A team from NC State University developed a new encryption algorithm that automatically encrypts data not currently in use, like a credit-card number, and operates as part of a computer memory module in computing devices that use non-volatile main memory (NVMM). The so-called i-NVMM tool adds only about 3.7 percent execution-time overhead when it encrypts nearly 80 percent of the main memory that's not in use. The remaining 20 percent of data gets encrypted at shutdown.
Data temporarily stored in today's DRAM memory has posed a security concern when a system is on. But the arrival of next-generation systems that start instantly escalates concerns about protecting data that sits in these NVMM devices that store data even longer than today's DRAM technology. NVMM technology, such as phase-change memory, is seen as a way to make mobile and desktop devices easier and faster to use, with expanded memory. But because data in these next-generation devices sits in the main memory, it can't be encrypted via software.
Yan Solihin, one of the researchers and an associate professor of electrical and computer engineering at NC State University, says the hardware-based encryption solution would protect any data stored in the memory of smartphones and laptops, for example.
"Today we still rely on DRAM for most products. As [devices] get smaller, it's not providing very good scaling, so people will be looking for NVMM," Solihin says. "But new memory technologies are all non-volatile: When you turn off the power, you still have data lingering in the main memory. The nice thing about that is that you have an instant-on experience and come back to where you were at the last power-off."
The trade-off is that if a laptop or smartphone gets stolen, the thief can read the contents of the memory, he says.
Solihin and former NC State colleague Siddhartha Chhabra, a former Ph.D. student at the university, are looking for commercial or other partners to help build a prototype of the i-NVMM, which they were able to simulate in their labs. They will present their research paper, titled "i-NVMM: A Secure Non-Volatile Main Memory System with Incremental Encryption," on June 6 at the International Symposium on Computer Architecture (ISCA) in San Jose, Calif.
The research is vaguely reminiscent of issues raised by researchers at Princeton University in 2008, who revealed how DRAMs in most computers store data for several seconds after the power is shut down, leaving the data vulnerable to hacking and theft. The Princeton researchers demonstrated how even disk encryption systems could be bypassed by exploiting the DRAM residual data.
"Contrary to popular belief, DRAMs hold their values for surprisingly long intervals without power or refresh. Our experiments show that this fact enables a variety of security attacks that can extract sensitive information such as cryptographic keys from memory, despite the operating system’s efforts to protect memory contents," the researchers wrote in their paper.
NC State's Solihin says the new algorithm could also be used in DRAM-based systems to encrypt data in main memory.
Meanwhile, the researchers also explored other options for protecting data stored in NVMM-based devices' memory, such as encrypting all of the data stored there, but that would result in a major performance hit, slowing down the system by 30 to 50 percent. "It's better to identify that data [that] is not being used and encrypt just that," Solihin says. "Another solution would be to only encrypt data at the time the user powers it off. We believe this is not as desirable because it's weakened security protection."
But the stolen laptop is only as secure as its software: "If someone has the password to your account, [this technology] doesn't help," Solihin says, so proper authentication must accompany it.
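The trade-off among the three options Solihin describes (encrypt everything, encrypt only at power-off, encrypt only data not in use) can be seen in a toy model. This is an added example, not the researchers' algorithm or code: the page count, the inertness threshold, the access trace and the policy names are all assumptions made for illustration.

```python
PAGES = 100        # assumed size of the toy memory, in pages
INERT_AFTER = 50   # assumed: ticks without access before a page counts as "not in use"

def make_trace(n_accesses=2000):
    """Constructed trace: pages 0-19 are hot; every 25th access touches a cold page."""
    return [20 + (i // 25) % 80 if i % 25 == 24 else i % 20
            for i in range(n_accesses)]

def simulate(policy, trace):
    """Return (pages readable after an unclean power cut, crypto operations spent)."""
    encrypted = [policy == "full"] * PAGES   # "full" keeps every page encrypted at rest
    last_access = [0] * PAGES
    ops = 0
    for tick, page in enumerate(trace, start=1):
        if policy == "full":
            ops += 1                         # every access pays for crypto
        elif policy == "incremental":
            if encrypted[page]:
                encrypted[page] = False      # decrypt on demand
                ops += 1
            last_access[page] = tick
            for p in range(PAGES):           # background sweep over inert pages
                if not encrypted[p] and tick - last_access[p] > INERT_AFTER:
                    encrypted[p] = True
                    ops += 1
        # "shutdown-only" does nothing here: a thief never triggers a clean shutdown
    exposed = sum(1 for e in encrypted if not e)
    return exposed, ops

def compare():
    """Run all three policies over the same constructed trace."""
    trace = make_trace()
    return {p: simulate(p, trace) for p in ("shutdown-only", "incremental", "full")}

if __name__ == "__main__":
    for policy, (exposed, ops) in compare().items():
        print(f"{policy:14s} exposed pages: {exposed:3d}/{PAGES}  crypto ops: {ops}")
```

In this model the incremental policy leaves only the working set readable at the moment of theft while spending a fraction of the crypto operations that full encryption does; the absolute figures depend entirely on the assumed trace and threshold.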