Systems And Methods Providing Wear Leveling Using Dynamic Randomization For Non-volatile Memory by Seong, Nak Hee et al.
c12) United States Patent 
Seong et al. 
(54) SYSTEMS AND METHODS PROVIDING 
WEAR LEVELING USING DYNAMIC 
RANDOMIZATION FOR NON-VOLATILE 
MEMORY 
(75) Inventors: Nak Hee Seong, Dunwoody, GA (US); 
Dong Hyuk Woo, San Jose, CA (US); 
Hsien-Hsin S Lee, Atlanta, GA (US) 
(73) Assignee: Georgia Tech Research Corporation, 
Atlanta, GA (US) 
( *) Notice: Subject to any disclaimer, the term ofthis 
patent is extended or adjusted under 35 
U.S.C. 154(b) by 189 days. 
(21) Appl. No.: 13/480,413 
(22) Filed: May24, 2012 
(65) 
(60) 
(51) 
(52) 
(58) 
Prior Publication Data 
US 2012/0324141 Al Dec. 20, 2012 
Related U.S. Application Data 
Provisional application No. 61/489,348, filed on May 
24, 2011. 
Int. Cl. 
G06F 12102 
G06F 12114 
G06F 21155 
U.S. Cl. 
(2006.01) 
(2006.01) 
(2013.01) 
CPC .......... G06F 1210238 (2013.01); G06F 211554 
(2013.01); G06F 1211408 (2013.01); G06F 
221212024 (2013.01); G06F 221217211 
(2013.01) 
USPC ........................................... 7111202;711/103 
Field of Classification Search 
CPC . G06F 21/554; G06F 21/567; G06F 12/0238; 
G06F 12/1408 
USPC .................................................. 711/103, 202 
See application file for complete search history. 
I lllll llllllll Ill lllll lllll lllll lllll lllll 111111111111111111111111111111111 
US008806171B2 
(IO) Patent No.: US 8,806,171 B2 
Aug. 12, 2014 (45) Date of Patent: 
(56) References Cited 
U.S. PATENT DOCUMENTS 
7,350,085 B2 * 
7,830,706 B2 
7,876,616 B2 
3/2008 Johnson et al ................ 713/193 
1112010 Hanzawa et al. 
112011 Reid et al. 
2004/0083335 Al * 412004 Gonzalez et al. ............. 7111103 
(Continued) 
OTHER PUBLICATIONS 
Qureshi, Moinuddin K. et al., "Practical and Secure PCM Systems 
via Online Attack Detection", https://researcher.ibm.com/re-
searcher/files/us-moinqureshi/papers-hcpal l .pdf, Publication date 
not available. Online access as recent as Apr. 22, 2011, pp. 1-12. 
Qureshi, Moinuddin K. et al., "Scalable High Performance Main 
Memory System Using Phase-Change Memory Technology", 
ISCA'09, Austin, Texas, Jun. 20-24, 2009, pp. 1-10. 
(Continued) 
Primary Examiner - Hal Schnee 
(74) Attorney, Agent, or Firm - Troutman Sanders LLP; 
Ryan A. Schneider; Christopher Close, Jr. 
(57) ABSTRACT 
Systems and methods for dynamically remapping elements of 
a set to another set based on random keys. Application of said 
systems and methods to dynamically mapping regions of 
memory space of non-volatile memory, e.g., phase-change 
memory, can provide a wear-leveling technique. The wear 
leveling technique can be effective under normal execution of 
typical applications, and in worst-case scenarios including 
the presence of malicious exploits and/or compromised oper-
ating systems, wherein constantly migrating the physical 
location of data inside the PCM avoids information leakage 
and increases security; wherein random relocation of data 
results in the distribution of memory requests across the 
physical memory space increases durability; and wherein 
such wear leveling schemes can be implemented to provide 
fine-grained wear leveling without overly-burdensome hard-
ware overhead e.g., a look-up table. 
23 Claims, 10 Drawing Sheets 
,/ ,,,-----·--·---······2r~ ···---~--~-'--,--."·-·------.\ 
' ~J(~ ... 
