prior art in Intel SGX
- ③ Protected paging
- ④ Evaluation
- ⑤ Conclusion

# Our Toolset?



# Keystone



# Keystone

an extensible, customizable  
*Trusted Execution Environment*  
framework for RISC-V



# Trusted Execution Environments



# Trusted Execution Environments



# Trusted Execution Environments



# Trusted Execution Environments

Integrity

Confidentiality

Remote Attestation



# Trusted Execution Environments

Integrity

Confidentiality

Remote Attestation



**Perfect!** but....

**On-chip memory**  
some megabytes of storage



**Perfect!** but....

**On-chip memory**  
exhausted very  
quickly



**Perfect!** but....

On-chip  
Experiments

**demand paging**

# Problems

## Confidentiality

“can an attacker  
read my pages?”



## Integrity

“can an attacker secretly  
change my pages?”

# Solutions

## Encryption

any outbound pages  
are encrypted

## Hashing

any inbound pages have  
their hashes checked

# Precedent

Confidentiality

Integrity



Intel's Secure Guard  
Extensions solve in  
hardware

# Precedent

## Confidentiality

Modified  
AES-CTR, 128-bit

Version counters  
for replay  
protection



## Integrity

Carter-Wegman  
MAC, 56-bit

512b block  
granularity

Merkle tree  
hash storage

# A Software Approach

for commodity RISC-V hardware

## Confidentiality

AES-CTR, 256-bit

Version counters  
for replay  
protection

## Integrity

page size  
granularity  
(multiple  
of 4096b)

SHA256  
Merkle tree  
hash storage

# The Scheme



```
s_hash := sha(s)
```

# The Scheme



```
s_hash := sha(s)  
s_enc := aes(s)
```

# The Scheme



```
s_hash := sha(s)
```

```
s_enc := aes(s)
```

```
d_dec := aes(d)
```

# The Scheme



```
s_hash := sha(s)  
s_enc := aes(s)  
  
d_dec := aes(d)  
d_hash :=  
    aes(d_dec)
```

# The Scheme



```
s_hash := sha(s)  
s_enc := aes(s)  
  
d_dec := aes(d)  
d_hash :=  
    aes(d_dec)  
  
check_hash(d_hash)
```

# The Scheme



Secure on-chip memory

# Why a tree?

Array of page hashes too big  
(wasteful) for  
on-chip memory



*Move it off-chip*



The Scheme

s\_hash := sha(s)  
s\_enc := aes(s)

d\_dec := aes(d)  
d\_hash :=  
aes(d\_dec)

check\_hash(d\_hash)  
store\_hash(s\_hash)

Untrusted DRAM

# The Scheme

Secure on-chip memory

# Why a tree?

*Off-chip hashes*



Untrusted hashes?



`s_hash := sha(s)`  
`s_enc := aes(s)`

`d_dec := aes(d)`  
`d_hash := aes(d_dec)`

`check_hash(d_hash)`  
`store_hash(s_hash)`

# Problems

## Confidentiality

“can an attacker  
read my hashes?”



## Integrity

“can an attacker secretly  
change my hashes?”

# Solutions

**Don't care!**

cryptographic  
hashes leak no  
information

**More hashing!**

hash the hash  
store, keep the  
root hash safe

# Hashing the store



**Original plan:**  
Keep nonresident  
page hashes in  
secure memory

**Problem:**  
On-chip memory  
too valuable!

# Hashing the store



**Solution:**  
Move store off-chip, check its integrity during page swaps

**Problem:**  
Hashing the entire store wastes CPU cycles

# Hashing the store



## Solution:

- Split hash store
- Hash left or right side as needed
- Propagate to root

## Problem:

Hashing half of store still too much for one page swap

# Hashing the store



## Solution:

- Recursive splits
- Hash only the relevant leaf
- Propagate to root

This tree structure is called a *Merkle Tree*.

# Hashing the store



## Merkle tree tradeoffs:

- Very little secure memory usage
- Deeper tree needs more insecure mem
- Deeper tree hashes fewer bytes total
- Deeper tree needs more hash passes

# Evaluation

Software memory protection feasible, with appreciable overhead.

Optimizations pending; current implementation conservative with security guarantees

# Evaluation



With efficient paging infrastructure,  
even unoptimized protection  
routines could be viable.

# Evaluation



Unfortunately, paging  
currently accounts for huge  
runtime overheads

# Conclusion

Protected paging appropriate for  
**security-critical, speed-flexible** operations

Specifically, ones under secure memory  
pressure

# Conclusion

Protected paging lays groundwork for other space optimizations

- Free up L2 cache when enclave is idle
- Balance on-chip memory among several enclaves



# A Flexible Approach

# Conclusion

Software protections need  
no special IP blocks!

Frees up die area for cost  
constrained hardware

# Conclusion

Software protections are complemented by special IP blocks!

One scheme parametrizable over many hardware configurations