Presentation is loading. Please wait.

Presentation is loading. Please wait.

DEUCE: WRITE-EFFICIENT ENCRYPTION FOR PCM March 16 th 2015 ASPLOS-XX Istanbul, Turkey Vinson Young Prashant Nair Moinuddin Qureshi.

Published byAmos Caldwell Modified over 9 years ago

Similar presentations

Presentation on theme: "DEUCE: WRITE-EFFICIENT ENCRYPTION FOR PCM March 16 th 2015 ASPLOS-XX Istanbul, Turkey Vinson Young Prashant Nair Moinuddin Qureshi."— Presentation transcript:

1 DEUCE: WRITE-EFFICIENT ENCRYPTION FOR PCM March 16 th 2015 ASPLOS-XX Istanbul, Turkey Vinson Young Prashant Nair Moinuddin Qureshi

2 Insight: re-encrypt only modified words DEUCE: write-efficient encryption scheme Result: bit flips reduced 50%  23% (27% speedup) PCM more vulnerable to attacks  stolen module Secure PCM with encryption Problem: Encryption increases bit flips 12%  50% Goal: Encrypt PCM without causing 4x bit flips Bit flips expensive in Phase Change Memory (PCM) –Affects Lifetime, Power, and Performance –PCM system optimized to reduce bit flips (~12%) EXECUTIVE SUMMARY 2

3 PCM AS MAIN MEMORY Phase Change Memory (PCM) –Improved scaling + density –Non-volatile (no refresh) Key Challenge –Writes: Limited endurance (10-100 million writes) –Writes: Slow and limited throughput –Writes: Power-hungry 3 PCM systems are designed to reduce writes

4 Invert if too many bit flipsWrite only flipped bits Flip-N-Write TYPICAL WRITE OPTIMIZATIONS IN PCM Data-Comparison-Write 4 Cache Comparison Write Cache Flip-N-Write Optimizations reduce bit-flips per write to 10-12%

5 Non-volatility: Power savings Security More vulnerable to stolen-memory attack SECURITY VULNERABILITY OF PCM 5 Stolen memory attack Bus snooping attack also possible We want to protect PCM from both “stolen memory attack” and “bus snooping attack”

6 ENCRYPTION ON PCM Protect PCM using memory encryption Encryption causes 50% bit flips on each write 1 bit flip in line  50% bit flips in encrypted line 6 Cache Encrypted PCM Encryption causes 50% bit flips  Write-intensive Avalanche Effect

7 ENCRYPTION ON PCM COSTLY 7 Encryption increases bit flips from 12% to 50% (4x!) 4x

8 GOAL: WRITE-EFFICIENT ENCRYPTION Goal: How do we implement memory encryption, without increasing bit flips by 4x? 8

9 OUTLINE Introduction to PCM and encryption Background on Counter-mode Encryption DEUCE Results Summary 9

10 Pad-based DecryptionDirect Decryption Encrypted Data WHY PAD-BASED ENCRYPTION? 10 AES Key Data Pad Encrypted Data AES Key Data Pad-based decryption has low-latency AES AES in critical path! XOR in critical path + PCM Cache

11 + ZEROES PAD NEED FOR UNIQUE PADS (0000) ⊕ Pad = Pad Attack! Insecure if pad learned 11 ZEROES PAD Secure pad encryption cannot re-use pads + PAD ENCRYPTED PAD DATA ENCRYPTED

12 Different pad per line address Different pad per write to same line  per-line counter PAD-ctr3 + + + Line1 PAD1 Line2 PAD2 Line1 Time3 Line1 Time2 COUNTER-MODE ENCRYPTION 12 Line1ENCRYPT1 Line2 PAD2 ENCRYPT2 Line1 Time1 ENCRYPT1 ENCRYPT2 PAD1 PAD-ctr2PAD-ctr1 Pad changes every write  50% bit flips every write Secured!