~.-:.:::;.:~rd .R:::~~::.~:;h 
(56) References Cited 
US 8,806,171 B2 
Page 2 
OTHER PUBLICATIONS 
U.S. PATENT DOCUMENTS 
Lee, Benjamin C. et al., "Phase Change Techonolgy and the Future of 
Main Memory", Micro, IEEE, vol. 30, No. 1, Jan.-Feb. 2010, pp. 1-7. 
Zhang, Wangyuan et al., "Exploring Phase Change Memory and 3D 
Die-Stacking for Power/Thermal Friendly, Fast and Durable 
Memory Architectures", PACT '09 Proceedings of the 2009 18th 
International Conference on Parallel Architectes and Compilation 
Techniques, 2009, pp. 1-12. 
2006/0047886 Al* 3/2006 Leaback ........................... 71115 
200910109788 Al* 412009 Moon eta!. .............. 365/230.03 
2009/0113217 Al* 412009 Dolgunov et al. ............ 713/190 
2010/0106920 Al* 4/2010 Anckaert et al. .............. 7111154 
2010/0157641 Al 6/2010 Shalvi et al. 
2012/0131304 Al* 512012 Franceschini et al. ........ 7111202 * cited by examiner 
U.S. Patent Aug. 12, 2014 Sheet 1of10 US 8,806,171 B2 
:t: 
'/> ••• 
·2 ~""'""'""'""'-'•·...-. 
:::::: 
:~ 
r / 
i 
't"'. 
:::;:: 
ft_~,,~ 
0 
•y ••••••••• T"""l. -_ ..... • .. ··'I'""' .. -.. , ....... 
·v. I .,~~, I . 
l ·~:~ 
: ...... ~ 
. :: ... ~ 
...... J 
;......_-4jf;j. :....··-···-.{l r tJ 
•!•!l ' : WY"""'"'' '"""'' ::::1,,:"""'',,I ~:,* 
··.:.:.: 
::~::: 
... :::::: 
··:·l' ;:».;: 
:::~·: 
·'!"' 
rro 110 110 
I l ·=· ~······································································: • r·········································y···························································r········································································I--··················· 
,..• • RANK(n--1} 1 1 J .• • 
Core& 
Cache hierarchy 
. , .... ··:::::::::::::::::::::::::::::t:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::f ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::j-:::::::;· ·: I 
• HANKO I j / • •• • 
• • r········~::·······················:·······;t········ r····~···:···················;····:········f ........ r·········;:~·····:···········::···::·····:./········ ~ • 
•• • •• P v.M Bank 0,.... ,,• GM BanK 1.,/ • Pv1\A Banf:,_ t .,.,, •• •• • 
Loi I I ~=~~£ Ill! !~=~ . 130 11 ~:~~ m. 11 ! 
. rt1~<::·························· .......... J I •I t>~"'~····················· .......... J •• ~"tt~,M,;<~+··············.······· ···········• I• •• I 
• •• t·RMA • •• ... I~ Rfi1A • ( ·HMA •• •• • 
. . . . .. .. 11 r ~eJy~'. i , 2s i i . sa;;~e ; 11 seiure I' 11 I 
• 64Hf i PA ''lto• •• •• Refresh ~·",, ..... Refm;:'.ih ·r-·", • •• Refresh ·~..., •• •• • 
I I ~~~·· IJ U??0~.~~~ll~r:······\! [ I 
• •= Controller •• • · · • t ' \ 1. •• •• 
t ..::::::::::::::::::: .. ::.::a.::::r::::.::.:::::::::::.:::::: .. J. t ...................... l ...j··-·-·-·-·-·-·-·-·-·-·-···i················te@······························· .. '..1 .... ·.·-·-·-·-·-·.-·-·.····~fHJ······_·-·-·-·-·-·-·-·-·-·-·-·-·-_·-·-·-·-·-·-·-·-·-·.-.·-·-·-·-·-·-·-·-·-·-·-·-·-.·-·-.·-·-·-.·-·-.·.-.·-·-·-·-·-·-·-·-·-.···ta.
