The patent's assignee is
News editors obtained the following quote from the background information supplied by the inventors: "Most smartphones and tablets use an ARM System-on-Chip (SoC) architecture. To protect sensitive data, in one protection model the ARM SoC provides a hardware-based isolation environment (e.g., TrustZone®) for running trusted services on the handheld device, in which running services are able to keep their secret state in RAM while the device is running.
"However, this protection model has a significant vulnerability, in that once a relatively sophisticated attacker with appropriate resources has physical access to a mobile device (e.g., steals a smartphone), the attacker can try to read the RAM contents that store these trusted services' secret state. Such attacks are thus directed towards stealing secret state, including AES cryptographic keys. Different ways to attack and read RAM include cold boot attacks, bus monitoring attacks and DMA attacks.
"In a class of attacks referred to as cold boot attacks, the attacker (adversary) is able to physically extract the RAM from within a mobile device and read its contents to retrieve the cryptographic keys. This attack is possible because of the RAM remanence effect in which residual data remains in RAM long after the RAM has lost power. Disk encryption systems popular on contemporary personal computers/laptops are susceptible to cold boot attacks.
"Another approach is to force the device to reboot a different operating system that dumps out the memory contents, for systems where the firmware does not automatically clear the memory on reboot.
"In another class of attacks referred to as DMA attacks, a DMA-capable peripheral that manipulates the DMA controller is used to read arbitrary memory regions. On certain I/O buses, such as Firewire® and Thunderbolt™, this can be done without any cooperation from the processor or the operating system. These attacks may exploit any of several DMA interfaces. The mobile device does not even need to be unlocked, since as long as the device is running, its DMA controller can be programmed over a DMA interface. One mechanism that can be used to defend against such attacks is by using an I/O memory management unit found on many contemporary personal computers and laptops, often referred to as an IOMMU, in which the operating system programs the IOMMU to restrict what memory regions different DMA-capable I/O devices can access. Despite IOMMU's popularity on personal computers and laptops, IOMMUs are not yet present on most other mobile devices today. Moreover, IOMMUs cannot authenticate the DMA devices, whereby they are susceptible to a spoofing attack in which a malicious DMA device can impersonate another device. Thus, to be effective, an IOMMU needs to be present and programmed to deny access to all DMA devices.
"Bus monitoring attacks refer to yet another class of attacks, in which the attacker attaches a bus monitor to the memory bus and waits for the secret data (such as cryptographic keys) to be loaded from RAM into the CPU, or vice-versa. With disk encryption systems, a simple reboot ensures that the AES encryption keys are loaded into RAM, as they are needed to start decryption of the disk volumes upon startup.
"Notwithstanding, bus monitoring attacks may be effective even against a system that does not even keep the AES keys (or any other secrets) in RAM. This is because most efficient AES implementations rely on caching pre-computation (e.g., data tables) to speed up encryption. Although this pre-computed state is not secret, the way in which the state is accessed during AES encryption (the access pattern) does leak valuable information about the encryption key; for example, such information may be used to significantly reduce the number of possible values for the encryption key. Attempts to protect against this vulnerability heretofore have not been straightforward, as pre-computed state is much larger than the encryption keys, significantly increasing the size of the secrets that need to be protected.
"One way to mitigate such attacks is to use encrypted RAM. However, deploying the hardware needed for encrypted RAM is expensive and not practical, at least not presently. A software-based solution is thus desirable."
As a supplement to the background information on this patent application, VerticalNews correspondents also obtained the inventors' summary information for this patent application: "This Summary is provided to introduce a selection of representative concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used in any way that would limit the scope of the claimed subject matter.
"Briefly, various aspects of the subject matter described herein are directed towards a technology to prevent memory attacks. In one aspect, protected data, comprising secret state and access-protected state, is maintained in on-SoC secure storage. Secret state is not allowed to be written to unsecure storage, while access-protected state is not accessed from unsecure storage during encryption or decryption processing operations. During encryption or decryption processing, the secure storage is accessed with respect to the secret state and the access protected state.
"In one aspect, performing encryption or decryption processing comprises performing AES encryption rounds, or verifying a personal identification number (PIN).
"In one aspect, maintaining the protected data in on-SoC secure storage comprises maintaining the protected data in lines of cache, including locking each cache line containing a subset of the protected data to prevent eviction from the cache. Locking the cache line occurs before writing of the secret data to the cache line. Meaningless data is written over the secret data in the cache line before unlocking the cache line.
"In one aspect, on-SoC secure storage, unsecure memory, and state protection logic coupled to the on-SoC secure storage are described. The state protection logic is configured to maintain AES secret state comprising a key, and, during AES encryption rounds, to maintain a round block in the on-SoC secure storage. The state protection logic is further configured to prevent the secret state from entering the unsecure memory.
"In one aspect, secret state is protected from entering unsecure memory, including locking a cache line of an on-SoC cache, and writing the secret state into the cache line only after locking the cache line. A cache line containing secret state is unlocked only after writing meaningless information over the secret state.
"In one aspect, there is described performing at least one AES computation round, and securely maintaining a round block comprising computations for a latest round in the cache in a locked state that prevents eviction of the round block to unsecure storage. A round index (round tracking information) tracks the completed round. Described is preparing for a context switch, including saving the round index, saving the round block to another secure storage, and clearing CPU state.
"In one aspect, there is described resuming AES computations, including securely restoring the round block to the cache in a locked state that prevents eviction of the round block to unsecure storage, securely restoring a key to the cache in a locked state that prevents eviction of the key to unsecure storage, reading the round index to determine the completed round, and performing a next AES computation round based upon the round block and the round index.
"Other advantages may become apparent from the following detailed description when taken in conjunction with the drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
"The present invention is illustrated by way of example and not limited in the accompanying figures in which like reference numerals indicate similar elements and in which:
"FIG. 1 is a representation of an example device configured with a System-on-Chip and secure memory used for preventing memory attacks, according to one example embodiment.
"FIG. 2 is a flow diagram comprising example steps for using a cache as a secure memory via cache locking, according to one example embodiment.
"FIG. 3 is a flow diagram comprising example steps for using a cache as a secure memory via cache locking and secure unlocking, according to one example embodiment.
"FIG. 4 is a flow diagram representing example steps that may be taken to securely prepare for a context switch, according to one example embodiment.
"FIG. 5 is a flow diagram representing example steps that may be taken to securely resume from a context switch, according to one example embodiment.
"FIG. 6 is a block diagram representing an example computing environment, in the form of a mobile device, into which aspects of the subject matter described herein may be incorporated."
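The ordering rules in the summary (lock the cache line before writing secret state, overwrite the secret before unlocking) can be modeled in C as follows. This is an added illustration, not code from the patent application: the cache line, the DRAM buffer, the sample key and every function name are a constructed simulation, and real cache locking is hardware-specific and not shown.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model, not real hardware: a lockable line and a DRAM buffer. */
enum { LINE_SIZE = 32 };
struct cache_line {
    uint8_t data[LINE_SIZE];
    int locked;        /* a locked line is never evicted */
    int holds_secret;  /* set by write_secret, cleared by scrub */
};
static uint8_t dram[LINE_SIZE];  /* stands in for unsecure memory */
static const uint8_t SAMPLE_KEY[16] = {0x2b, 0x7e, 0x15, 0x16}; /* constructed */
/* Eviction pressure: an unlocked line is written back to DRAM. */
int evict(struct cache_line *l) {
    if (l->locked) return -1;
    memcpy(dram, l->data, LINE_SIZE);
    return 0;
}
void line_lock(struct cache_line *l) { l->locked = 1; }
/* Rule 1: secret state is written only after the line is locked. */
int write_secret(struct cache_line *l, const uint8_t *s, size_t n) {
    if (!l->locked || n > LINE_SIZE) return -1;
    memcpy(l->data, s, n);
    l->holds_secret = 1;
    return 0;
}
/* Overwrite the secret with meaningless data; volatile keeps the stores. */
void scrub(struct cache_line *l) {
    volatile uint8_t *p = l->data;
    for (size_t i = 0; i < LINE_SIZE; i++) p[i] = 0xA5;
    l->holds_secret = 0;
}
/* Rule 2: the line is unlocked only after the secret is overwritten. */
int line_unlock(struct cache_line *l) {
    if (l->holds_secret) return -1;
    l->locked = 0;
    return 0;
}
/* Full sequence; returns 1 if the key ever reaches DRAM, else 0. */
int key_leaks(const uint8_t *key, size_t n) {
    struct cache_line l = {{0}, 0, 0};
    line_lock(&l);
    write_secret(&l, key, n);
    int early = (evict(&l) == 0);   /* must be refused while locked */
    scrub(&l);
    line_unlock(&l);
    evict(&l);                      /* allowed: only 0xA5 reaches DRAM */
    return early || memcmp(dram, key, n) == 0;
}
int main(void) { return key_leaks(SAMPLE_KEY, sizeof SAMPLE_KEY); }
```
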
For additional information on this patent application, see: Colp, Patrick J.; Raj, Himanshu; Saroiu, Stefan; Wolman, Alastair. Protecting Secret State from Memory Attacks. Filed
Keywords for this news article include:
Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC