Patent Application
20090125562
1. Field of the Invention
This invention relates generally to computer storage media and, more specifically, to a method and system for checking the integrity of computer memory.
2. Description of Background
In existing methods, such as those described in U.S. Patent Application Number 20060161773, a processor updates a read/write history register (R/W) is after each read and write memory access (Eqs. 1, 2, and 3). When the processor updates the write history register (Eq. 2), a counter value storing the number of writes to a memory is encrypted and used as a new counter value (Eq. 3) in order to make a future counter value unpredictable for attackers.
R
t
:=R
t-1
⊕E
k(d, cr, a), (1)
W
t
:=W
t-1
⊕E
k(d, cw, a), (2)
where cw=cr+Ec(cr). (3)
Wherein Rt and Wt are stored values in the R/W register for a transaction t, Ek is an encryption function using an encryption key k, d is data, c is a counter value, a is a data address, and Ec is an encryption function using c as an encryption key.
The method requires an encryption circuit for encrypting the counter value and a large adder that handles multiple bits. Furthermore, the encryption processing occupies about half the latency of the entire integrity check.
The shortcomings of the prior art are overcome and additional advantages are achieved through an exemplary method for monitoring memory integrity, the method comprising, receiving a data read access request, updating a data read history register responsive to receiving a data read access request, the update comprising storing a first register value, wherein the first register value is defined by a previous register value and a first function Rt:=Rt-1⊕Ek(d, r, a), wherein t is a transaction number, d represents stored data, r is a random number, a is an address of the data, Ek is a symmetric key encryption function, and k is a key of the symmetric key encryption function, updating a data write history register in further response to receiving the data read access request, the update comprising storing a second register value, wherein the second register value is defined by a previous register value and a second function Wt:=Wt-1⊕Ek(d, r, a), receiving a data write access request, updating the data read history register responsive to receiving a data write access request, the update comprising storing the first register value, and updating the data write history register in further response to receiving the data write access request, the update comprising storing the second register value.
Additional features and advantages are realized through the techniques of the present invention. Other embodiments and aspects of the invention are described in detail herein and are considered a part of the claimed invention. For a better understanding of the invention with advantages and features, refer to the description and to the drawings.
The subject matter that is regarded as the invention is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other aspects, features, and advantages of the invention are apparent from the following detailed description taken in conjunction with the accompanying drawings in which:
The detailed description explains the preferred embodiments of the invention, together with advantages and features, by way of example with reference to the drawings.
Systems and methods involving checking memory integrity are provided. Several exemplary embodiments are described.
Memory integrity ensures that a set of read data is the last data written by a memory controller such as, for example, a processor. To ensure memory integrity, previous methods generate read access and write access in pairs and verify the transactions. For example, when a cache memory controller issues a read access request, an external memory controller makes a write access after the read access. When a write access request is issued, the external memory controller makes the write access after a read access. This may be expressed in the equation below, transactions t, that is, read data and write data d, their addresses a and the order c of the transactions on the reading channel are the same as those on the write channel.
Σatw{da, a, c}=Σatr{da, a, c}
To achieve this, read/write history registers are provided on the write and read channels to store the history of transactions. Each of the registers is updated after each memory access. The update is made by using exclusive OR. However, the same history can be held for different transaction sequences if calculated as:
R=⊕
a
t{d
a
, a, c}, W=⊕
a
t{d
a
, a, c}
Therefore, transactions are scrambled using a hash function H before storing.
R=⊕
a
H(t{da, a, c}), W=⊕aH(t{da, a, c})
If only the simple hash function is used, malicious attackers can generate collisions. Therefore, a symmetric key cryptography function Ek is used. The key k is hidden within the processor and therefore is not observable by an attacker.
R=⊕
a
E
k(t{da, a, c}), W=⊕aEk(t{da, a, c})
However, the encryption cannot prevent an attack that forces the processor to read even numbers of the same transaction, because of the property of exclusive OR. For example:
E
k(t0)⊕Ek(t1)=Ek(t0)⊕Ek(t1)⊕Ek(t2)⊕Ek(t2)
Therefore, a global counter register g is provided that counts a number of memory accesses within the processor. A number of write accesses to each memory address is compared with the total count of the counter c (g=Σc). Thus, such attack can be detected.
