IVEC: Off-Chip Memory Integrity Protection for Both Security and Reliability Ruirui Huang, G. Edward Suh Cornell University

2 ECC Integrity Verification (IV) IV+ECC Random Error Detection Malicious Attack Detection Random Error Correction Motivation Processor Off-chip Memory Random Transient Errors ECC ECC Parity Malicious Attacks IV IV Hash It’s easy to compute the ECC parity bits for the injected attack data. Execution is aborted when IV fails. Twice the overhead for random error detection!!

3 IVEC – Integrity Verification with Error Correction  Goal: Extend IV to correct errors while ensuring a proper level of security Cover both single-bit and multi-bit errors  Challenge Error correction is essentially finding the erroneous bits Cryptographic hash in IV does not reveal error locations 3 Can we extend the capability of IV to handle both security and reliability errors with minimal overheads?

4 Outline  Background ECC Integrity Verification (IV)  IVEC error correction Single-bit errors Multi-bit errors  HW Implementation  Evaluation

5 ECC (SEC-DED)  In general, a modern system uses (72, 64) SEC-DED ECC  For every 64-bit data, 8 additional parity bits are needed  Memory space and bandwidth overheads of 12.5%  Correct 1-bit errors 5 ECC DIMM (18 x4 DRAM chips) DRAM 1 72-bit SEC-DED ECC Word DRAM 2 DRAM 3 DRAM 4 DRAM 5 DRAM 6 DRAM 7 DRAM 8 DRAM 9 DRAM 10 DRAM 11 DRAM 12 DRAM 13 DRAM 14 DRAM 15 DRAM 16 DRAM 18 DRAM 17 Two extra DRAM chips for 8-bit parity of ECC  ECC can be extended to correct common multi-bit errors  Chip-kill correct: correct up to one DRAM chip failure

6 Cryptographic Hash  IV relies on cryptographic hash to detect any changes on data saved in an un-trusted memory Fixed length “finger print” of the data Collision resistance is a key property  Message Authentication Code (MAC) is a keyed cryptographic hash that can also be used for IV Data (d) Hash (h) On data access, check if h == H(d)

7 hash Size of a cache block Protected data in memory hash IV - Hash/MAC Trees  Integrity verification techniques often rely on hash/MAC trees Any changes in data memory would be detected H(h 1 || h 2 || h 3 || h 4 ) root hash h1h1 h2h2 h3h3 h4h4 In processor In off-chip memory 7 hash Size of a cache block Protected data in memory hash h1h1 h2h2 h3h3 h4h4 h1h1 h2h2 h3h3 h4h4 Previous works suggest that IV’s performance overhead is only 2-5% when using Cached MAC Trees

8 Outline  Background ECC Integrity Verification (IV)  IVEC error correction Single-bit errors Multi-bit errors  HW Implementation  Evaluation

9 Single-bit Error Model  A single-bit error in a cache block (64B)  Error is detected by checking the computed hash value to the stored hash value on-chip 9 DIMM1 DIMM4 DRAM 1 DRAM 16 DRAM 1 DRAM 16 1 st Read-block (256 bits) 2 nd Read-block (256 bits)  64B cache block, 256-bits per read-block (2 read-blocks required to fill 1 cache block)

10 Single-bit Error Correction  Correction as searching problem Flip one bit at a time for all possible combinations, and check if the new value passes the integrity verification 10 DIMM1 DIMM4 DRAM 1 DRAM 16 DRAM 1 DRAM st Read-block (256 bits) nd Read-block (256 bits)  64B cache block, 256bits per read-block (2 reads required to fill 1 cache block) Corrected!