1 k .. ·•.•. •·• 
MA~ ...... ,.,"· 120 ~---,,--·MA~ I • • • • . • • • . . 
• t 1 • . I Add n:~ss & C{Hnmand Bus ~ ~ 
..... 
,.. 
' 
/ . ...
/ ·1 ss Data Bus 
fig. 2 
~ 
00 
• 
~ 
~ 
~ 
~ 
= ~ 
~ 
~ 
.... 
N 
'" N 
0 
.... 
.i;... 
1J1 
=-('D 
('D 
..... 
N 
0 
..... 
.... 
0 
d 
rJl. 
00 
Oo 
= 
'"O'I 
"'"" -....l 
"'"" 
= N 
U.S. Patent Aug. 12, 2014 Sheet 3of10 
0 *""' N M 
< < < < 
~. ·~.·. ·~.· ~. 
ZL 
,,, ( .· MA;----.·····. · ~-~/
u 
0 """' N M 
< < < < 
L---~------------7~---------------~---------------~-J ,.....-
.~~~~~~:==~-=-~:;-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
._,.,,. 
¢ .............. ~ .......... 
N 
'*"' 
US 8,806,171 B2 

U.S. Patent 
J 
I 
I 
t SC 
I 
:K =~ ···~*· ;.....; 
~ 
~ 
.~:l. 
·<+ ~ ~~ 
:,1;· 
Aug. 12, 2014 
........ 
........ 
........ ,.. 
Sheet 5of10 
U"} 
m 
-~-u.. 
US 8,806,171 B2 
.+ . 
., 
·f;O 
. 
·X~ 
•U... 

U.S. Patent Aug. 12, 2014 
-r-· 
Sheet 7of10 US 8,806,171 B2 
«> 
dJ 
~-u... 
U.S. Patent Aug. 12, 2014 Sheet 8of10 US 8,806,171 B2 
~ 
• Cl 
+:ooooc 
LL. 
150 ! Memmy 
,,..._~....,~WA········l Contmlier 
i 
nirite Rt•ad. 
P(~I\il Bank 
170 
i 
U:t~f~t~st: 
• 
'Bank 
S.RC 
l 
Ha.ta Dah1 642~--... 
'\, 
, • 
/'~--..160 
~~~~ 
.: 
'1 
! .J . Swap !..,.,'mmmmmm-'mmmmmmm 
~• Huffors. 
i 'I ~m;m~ 
. ' . ~~, * I . ....... / l su:~~~!nn · Su!~~g;m11r:·::·::~:~·-·1s:::c~!~~~;1 ········1,~~!~:~~b 4 ·······1···""" 
\ 1 · ; . i ,., ~· Huffers: 
/\ddrt$~ 643 ''A•••• •••••/ 
\",.,,_,181···'"'/"·""'1·····································1 18~ / [ ~ .. -~ t, 
Decuder I 
·'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'~~~~~~~~~~~~~~~~~~[~~~~~~~~~~~~~~~~-------------------------------------------------------------------------------------------- '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"~"'"'' I ·~-:lt'""R. ~. ·~A n, k· ,, A • .,, . • .. 1 
r'I..., .. hi:v1 nan · r~Ud.V 1 
» I 
I 
... ·.···········································································································································································································································································································································································································································-·./. 
Fig. 10 
~ 
00 
• 
~ 
~ 
~ 
~ 
= ~ 
~ 
~ 
.... 
N 
'" N 
0 
.... 
.i;... 
1J1 
=-('D 
('D 
"""" 
"° 0 
..... 
.... 
0 
d 
rJl. 