13 OUTLINE Introduction to PCM and encryption Background on Counter-mode Encryption DEUCE Results Summary 13

14 What if we re-encrypt only modified words? INSIGHT 1 Reduce bit flips by re-encrypting only modified words Re-encrypted Cache Encrypted PCM Re-encrypted Remains encrypted 010 14

15 Naïve implementation needs per-word counters/pads Reduce storage overhead by using only two counters INSIGHT 2: EFFICIENT IMPLEMENTATION 15 Encrypted PCM Do efficient partial re-encryption with only two counters 000000000010000000200001003000120041002300521034006321450174325612854367 000000000010000000200002003000330044004400555055006666660777777788888888 Expensive!

16 Each line has two counters: Leading counter (LeadCTR): incremented every write Trailing counter (TrailCTR): updated every N writes (Epoch) “Modified” bit per word to choose between counters DEUCE: DUAL COUNTER ENCRYPTION 16

17 Epoch Start DEUCE: OPERATION On a write LeadCTR++ Re-encrypt words modified since Epoch Set “modified” bits TrailCTR=LeadCTR Re-encrypt ALL words Reset “modified” bits Between Epoch 17 DEUCE re-encrypts only words modified since Epoch

18 DEUCE: EXAMPLE (EPOCH = 4 WRITES) ALL W0 W7 W0 W4 W7 W0 W4 W7 ALL W2 W4 Encrypted Words LCTR TCTR 0 0 1 0 2 0 3 0 4 4 5 4 W0,W7 W4 W7W2,W4 0 12 34 5 Modified Words in Write Get TrailCTR by masking 2 LSB off LeadCTR DEUCE needs only one physical counter per line X 18 DEUCE does partial re-encryption between Epochs

19 Encrypted Line DEUCE: HOW TO DECRYPT? DEUCE generates two pads with LCTR and TCTR Which pad to use decided by the “Modified” bits Decrypted Line Pad - LCTR Pad - TCTR AES Line counter Mask 4 LSB LCTR TCTR 10011000 Combined 19

20 OUTLINE Introduction to PCM and encryption Background on Counter-mode Encryption DEUCE Results Summary 20

21 Core Chip  8 cores, each 4GHz 4-wide core  L1/L2/L3  32KB/256KB/1MB METHODOLOGY 21 Shared L4 Cache Phase Change Memory CPU

22 Shared L4 Cache:  64 MB capacity  50 cycle latency METHODOLOGY 22 Shared L4 Cache Phase Change Memory CPU

23 Phase Change Memory [Samsung ISSCC’12]  4 ranks, each 8GB  32GB total  Read latency 75ns  Write latency 150ns (per 128-bit write slot) METHODOLOGY 23 Shared L4 Cache Phase Change Memory CPU

24 METHODOLOGY 24 Shared L4 Cache Phase Change Memory CPU Workloads  SPEC2006: High MPKI, rate mode  4 billion instruction slice DEUCE: Epoch=32; Word size=2B

25 RESULTS: BIT FLIP ANALYSIS 25 DEUCE eliminates two-thirds of the extra bit flips caused by encryption

26 RESULTS: SPEEDUP&POWER ANALYSIS 26 Bit flip reduction improves speedup and EDP +27% DEUCE FNW Speedup Energy-Delay-Product -43% Unencrypted

27 Heavily-written bits still heavily-written with DEUCE Solution: Zero-cost “Horizontal” Wear Leveling RESULTS: LIFETIME ANALYSIS 27 Lifetime improvement of 2x +100% DEUCE with HWL

28 OUTLINE Introduction to PCM and encryption Baseline–Counter-mode Encryption DEUCE Results Summary 28

29 Insight: re-encrypt only modified words DEUCE: write-efficient encryption scheme Result: bit flips reduced 50%  23% (27% speedup) PCM more vulnerable to attacks  stolen module Secure PCM with encryption Problem: Encryption increases bit flips 12%  50% Goal: Encrypt PCM without causing 4x bit flips Bit flips expensive in Phase Change Memory (PCM) –Affects Lifetime, Power, and Performance –PCM system optimized to reduce bit flips (~12%) EXECUTIVE SUMMARY 29

