How AMD Memory Guard is Driving Security Innovation in an Ever-Changing World
Whether you are a large business or a small business, protecting your customers and business data is important. There are many reports of lost or stolen computers containing very sensitive information such as banking records, personal health information, and even government investigations by the FBI. With modern laptops and desktops never fully powered off, the threat of that data being stolen during a physical attack (sometimes referred to as a “cold boot attack”) is high. Many security mechanisms, even disk encryption, can be overcome by this type of attack.
With a modern, multi-layered approach to security, AMD processors help protect your sensitive data from today’s sophisticated attacks, avoid downtime, and can reduce resource consumption. AMD provides a set of security features at the silicon and firmware level which are then developed with industry ecosystem partners at the operating system and system levels. In particular, AMD Memory Guard brings a new set of security features to help solve an old industry problem.
DID YOU KNOW?
When users log on to their computer, many system secrets are stored in DRAM, unencrypted. With physical access to a PC, an attacker may be able to cool the memory, reboot the system while bypassing memory wipe functions, and read its content. As a result, keys used for drive encryption and user passwords stored in memory can be extracted. Unfortunately, this has been an industry problem for over 10 years. While in recent years DDR4 memory scrambling techniques have helped somewhat, they have been publicly shown not to provide effective protection against physical memory attacks.
Until AMD Memory Guard, the only way to protect against this type of attack was to shut down the PC completely after each use. In fact, many storage encryption vendors still recommend this approach today. While effective, the problem is that end users expect an increasingly responsive computing experience with the ability to quit and resume work without ever shutting down their computers. The industry has responded by pushing towards the large-scale use of modern sleep, where a PC sits in sleep mode ready to resume where the user left off in seconds. This significantly improves the user experience and productivity, but it also increases exposure to physical attacks. Finding a solution to this dilemma between productivity and data security is the type of technology challenge that AMD is committed to helping its customers solve.
Businesses should view all aspects of endpoint security as essential tools in their security defenses while being aware of how the modern PC is used. With AMD PRO security technology, users benefit from AMD memory protection, which enables encryption of system memory to help reduce the threat of physical memory attacks even if a system is left in sleep mode. When used in combination with other technologies, such as disk encryption, TPM, and system authentication, businesses can continue to protect data while allowing users to be more productive by not having to turn off their PCs after each use.
How AMD MEMORY GUARD Helps Improve Endpoint Security by Encrypting System Memory
Inside every AMD Ryzen™ PRO processor is a dedicated on-chip security coprocessor called the AMD Secure Processor (ASP). ASP forms the foundation of trust for critical security functions and functionality of AMD PRO security technology, including AMD Memory Guard.
AMD Memory Guard is a memory encryption technology providing a simple yet compelling model for many computer systems, especially where physical attacks on the system are a concern. With AMD Memory Guard, all DRAM content is encrypted using a random key, which helps provide protection against physical cold boot, DRAM interface spying, and similar types of attacks. For systems with NVDIMM, AMD Memory Guard also helps provide protection against an attacker removing a memory module and attempting to extract its contents.
AMD architectural advantages
The encryption of the main memory, AMD Memory Guard, is done through dedicated hardware in the integrated memory controllers. Each controller includes a high-performance Advanced Encryption Standard (AES) engine that encrypts data as it is written to DRAM and decrypts it as it is read, as shown in Figure 1. As part of the memory controller, the solution has the added benefit of being completely transparent to the operating system and any application level software.
Memory encryption behavior: Data encryption is performed with a 128-bit key generated by a built-in NIST SP 800-90 compatible hardware random number generator, in a mode that uses an additional physical-address-based tweak to help protect against cipher-text block move-in (relocation) attacks. The encryption key used by the AES engine with AMD Memory Guard is randomly generated each time the system reboots and is not visible to any software running on the processor cores. This key is fully managed by the AMD Secure Processor.
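To illustrate why the address tweak matters, the following added example (not AMD's code; the page does not describe the actual mode or tweak derivation) models a block cipher with and without an XEX-style physical-address tweak, using a constructed key and a constructed 16-byte plaintext, and shows that a ciphertext block moved to a different address no longer decrypts once the tweak is in use:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)
// Constructed demo key; the real key comes from the on-chip RNG and is never visible to software.
var demoKey = []byte("0123456789abcdef")

// xorTweak XORs an address-derived value into buf when tweaked is set. Using
// the raw address as the tweak is an assumption for illustration, not AMD's scheme.
func xorTweak(buf []byte, physAddr uint64, tweaked bool) {
	if !tweaked {
		return
	}
	t := make([]byte, 16)
	binary.LittleEndian.PutUint64(t, physAddr)
	for i := range buf {
		buf[i] ^= t[i]
	}
}

// cryptBlock encrypts (decrypt=false) or decrypts one 16-byte block stored at
// physAddr; with tweaked set the tweak is applied before and after AES (XEX-style).
func cryptBlock(physAddr uint64, in []byte, tweaked, decrypt bool) []byte {
	c, _ := aes.NewCipher(demoKey)
	buf := append([]byte(nil), in...)
	xorTweak(buf, physAddr, tweaked)
	if decrypt {
		c.Decrypt(buf, buf)
	} else {
		c.Encrypt(buf, buf)
	}
	xorTweak(buf, physAddr, tweaked)
	return buf
}

// RelocatedBlockDecrypts reports whether a block encrypted at 0x1000 still
// decrypts correctly after being moved to 0x2000: true without the tweak, false with it.
func RelocatedBlockDecrypts(tweaked bool) bool {
	plain := []byte("secret key bytes") // constructed 16-byte sample
	moved := cryptBlock(0x1000, plain, tweaked, false)
	return bytes.Equal(cryptBlock(0x2000, moved, tweaked, true), plain)
}

func main() {
	fmt.Println("moved block accepted: untweaked =", RelocatedBlockDecrypts(false), "tweaked =", RelocatedBlockDecrypts(true))
}
```

Without the tweak, a controller would accept a block copied from one physical address to another as valid data; binding the ciphertext to its address makes such a relocated block decrypt to garbage.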
Small impact on system performance: The AMD architecture has several advantages by providing cryptographically strong encryption that is built into the processor itself, making it harder to breach through a physical attack. It is important to note that it also has only a small impact on the overall performance of the system.
The graph on the right shows an approximate reduction in processor performance as well as overall system performance when AMD Memory Guard is enabled against a benchmark score without memory encryption. The graph shows that the CPU performance and the overall system performance are very close with hardly any noticeable impact for the user.
Essential characteristic of a complete security solution
Physical cold boot attacks have been around for over 10 years, and until now the only ways to address this security threat were to either physically secure a PC or shut it down completely after each use. Neither solution is particularly practical, especially as laptops become more important and users keep their systems in a sleep state to increase usability. But now, with AMD Memory Guard, important data can be encrypted in system memory to help mitigate physical memory attacks. With the growing need to protect sensitive data from cyber threats, AMD now offers another tool that, as part of a comprehensive security solution, can help combat security threats.
VISIT AMD.COM/PARTNER
Your source for tools, training, news, reviews and more!
Learn more about AMD PRO security at WWW.AMD.COM/PROSECURITY
1. For business laptops and desktops, AMD Memory Guard, full system memory encryption, is included in AMD Ryzen PRO and Athlon PRO processors. PP-3
4. Tests carried out on 03/26/2020 by AMD Performance Labs on a Ryzen 5 PRO 350U (Lenovo T495). Results may vary. PP-23.
5. Tests carried out on 03/26/2020 by AMD Performance Labs on a Ryzen 5 PRO 350U (Lenovo T495). Results may vary. PP-24.
PCMark is a registered trademark of Futuremark Corporation.
© 2020 Advanced Micro Devices, Inc. All rights reserved. AMD, the AMD Arrow logo, Athlon, Radeon, Ryzen, EPYC, and combinations thereof are trademarks of Advanced Micro Devices, Inc. Other product names used in this publication are for identification purposes only and may be trademarks of their respective companies. PID # 20492125-A