11 Multi-bit Error Model  Any bits in one DRAM chip can fail in each read- block Similar to chip-kill correct 11 DIMM1 DIMM4 DRAM 1 DRAM 16 DRAM 1 DRAM 16 1 st Read-block (256 bits) 2 nd Read-block (256 bits)  64B cache block, 256bits per read-block (2 reads required to fill 1 cache block)

12 2 nd Read-block (256 bits) IVEC Error Correction with Parity  Each parity bit covers one bit from every DRAM chip in a read-block x4 DRAM: 4 parity bits per read-block 12 DIMM1 DIMM4 DRAM 1 DRAM 16 DRAM 1 DRAM 16 1 st Read-block (256 bits)  64B cache block, 256bits per read-block (2 reads required to fill 1 cache block), 8 parity bits P1P2P3P4P1P2P3P4P1P2P3P4P1P2P3P4 P5P6P7P8P5P6P7P8P5P6P7P8P5P6P7P8 P1 P3 P4 P2

13 IVEC Correction with Parity  Use parity bits to guide our correction search Correction scheme can be extended with more or fewer number of parity bits 13 DIMM1 DIMM4 DRAM 1 DRAM 16 DRAM 1 DRAM st Read-block (256 bits) nd Read-block (256 bits)  64B cache block, 256bits per read-block (2 reads required to fill 1 cache block), 8 parity bits P1P2P3P4P1P2P3P4P1P2P3P4P1P2P3P4 P5P6P7P8P5P6P7P8P5P6P7P8P5P6P7P Corrected! For hard faults, start searching from recent error locations

14 Parity Handling  Parity bits are stored in regular memory space  Parity bits are not needed for reads unless there is an error They are only updated on write-back operations Decoupled error detection and correction  A parity cache can be used to load and store parity bits when necessary

15 Outline  Background ECC Integrity Verification (IV)  IVEC error correction Single-bit errors Multi-bit errors  HW Implementation  Evaluation

16 IVEC Hardware Implementation  Blue – new blocks for IVEC  Yellow – already exist in a system with IV 16 IVEC Control Parent MAC from cache Counter Cache Counter Cache L2 Cache AES Check GF Multiply LDQ To memory From memory IV Queue Data Queue MACQ Correction Buffer To L2 Result to control Parity Cache

17 Outline  Background ECC Integrity Verification (IV)  IVEC error correction Single-bit errors Multi-bit errors  HW Implementation  Evaluation

18 Error Detection  IV detects any error pattern unless there is a hash/MAC collision  Error detection probability depends on the length of the hash/MAC ↑ hash/MAC length, ↓ collision rate For example, 64-bit MAC has 1/ 2 64 collision rate

19 Error Correction  Mis-correction happens if there is a hash/MAC collision on a correction attempt Every time a hash is recomputed for a possible correction (correction attempt), there is a chance of a collision ↑ number of correction attempts, ↑ mis-correction rate  Security is weakened by correction attempts An integrity violation is not detected on a mis-correction ↑ number of correction attempts, ↓ security  Correction latency GMAC: 4-8 cycles per correction attempt

20 Worst-Case Numbers  Maximum number of correction attempts 20 Parity Single-bit ErrorMulti-bit Error x4 DRAM Chip x8 DRAM Chip x16 DRAM Chip x4 DRAM Chip x8 DRAM Chip x16 DRAM Chip None bits bits bits bits Security is reduced by ~12-bit (64bits->52bits) Max correction latency: cycles Security is reduced by ~8-bit (64bits->56bits) Max correction latency: 4096 cycles 512-bit cache block, 256-bit read-block

21 Memory Space Overhead 21  ECC: 64 parity bits per cache block (512 bits)  IV: 64-bit MAC per cache block (512 bits) in a MAC tree structure plus meta-data

22 Performance Evaluation  Run-time overheads Error correction latency: negligible with a typical SER rate Performance overhead due to off-chip bandwidth usage from updating parity bits  Tools Pin instrumentation tool and TAXI performance simulator  Parameters Core2-like single processor: 4-issue OoO core  Baseline is chosen to have IV implemented 64-bit GMAC-tree with split counter mode (< 5% overhead)

23 Memory Bandwidth Overhead  Traditional ECC bandwidth overhead is 12.5%  IVEC Memory bandwidth overhead is <= 9% in the worst case  Performance overhead is negligible (0.5% in the worst case) 23 9%3.2%

24 Related Work  Memory integrity verification  Off-chip DRAM ECC SEC-DED ECC Chip-kill Correct  Tiered ECC  Reliability and Security Engine (RSE) 24

25 Conclusion  IVEC enables efficient protection of off-chip memory from both security attacks and random errors Can handles both single-bit errors and multi-bit errors Minimal impact on security  IVEC is able to eliminate the use of traditional ECC for off- chip memory when a system requires IV for security 25