30 THANK YOU 30

31 EXTRA SLIDES 31

32 DEUCE FOR OTHER NVM In-place writing NVM –RRAM –STT-MRAM 32

33 WRITE SLOTS PCM is power-limited Write-slot of 128 Flip-N-Write-enabled bits (64 bit flips) 33 Average number of write slots used per write request. On average, DEUCE consumes 2.64 slots whereas unencrypted memory takes 1.92 slots out of the 4 write slots

34 IMPROVING PCM WEAR LEVELING 34 Vertical Wear Leveling (Start-gap)—Inter-line leveling Horizontal Wear Leveling—Intra-line leveling Re-use vertical wear leveling to level inside line  START A B C 0 1 2 3 4 D GAP   START C Rot3 D Rot3 A Rot2 0 1 2 3 4 B Rot2 A Rot3 D Rot4 C Rot4 B Rot4 B Rot3 GAP  Vertical Wear LevelingHorizontal Wear Leveling

35 QUESTION: IS IT SECURE? Aren’t you re-using the pad? AES-CTR-mode –Unique full pad per ever write. DEUCE –Epoch start, uses unique full pad –Between epochs, uses a unique full pad per write, to re- encrypt modified words. Unmodified words simply not touched  whole line is always encrypted, and pads are not re-used 35

36 444 4 4444444444400000000 MINIMUM RE-ENCRYPT 36 Words modified 1 2 3 5 7 8 55 6 77 8888888 Value of Leading Counter (Epoch=4) W2 W7 W6 W0, W4, W5 W0 W0, W3, W4

37 44444444444444444400000 0 00000000 DEUCE RE-ENCRYPT 37 Words modified 1 22 333 5 66 77 8 55 6 77 8888888 Value of Leading Counter (Epoch=4) W2 W7 W6 W0, W4, W5 W0 W0, W3, W4

38 QUESTION: IS IT SECURE? What about information leak? AES-CTR-mode –Can tell when a line is modified DEUCE –Can tell when a line is modified, and –Can sometimes tell when a word is modified –Similar information leakage 38

39 CIPHER BLOCK CHAINING 39

40 COUNTER-MODE ENCRYPTION 40 Security bounds no worse than CBC (NIST-approved) Weakness to input is accepted to due to the underlying block cipher and not the mode of operation

41 RESULTS: BIT FLIP ANALYSIS 41 DEUCE eliminates two-thirds of the extra bit flips caused by encryption

Download ppt "DEUCE: WRITE-EFFICIENT ENCRYPTION FOR PCM March 16 th 2015 ASPLOS-XX Istanbul, Turkey Vinson Young Prashant Nair Moinuddin Qureshi."

Similar presentations

A Framework for Coarse-Grain Optimizations in the On-Chip Memory Hierarchy J. Zebchuk, E. Safi, and A. Moshovos.

A Framework for Coarse-Grain Optimizations in the On-Chip Memory Hierarchy J. Zebchuk, E. Safi, and A. Moshovos.
Coherence Ordering for Ring-based Chip Multiprocessors Mike Marty and Mark D. Hill University of Wisconsin-Madison.

Coherence Ordering for Ring-based Chip Multiprocessors Mike Marty and Mark D. Hill University of Wisconsin-Madison.
Jaewoong Sim Alaa R. Alameldeen Zeshan Chishti Chris Wilkerson Hyesoon Kim MICRO-47 | December 2014.

Jaewoong Sim Alaa R. Alameldeen Zeshan Chishti Chris Wilkerson Hyesoon Kim MICRO-47 | December 2014.
A Case for Refresh Pausing in DRAM Memory Systems

A Case for Refresh Pausing in DRAM Memory Systems
Application-Aware Memory Channel Partitioning † Sai Prashanth Muralidhara § Lavanya Subramanian † † Onur Mutlu † Mahmut Kandemir § ‡ Thomas Moscibroda.

Application-Aware Memory Channel Partitioning † Sai Prashanth Muralidhara § Lavanya Subramanian † † Onur Mutlu † Mahmut Kandemir § ‡ Thomas Moscibroda.
Smart Refresh: An Enhanced Memory Controller Design for Reducing Energy in Conventional and 3D Die-Stacked DRAMs Mrinmoy Ghosh Hsien-Hsin S. Lee School.