00 
Oo 
= 
'"O'I 
"'"" -....l 
"'"" 
= N 
.-t!J0-
'•,.,,,,. 
wwwwwww-----·········~•-AWWVWWWWWWWWWW~--·~--·····~•·AAWWWWWWWWWWWWW--··~···••AAAAAAWWWWWWWWWWWWW---·~·-·••AAAAAA-•WWWWWWWWWWW~ 
··· ······~~~~i~~~;-.·~~~~~~;i~~:i~·~·~J·~~ ........ 1";;::~::,:;:;::,~;;;":~:~,;~;>1 r .. :;~~,;;~~;";~~:;;~~~;:::::;~::~1····r·······~:~.:~~~::~:::.~:·~·······~········+······:r~~··----·y ... \ '"11 .. .-t..):) ot,... ·-" .-t.~. - .. f • i ~ ...... - '·· .• ..... ,,._. : '· -- if .... .; ·~ • w. _&:f'.>·:1 ~ <... / '-,, / \ tMTERFACE ; · ·····1: ,,J l ~'~ 
l B!OS AX! 1 : A 4;?-r:S/1 fl __ L~::.~.'. ...... :~~~!::!_JL 4~J';.;;z::::::Jr / ~ t~:itin:o.R~ 
(;/>&fl) .. ~}2 / ~=uc . LC. SYSTEM BL~?J:"' [' ........................ ~ .. '. ........................ J .... ~ .... . 
,, .. ..... . .... o..., , .. • 4;i.o ,.A:&:J : ,, ... ~4G .,.;p(l 
! OPU{AHNC *" ' '!· . f . r : r ..,,. r ~:;· •• ~.<j· . J. ./ l ..... ./ i ..... ...- i-SYSTEM ~~ . .. /·----------------- ------ ---------.... " ,,, .... ,,,,,,,,,,,,,,,, ,,,,,,,,<,,,,,,,,,,..,, ,,.------------""-'<----·"-------... /.,,,,,,,,,,,,""-'<,,,,,,,-.,,,,,..., · , ~·:: •• ·i:::: • 
'" / :. •-l(·..,.,,3·<·~i<f'i>.t.t,;;:;.; ;~: >:2;;:::;;,.,-·'\,<•~< 1.:•: r l · l FR .. t«1~.H 
': r < .>>"< • '<:< ..... ,., ,.,. • . ,~,. .. '·" "'"'· s'<r-..i , A .•. ,,...... , , A«~ 
,,... ·-, • >-<<"·'-l >10· L MO'•-<>/.(>; :: >(><:•X'· >>..>~:~:=j·r l Mf:::·J"<:il»··,(~v l ./'h>{ 
(
. h PPL. ~i" .. f::T~C::~~ ~ ~~> .... !:or.-:.- .. r-:: ~~ ... ':.-··:..-"-:...... -.....(· ..... n;;5;.;;,: :w.s;: ~ :: 1 r-<[;.; :- il'~· ..... fr:.r~.. 1 { ~ 
.M. . ·°".' , ", "'''' l •A~··H{)(~·V' ~~<:··•A". ·>-2"'' .S<.<·(·(:·:e.>>" • c· '~' l .. ,.,.·.,.r.:·>v·· ;-, ·">t~: l i •''] PROf'R•t.1<"~ l ·~·li:::!¥<· r«i ,.,,.:;.,~n.;; .... , ,,-.,,.:;.r:{,r··.M; ,c, l •!riH.:::r·u·"rA.-c j , ... 
1 
... 
• , ' .:>. '-"'--":;:, j !~tfERFACE , NtERFACE , , j . j ~········• :j 
/ -.. \. ii / ' . ..- .... m·· / , ,,.. .... ,,..,,.... ./ : ----- ""-· I (!Y>4'~ P'l''.)Gl'lf" i ' E' ~· I I 1 [ . "PPK'TI< i.~ il~ -/ · rf•m I I I ,:N"~ '¥ 
'-.. ............... Y~:!!.~ ........ :·:·:·:·:·:·::; ·~ 441 
ifVYYYVNYYNhNNhhhhhh~ 
~ '~ Tm ,, : ;, . . . .. l~/r i I I >!':" q·~ 0 \=WAN ~ ! l, •• m3;~:::i:.r~ ' ;,: . .. , ,...,, \. rh : ""'"'"-".?;':;"':':'.';'"'/ , 1 ,.,OMnJ 1 E:h 
.. l \ >,J ) .... ·t1 : f>/r!JU!:::;r::1 ' ! 
