iMIV: in-Memory Integrity Verification for NVM
Rajat Jain, Aravinda Prasad, Sreenivas Subramoney, Arkaprava Basu
TL;DR
Data remanence in non-volatile memory enables confidentiality and integrity threats that challenge traditional CME/SMAC/BMT approaches. iMIV relocates memory-intensive BMT updates to a per-DIMMs Trusted IVE on the NVDIMM, while retaining CME/SMAC in the memory controller, and introduces a split BMT cache and pipelined updates to drastically reduce off-chip data movement. The approach achieves strong security guarantees with significantly lower overheads (average around 55% vs 205% baseline) and scales across multiple NVDIMMs, delivering faster recovery and reduced energy use, especially under bandwidth-constrained NVM. The work demonstrates competitive performance against prior secure-NVM schemes and provides practical design insights for secure, crash-resilient, and scalable NVM architectures.
Abstract
Non-volatile Memory (NVM) could bridge the gap between memory and storage. However, NVMs are susceptible to data remanence attacks. Thus, multiple security metadata must persist along with the data to protect the confidentiality and integrity of NVM-resident data. Persisting Bonsai Merkel Tree (BMT) nodes, critical for data integrity, can add significant overheads due to need to write large amounts of metadata off-chip to the bandwidth-constrained NVMs. We propose iMIV for low-overhead, fine-grained integrity verification through in-memory computing. We argue that memory-intensive integrity verification operations (BMT updates and verification) should be employed close to the NVM to limit off-chip data movement. We design iMIV based on typical NVDIMM designs that have an onboard logic chip with a trusted encryption engine, separate from the untrusted storage media. iMIV reduces the performance overheads from 205% to 55% when integrity verification operations are offloaded to NVM compared to when all the security operations are employed at the memory controller.