Smart Refresh: An Enhanced Memory Controller Design for Reducing Energy in Conventional and 3D Die-Stacked DRAMs Mrinmoy Ghosh Hsien-Hsin S. Lee School.
Architectures for Secure Processing Matt DeVuyst.

Architectures for Secure Processing Matt DeVuyst.
Data Mapping for Higher Performance and Energy Efficiency in Multi-Level Phase Change Memory HanBin Yoon*, Naveen Muralimanohar ǂ, Justin Meza*, Onur Mutlu*,

Data Mapping for Higher Performance and Energy Efficiency in Multi-Level Phase Change Memory HanBin Yoon*, Naveen Muralimanohar ǂ, Justin Meza*, Onur Mutlu*,
†The Pennsylvania State University

†The Pennsylvania State University
Reducing Read Latency of Phase Change Memory via Early Read and Turbo Read Feb 9 th 2015 HPCA-21 San Francisco, USA Prashant Nair - Georgia Tech Chiachen.

Reducing Read Latency of Phase Change Memory via Early Read and Turbo Read Feb 9 th 2015 HPCA-21 San Francisco, USA Prashant Nair - Georgia Tech Chiachen.
A Cache-Like Memory Organization for 3D memory systems CAMEO 12/15/2014 MICRO Cambridge, UK Chiachen Chou, Georgia Tech Aamer Jaleel, Intel Moinuddin K.

A Cache-Like Memory Organization for 3D memory systems CAMEO 12/15/2014 MICRO Cambridge, UK Chiachen Chou, Georgia Tech Aamer Jaleel, Intel Moinuddin K.
Phase Change Memory What to wear out today? Chris Craik, Aapo Kyrola, Yoshihisa Abe.

Phase Change Memory What to wear out today? Chris Craik, Aapo Kyrola, Yoshihisa Abe.
Exploring timing based side channel attacks against 802.11i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction

Exploring timing based side channel attacks against i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction
Techniques for Efficient Processing in Runahead Execution Engines Onur Mutlu Hyesoon Kim Yale N. Patt.

Techniques for Efficient Processing in Runahead Execution Engines Onur Mutlu Hyesoon Kim Yale N. Patt.
TinySec: Link Layer Security Chris Karlof, Naveen Sastry, David Wagner University of California, Berkeley Presenter: Todd Fielder.

TinySec: Link Layer Security Chris Karlof, Naveen Sastry, David Wagner University of California, Berkeley Presenter: Todd Fielder.
CAFO: Cost Aware Flip Optimization for Asymmetric Memories RAKAN MADDAH *, SEYED MOHAMMAD SEYEDZADEH AND RAMI MELHEM COMPUTER SCIENCE DEPARTMENT UNIVERSITY.

CAFO: Cost Aware Flip Optimization for Asymmetric Memories RAKAN MADDAH *, SEYED MOHAMMAD SEYEDZADEH AND RAMI MELHEM COMPUTER SCIENCE DEPARTMENT UNIVERSITY.
1 Lecture 14: DRAM, PCM Today: DRAM scheduling, reliability, PCM Class projects.

1 Lecture 14: DRAM, PCM Today: DRAM scheduling, reliability, PCM Class projects.
Moinuddin K. Qureshi ECE, Georgia Tech ISCA 2012 Michele Franceschini, Ashish Jagmohan, Luis Lastras IBM T. J. Watson Research Center PreSET: Improving.

Moinuddin K. Qureshi ECE, Georgia Tech ISCA 2012 Michele Franceschini, Ashish Jagmohan, Luis Lastras IBM T. J. Watson Research Center PreSET: Improving.
Study of AES Encryption/Decription Optimizations Nathan Windels.

Study of AES Encryption/Decription Optimizations Nathan Windels.
Flexible Reference-Counting-Based Hardware Acceleration for Garbage Collection José A. Joao * Onur Mutlu ‡ Yale N. Patt * * HPS Research Group University.

Flexible Reference-Counting-Based Hardware Acceleration for Garbage Collection José A. Joao * Onur Mutlu ‡ Yale N. Patt * * HPS Research Group University.

Similar presentations

Ads by Google