Novel systems for encrypting, restoring and auditing secure persistent memory can significantly improve performance and safeguard systems against data remanence cyber attacks.
Researchers at the University of Central Florida have developed low-cost solutions for effectively managing secure persistent memory devices (PMDs) in computer systems. One invention (Patent ID 34140) provides techniques for restoring and recovering secure persistent memory. Another invention (Patent ID 34176) enables file and memory encryption of secure, byte-addressable persistent memory and supports file system auditing.
Emerging non-volatile memory (NVM) devices—known as PMDs—can be significantly faster and have greater capacity than traditional memory storage technologies. Like existing NVMs, PMDs can retrieve stored data after power losses or system crashes. They also can act as main memory, enabling direct access to file system data. Despite these features, problems still exist. For example, the limited write endurance of the systems restricts the use of counter-mode encryption, a methodology essential to the safe recovery of files and data. Moreover, since they retain content even after power loss, they are vulnerable to security issues, including data remanence attacks. The UCF inventions offer solutions with novel persistent memory managing systems (PMMs).
The following information summarizes the technical details associated with PMM technologies.
Patent ID 34176 – This invention comprises a method, system and computer-readable instructions for file encryption, memory encryption, and file system auditing of secure byte-addressable persistent memory. To support the ability to directly access NVM-resident files without sacrificing the security provided by encryption and auditing, the solution may include a co-design of hardware and software implementations in a processor chip or secure persistent memory device. Additionally, it may include optimization techniques that exploit the regular access patterns of files to prefetch the files’ encryption metadata and data.
Patent ID 34140 – This invention comprises a method, system, and secure processor for restoring and recovering secure persistent memory without the need for an external/internal backup battery. The solution provides a significant reduction in performance overhead and the number of NVM writes. It provides various encryption counter security check (ECSC) schemes that persist the encryption counters in NVM to support recovery after a system crash. For example, a scheme called Osiris provides crash consistency for encryption counters similar to strict counter persistence schemes. It can be configured to integrate with state-of-the-art data and counter integrity verification schemes. Several design options provide trade-offs between hardware complexity and performance.
Benefits:
- Enables a battery-free solution that reduces the performance overhead and write traffic needed to persist the encryption counters in NVM
- Can be integrated with state-of-the-art data and counter integrity verification (ECC and Merkle tree) for rapid failure/counter recovery
- Provides for persistently secure processors that can maintain security across system crashes/reboots
- May reduce the overhead resulting from encryption duplication
- Provides DAX-based file systems with the ability to do encryption/decryption and auditing without sacrificing the direct and OS-transparent access capabilities
Applications:
- Data servers
- Processors in high-availability servers