Mimosa: Protecting Private Keys against Memory Disclosure Attacks using Hardware Transactional Memory


Cryptography is essential for computer and network security. In practice, the cryptographic keys are loaded into the memory as plaintext during cryptographic computations. Therefore, the keys are subject to memory disclosure attacks that read unauthorized data from RAM. This paper presents Mimosa, protecting RSA private keys against both software-based and physical memory disclosure attacks. Mimosa uses hardware transactional memory (HTM) to ensure that (a) whenever a malicious process attempts to read the plaintext private key, the transaction aborts and all sensitive data are automatically cleared, due to the atomicity guarantee of HTM; and (b) all sensitive data appear as plaintext only within caches, and are never loaded to RAM chips. To the best of our knowledge, Mimosa is the first to use transactional memory to protect sensitive data against memory attacks. We implemented Mimosa with Intel TSX. However, the fragility of TSX transactions introduces extra cache-clogging denial-of-service (DoS) threats, and attackers could sharply degrade the performance. We further partition an RSA private-key computation into multiple transactional parts, while (sensitive) intermediate results are protected across transactional parts. Experiments show that Mimosa effectively protects cryptographic keys against memory disclosure attacks, and introduces a small overhead, even with concurrent cache-clogging workloads.

IEEE Transactions on Dependable and Secure Computing