Outside an on-premises firewall, data in the cloud needs extra protection. MIT researchers have designed a system to keep attackers from learning anything useful from the pattern of a processor's traffic to and from memory.
Encryption is a critical tool for keeping data secure as it travels to and lives inside public clouds, but it protects only the contents of memory. When a chip sends or receives data stored outside its circuitry in off-chip memory, the addresses it touches, and the timing of those requests, remain observable on the memory bus, so an attacker with access to the host can infer what a workload is doing and decide what to target.
Researchers at MIT have been developing a system called Ascend to close that leak in memory access, according to a Tuesday news release from the school.
Ascend does a few things to make it harder for an attacker to extract information from the pattern of memory traffic. First off, it proposes a novel way of querying memory addresses for data:
What Devadas and his collaborators — graduate students Ling Ren, Xiangyao Yu and Christopher Fletcher, and research scientist Marten van Dijk — do instead is to arrange memory addresses in a data structure known as a “tree.” A family tree is a familiar example of a tree, in which each “node” (in this example, a person’s name) is attached to only one node above it (the node representing the person’s parents) but may connect to several nodes below it (the person’s children).
With Ascend, addresses are assigned to nodes randomly. Every node lies along some “path,” or route through the tree, that starts at the top and passes from node to node, without backtracking, until arriving at a node with no further connections. When the processor requires data from a particular address, it sends requests to all the addresses in a path that includes the one it’s really after.
What's more, after each access Ascend reassigns the block it just fetched to a new, randomly chosen path, so a second request for the same address reads a different set of nodes. An observer on the memory bus therefore sees a fresh random path on every access and cannot tell whether two requests were for the same data, or whether any particular node on a path held the data the processor actually wanted. The cost is bandwidth: every request now fetches an entire path of nodes rather than a single address.
The system also defeats timing analysis. Rather than issuing memory requests only when the processor needs data, Ascend issues them on a fixed schedule, sending dummy requests when the chip is busy computing and has nothing to fetch. This matters because a long gap between requests could reveal that the chip is working through a particularly demanding, and therefore valuable, computation worth targeting.
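The tree, random leaf assignment, read-the-whole-path and remap-after-access mechanism described above is what the ORAM literature calls Path ORAM. The Python below is an added illustration written for this article, not code from the MIT group or from Ascend itself: it simulates that scheme with arbitrary toy parameters (four blocks per tree node, a dictionary standing in for off-chip memory, and a one-access-per-tick schedule with dummy reads for the timing defence), and it records what an observer on the memory bus would see, which is node ids only, never block ids.

```python
"""Toy Path ORAM-style client: tree of buckets, random leaf per block,
read-whole-path, remap-after-access, plus fixed-rate dummy requests.

Added illustration for this article; not Ascend's code. Bucket size,
tree depth and the dict standing in for off-chip DRAM are arbitrary
assumptions chosen to keep the example small.
"""
import random

BUCKET_SIZE = 4  # blocks per tree node (toy assumption)


class PathORAM:
    def __init__(self, num_blocks, seed=None):
        self.rng = random.Random(seed)
        # Pick a depth so there are at least num_blocks leaves.
        self.depth = max(1, (num_blocks - 1).bit_length())
        self.num_leaves = 1 << self.depth
        # "Untrusted" off-chip memory: heap-numbered node id -> bucket.
        # Node 1 is the root; leaves are num_leaves .. 2*num_leaves-1.
        self.memory = {n: [] for n in range(1, 2 * self.num_leaves)}
        # Trusted on-chip state: each block's current random leaf, and a
        # small stash for blocks that did not fit back into the tree.
        self.position = {b: self.rng.randrange(self.num_leaves)
                         for b in range(num_blocks)}
        self.stash = {}
        # Everything an observer on the memory bus could see: the node ids
        # touched per access. Block ids never appear here.
        self.log = []

    def _path(self, leaf):
        """Node ids from the given leaf up to the root."""
        node = self.num_leaves + leaf
        path = []
        while node >= 1:
            path.append(node)
            node //= 2
        return path

    def access(self, block_id, new_data=None):
        """Read block_id (and optionally overwrite it). Returns the old
        data, or None if the block was never written."""
        leaf = self.position[block_id]
        # Remap the block to a fresh random leaf before the read, so the
        # next access to the same block takes an unrelated path.
        self.position[block_id] = self.rng.randrange(self.num_leaves)
        path = self._path(leaf)
        self.log.append(tuple(sorted(path)))
        # Read the whole path into the stash, emptying the buckets.
        for node in path:
            for bid, data in self.memory[node]:
                self.stash[bid] = data
            self.memory[node] = []
        result = self.stash.get(block_id)
        if new_data is not None:
            self.stash[block_id] = new_data
        # Write the path back, leaf first, placing each stash block in the
        # deepest bucket that lies on both this path and the block's own.
        for node in path:
            bucket = []
            for bid in list(self.stash):
                if len(bucket) == BUCKET_SIZE:
                    break
                if node in self._path(self.position[bid]):
                    bucket.append((bid, self.stash.pop(bid)))
            self.memory[node] = bucket
        return result

    def dummy_access(self):
        """Touch a random block and discard the result, so the bus traffic
        looks identical to a real request."""
        self.access(self.rng.choice(list(self.position)))


def run_at_fixed_rate(oram, tick_requests):
    """One memory access every tick, no matter what the program wants.
    tick_requests[i] is (block_id, new_data_or_None) when the program needs
    memory at tick i, or None when it is busy computing; busy ticks get a
    dummy access so the request rate stays constant."""
    results = []
    for req in tick_requests:
        if req is None:
            oram.dummy_access()
        else:
            block_id, data = req
            results.append(oram.access(block_id, data))
    return results


if __name__ == "__main__":
    oram = PathORAM(8, seed=1)
    # The program is busy on ticks 1, 2 and 4; the bus still sees six requests.
    schedule = [(0, b"a"), None, None, (1, b"b"), None, (0, None)]
    results = run_at_fixed_rate(oram, schedule)
    print("program saw:", results)                 # [None, None, b'a']
    print("bus saw %d requests" % len(oram.log))   # 6
    for _ in range(20):
        oram.access(0)
    print("distinct paths for 20 reads of block 0:",
          len(set(oram.log[-20:])))
```

Two things to notice when running it: the `log` entries for repeated reads of block 0 are different paths almost every time, because the remap happens before the path is even read, and the log length always equals the number of ticks regardless of how often the program was actually busy. What the toy omits is the encryption and re-encryption of every bucket on write-back, which real Path ORAM needs so that the observer cannot match a block's ciphertext across positions.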
This architecture “hasn’t been built yet,” said one of the researchers, Srini Devadas, a professor of electrical engineering and computer science at MIT, according to the news release. Hopefully it will be built soon, though, because cloud security is becoming a bigger deal by the day.
More companies are leaving behind on-premises applications and taking up Software as a Service (SaaS) products instead. Meanwhile, providers of Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) might be interested in incorporating the architecture into their servers so as to provide better security to their customers. News of cyberattacks and government snooping only amplifies concerns about security on shared infrastructure, making solutions like Ascend more enticing.