An attack that replaces transactions themselves cannot be prevented also because of the property of exclusive OR. For example
E
k(t0)⊕Ek(t1)=Ek(t1)⊕Ek(t0)
E
k(t0{d0, a0, c0})⊕Ek(t1{d1, a1, c1})=Ek(t1{d1, a1, c1})⊕Ek(t0{d0, a0, c0})
The replacement attack is still possible because a future counter value can be predicted if the order (counter) c of transactions t{da, a, c} is incremented after every memory access. In order to prevent a future counter value from being predicted, a new counter cw is generated by encrypting a read transaction tr and a read counter cr. The global counter is also updated accordingly.
c
w
=c
r
+E
c(cr)
g+=E
c(cr)
Updating the counter in this way makes it difficult to predict future counter values and therefore can prevent the replacement attack. A block diagram of an example of a memory controller using the above-described previous method is illustrated in
In operation, the exemplary embodiment of the verification module 208 ensures memory integrity by ensuring that the read data is the last data written by the cache memory 206. The verification module 208 generates read access and write access always in pairs, and verifies the transactions t that is, read data and write data d, their addresses a and the unpredictable random number r of the transactions on the reading channel are the same as those on the write channel.
Σatw{d, r, a}=Σatr{d, r, a}
The verification module 208 includes the read/write history registers 211 and 213 that are provided on write and read channels to store the history of the transactions. Each of the registers 211 and 213 is updated after each memory access. The update is made by using exclusive OR. However, the same history can be held for different transaction sequences (R=W) if calculated as:
R=⊕
a
t{d, r, a}, W=⊕
a
t{d, r, a}
Therefore, transactions are scrambled using a hash function H before storing.
R=⊕
a
H(t{d, r, a}), W=⊕aH(t{d, r, a})
If only the simple hash function is used, malicious attackers can generate collisions. Therefore, a symmetric key cryptography function Ek is used. The key k is hidden within the processor and therefore is not observable by an attacker.
R=⊕
a
E
k(t{d, r, a}), W=⊕aEk(t{d, r, a})
However, the encryption cannot prevent an attack that forces the processor to read even numbers of the same transaction, because of the property of exclusive OR. For example:
E
k(t0)⊕Ek(t1)=Ek(t0)⊕Ek(t1)⊕Ek(t2)⊕Ek(t2)
Using the random number enables the verification module 208 to verify the integrity of the data without using a global counter register update that uses encryption for integrity or multiple multi-bit adder circuits. This is illustrated by the equations:
R
t
:=R
t-1
⊕E
k(d, r, a),
W
t
:=W
t-1
⊕E
k(d, r, a)
where the RNG 209 generates r, and r is an unpredictable random number that varies at each memory access. The use of r allows the verification module 208 to not encrypt a counter and maintain memory integrity.
As discussed above regarding the previous method, an attacker may attempt to perform a replacement attack when the attack repeats the same transaction an even number of times because of the property of exclusive OR. To perform a replacement attack, pairs (t1, r1) and (t2, r2) must be replaced as follows. A transaction in the following description represents data and its address (t:={da, a}).
W=E
k(t0, r0)⊕Ek(t1, r1)⊕Ek(t2, r2)⊕Ek(t3, r3)
R=E
k(t0, r0)⊕Ek(t2, r2)⊕Ek(t1, r1)⊕Ek(t3, r3)
When write access to t1 is made, t2 and r2 must be read. However, even if t2 is known, r2 is an unpredictable random number that will be generated in the future and therefore cannot be replaced. Thus, the replacement attack fails.
Using another method of attack, an attacker may attempt to force the processor to read even numbers of the same transaction
W=E
k(t0, r0)⊕Ek(t1, r1)⊕Ek(t1, r1)⊕Ek(t3, r3)=Ek(t0, r0)⊕Ek(t3, r3)
W=E
k(t0, r0)⊕Ek(tm, rm)⊕Ek(tm, rm)⊕Ek(t3, r3)=Ek(t0, r0)⊕i Ek(t3, r3)
W═R
However, since the random number r is changed at every memory access, r1 cannot be written twice. Therefore
W=E
k(t0, r0)⊕Ek(t1, r1)⊕Ek(t1, r2)⊕Ek(t3, r3)=Ek(t0, r0)⊕Ek(t3, r3)
showing that
W≠R
Therefore, the attack can be also detected.
The above-described embodiment reduces the circuit size and latency. The latency required for integrity check at every memory access can be reduced by about half because the processor does not encrypt the counter and encryption of only the read/write history registers is performed.
While the preferred embodiment to the invention has been described, it will be understood that those skilled in the art, both now and in the future, may make various improvements and enhancements which fall within the scope of the claims which follow. These claims should be construed to maintain the proper protection for the invention first described.