·•,, ·~:~:·4~lr/ 4-4\MYJSE I -il:J ,..,; F~"w~.~~ ..... r"·'"\w...,_~.~."" 
= '454 ~~ £(,@,~ ''° ur>~RA 1H«G :: t,,PPU1._,.J»,1!UN l 0; rk:R PH:..1GRNv1 : ~"}<·;J-G.!-Q>JJ: fr1'< ........ r...f5 ... ,Jj \ 
SYsru:i,, i: PRl?GRAMS J MODULES '. i DATA ,_ • ., KEV!JOA.RD 442: 
~~t·t~t l~ 1.:1~ ~ ~1~!~:!'. 1~ -:t.:~:L 
,,' 
fig. 11 
~ 
00 
• 
~ 
~ 
~ 
~ 
= ~ 
~ 
~ 
.... 
N 
~ 
N 
0 
.... 
.i;... 
1J1 
=-('D 
('D 
..... 
.... 
0 
0 
..... 
.... 
0 
d 
rJl 
00 
Oo 
= 
'"O'I 
"'"" -....l 
"'"" 
= N 
US 8,806,171 B2 
1 
SYSTEMS AND METHODS PROVIDING 
WEAR LEVELING USING DYNAMIC 
RANDOMIZATION FOR NON-VOLATILE 
MEMORY 
CROSS REFERENCE TO RELATED 
APPLICATION 
This application claims benefit under 35 USC § 119( e) of 
U.S. Provisional Patent Application Ser. No. 61/489,348, 
filed 24 May 2011, which application is hereby incorporated 
fully by reference. 
STATEMENT REGARDING FEDERALLY 
SPONSORED RESEARCH OR DEVELOPMENT 
This invention was made with Govermnent support under 
Agreement/Contract numbers CCF-0811738 and CNS-
0644096, awarded by the National Science Foundation. The 
Govermnent has certain rights in the invention. 
BACKGROUND OF THE INVENTION 
1. Field of the Invention 
The present invention relates generally to algorithms for 
mapping elements between two sets and, more particularly, to 
algorithms for repeatedly mapping elements between two 
sets based on random keys so as to dynamically provide 
random mappings. Such dynamic mapping algorithms can be 
applied to memory address spaces to effect wear leveling 
techniques; and more particularly, wear leveling techniques 
for mitigating worst-case wear scenarios including malicious 
attacks and/or compromised operating systems. 
2. Description of the Related Art 
2 
deliberately designed to wear out and fail PCM. For instance, 
schemes to reduce write frequency, such as data comparison 
write (B.-D. Yang, J.-E. Lee, J.-S. Kim, J. Cho, S.-Y. Lee, and 
B.-G. Yu, "A Low Power Phase-Change Random Access 
Memory using a Data-Comparison Write Scheme," in Proc. 
IEEE International Symposium on Circuit and Systems, 
2007) and Flip-N Write (S. Cho and H. Lee, "Flip-N-W rite: A 
Simple Deterministic Technique to Improve PRAM Write 
Performance, Energy and Endurance," in Proc. of the Inter-
10 national Symposium on Microarchitecture, 2009) do not pre-
vent an adversary from wiggling the memory bits of the same 
PCM location and wearing them out. Previous wear-leveling 
schemes are also vulnerable due to the inherent weaknesses 
caused by static randomization, coarse-grained shuffling, and 
15 regular pattern shuffling. 
Furthermore, prior attempts do not consider circumstances 
when the underlying operating system (OS) is compromised 
and the resulting security implications to PCM design. A 
compromised OS, (e.g., via buffer overflow) can allow adver-
20 saries to manipulate all processes and easily exploit side 
channels, accelerating the wear-out of targeted PCM blocks 
and rendering a dysfunctional system. For example, a com-
promised OS can thrash or turn off all caches, disabling a 
shield that protects the PCM. Moreover, ifthe compromised 
25 OS allows a malicious process to obtain and assemble useful 
information leaked from side channels (e.g., timing attacks to 
deduce the shuffling pattern in a wear-leveling scheme), the 
wear-leveling scheme will not stop adversaries from tracking, 
pinpointing, and wearing out target PCM blocks. Attacking a 
30 system with side channels using time, power, electromagnetic 
emission, architectural vulnerability, etc., have all been suc-
cessfully demonstrated in many systems including the 
Microsoft© Xbox©. Designing PCM without careful consid-
eration for these security implications risks computationally 
35 inaccurate results and critical data loss, potentially leading to 
dire financial consequences. 
