Non-volatile Memory (NVM) could bridge the gap between memory and storage. However, NVMs are susceptible to data remanence attacks. Thus, multiple security metadata must persist along with the data to protect the confidentiality and integrity of NVM-resident data. Persisting Bonsai Merkel Tree (BMT) nodes, critical for data integrity, can add significant overheads due to need to write large amounts of metadata off-chip to the bandwidth-constrained NVMs. We propose iMIV for low-overhead, fine-grained integrity verification through in-memory computing. We argue that memory-intensive integrity verification operations (BMT updates and verification) should be employed close to the NVM to limit off-chip data movement. We design iMIV based on typical NVDIMM designs that have an onboard logic chip with a trusted encryption engine, separate from the untrusted storage media. iMIV reduces the performance overheads from 205% to 55% when integrity verification operations are offloaded to NVM compared to when all the security operations are employed at the memory controller.

翻译：非易失性内存（NVM）有望弥合内存与存储之间的鸿沟。然而，NVM易受数据残留攻击。因此，必须将多种安全元数据与数据一同持久化，以保护NVM驻留数据的机密性与完整性。用于数据完整性的关键元数据——盆景默克尔树（BMT）节点的持久化，由于需要将大量元数据通过带宽受限的NVM片外写入，可能带来显著开销。本文提出iMIV，通过内存内计算实现低开销、细粒度的完整性验证。我们认为，应将内存密集型的完整性验证操作（BMT更新与验证）部署在靠近NVM的位置，以限制片外数据移动。基于典型的NVDIMM设计（其板载逻辑芯片配备独立于非可信存储介质的可信加密引擎），我们设计了iMIV。实验表明，与所有安全操作均在内存控制器执行相比，将完整性验证操作卸载至NVM可使性能开销从205%降低至55%。