Phase change memory (PCM) has emerged as a potential 
memory technology for improving the performance of the 
overall system memory hierarchy. A PCM cell can be made of 
phase-change material based on chalcogenide alloys com-
monly composed of the elements Germanium (Ge), Anti-
mony (Sb), and Tellurium (Te). Such materials have at least 40 
two distinct phases-a high electrical resistive amorphous 
phase and a low resistive crystalline phase. The crystalline 
phase can be reached by heating the material above the crys-
tallization temperature while the material can be switched 
into the amorphous phase by melting and quickly quenching. 45 
A data bit can be stored in either state, both of which are 
non-volatile. 
BRIEF SUMMARY 
There remains a need in the art for PCM systems and 
methods that increase the durability of PCM under normal 
execution of typical applications, and in worst-case scenarios 
including the presence of malicious exploits and/or compro-
mised operating systems. Preferably, such systems and meth-
ods implement dynamic run-time randomization on low-cost 
hardware embedded inside the PCM. It is to such wear-lev-
eling systems and methods that various embodiments of the 
present invention are directed. Recently, researchers have studied the trade-off of using 
PCM as the main memory, or even as the last level cache. The 
density of PCM is currently higher than that of dynamic 
random-access memory (DRAM) and expected to increase. 
Moreover, PCM promises better scalability with process 
technology scaling. And although the latency of PCM is cur-
rently several times higher than DRAM, several studies 
showed that the benefits gained from its high density can 
outweigh the degradation of access time by employing a 
deeper memory hierarchy or employing a hybrid-memory 
architecture with mixed usage of other memory technologies. 
The primary roadblock for using PCM as part of the main 
memory is its much lower write endurance compared to 
DRAM. The current write endurance of a PCM cell is around 
10·8 . Several recent studies have attempted to address this 
issue by either reducing PCM's write frequency or using 
wear-leveling techniques to evenly distribute PCM writes. 
Although these techniques can extend the lifetime of PCM 
under normal operations of typical applications, most of them 
fail to prevent an adversary from writing malicious code 
Briefly described, in an exemplary form, the present inven-
50 tion is a technique for dynamically remapping a first set of 
elements onto a second set of elements. Applied to regions of 
memory address space, the dynamic remapping algorithm 
can obfuscate the actual location of data within a region by 
constantly mapping data to a new address based on random 
55 keys generated at run-time. For regions of memory address 
space in a non-volatile memory such as phase-change 
memory (PCM), dynamic remapping enables a wear leveling 
effect by distributing memory requests across the physical 
memory space. Wear leveling transforms non-volatile 
60 memory with limited write endurance to a more resilient 
manufacture with a longer lifetime. 
The present invention has unique advantages over prior 
wear leveling schemes: (i) wherein constantly migrating the 
physical location of data inside the PCM avoids information 
65 leakage, providing increased security; (ii) wherein the ran-
dom relocation of data results in the distribution of memory 
requests across the physical memory space, providing 
US 8,806,171 B2 
3 
increased durability; and (iii) wherein the wear leveling 
scheme can be implemented to provide fine-grained wear 
leveling without overly-burdensome hardware overhead, 
such as a look-up table. 
Thus, in an exemplary embodiment, the present invention 
is a method for dynamically remapping a first set of elements 
onto a second set of elements, wherein dynamically remap-
ping the first set onto the second set can comprise performing 
two or more rounds of mapping. Each round of mapping can 
include providing a random key and mapping each element of 10 
the first set to an element in the second set at least partially 
based on the random key. 
The number of elements of the first set can equal the num-
ber of elements of the second set, and there can be a one-to- 15 
one relationship between the elements of the first set and 
second set. Pairs of elements from the first set and set can be 
associated with a sub-element. 
4 
on the random key, and tracking the mapping of each memory 
block of the first region to a memory block in the second 
region. 
The method can further include providing one or more 
write requests to the first region of memory address space, 
and mapping a memory block of the first region to a memory 
block in the second region can occur every predetermined 
number of write requests to the first region of memory address 
space. 
Mapping at least partially based on the random key can 
comprise mapping based on an algebraic operation on a block 
address of a memory block of the first region with the random 
key, the algebraic operation satisfying the associative, com-
mutative, and self-inverse properties. The algebraic operation 
can be an XOR operation. 
Mapping a domain memory block of the first region to a 
range memory block in the second region can include delo-
cating a first data associated with the range block in the 
second region from the block in the second region, delocating The first set and the second set can have a first region of 
memory address space and a second region of memory 
address space, respectively, an element can comprise a 
memory block, and a sub-element can comprise data. Map-
ping each element of the first set to an element in the second 
set can occur at a predetermined interval. 
20 a second data from a second block in the second region 
associated with the domain block of the first region from the 
second block in the second region, relocating the second data 
to the range block in the second region, and relocating the first 
data to the second block in the second region that the second 
The method can further include providing one or more 
requests for an element of the first set, and the predetermined 
interval can be at least partially based on a predetermined 
number of requests for an element of the first set. 
An element in the first set can be a domain element and an 
element in the second set can be a range element. Mapping a 
domain element of the first set to a range element in the 
second set can include dissociating a first sub-element asso-
ciated with the range element in the second set from the 
element in the second set, dissociating a second sub-element 
from a second element in the second set associated with the 
domain element of the first set from the second element in the 
second set, associating the second sub-element with the range 
element in the second set; and associating the first sub-ele-
ment with the second element in the second set that the second 
sub-element is dissociated from. 
A round of mapping can further include tracking the map-
ping of each element of the first set to an element in the second 
set. Tracking the mapping can include providing an indicator 
pointing to an element in the first set, determining if a sub-
element associated with the element pointed to by the indi-
cator has been associated in the particular round of mapping, 
and ifthe sub-element has not been associated in the particu-
lar round of mapping, mapping the element pointed to by the 
indicator to an element of the second set, setting the indicator 
25 data is delocated from. 
Tracking the mapping of each memory block of the first 
region to a memory block in the second region can include 
providing a pointer pointing to a memory block in the first 
region, determining if data associated with the memory block 
30 pointed to by the pointer has been associated in the particular 
round of mapping, and ifthe data has not been associated in 
the particular round of mapping, mapping the memory block 
pointed to by the pointer to a memory block of the second 
region, incrementing the pointer to point to another memory 
35 block of the first region, repeating determining and incre-
menting until it is determined that all the blocks of the first 
region have been mapped in the particular round of mapping. 
In another exemplary embodiment, the present invention is 
a system for dynamically remapping a set of elements onto 
40 another set of elements comprising a first set of elements, a 
second set of elements, a random key provider, and a control-
ler configured to dynamically remap the first set onto the 
second set. Dynamically remapping the first set onto the 
second set can involve performing two or more rounds of 
45 mapping. Each round of mapping can include mapping each 
element of the first set to an element in the second set at least 
partially based on a random key provided for each round by 
the random key provider. 
to point to another element of the first set, and repeating 50 
determining and setting until it is determined that all the 
sub-elements of the first set have been associated in the par-
ticular round of mapping. 
The first set of elements and the second set of elements can 
comprise a first region of memory address space and a second 
region of memory address space, respectively, an element can 
comprise a memory block, and a memory block can be asso-
ciated with data. 
In another exemplary embodiment, the present invention is 
a method for dynamically remapping a first region memory 55 
address space having a plurality of memory blocks to a sec-
ond region memory address space having a plurality of 
memory blocks. The size of the second region can equal the 
size of the first region, there can be a one-to-one relationship 
between memory blocks of the first region and second region, 60 
and a memory block can be associated with data. The method 
can comprise dynamically remapping the first region onto the 
second region. Dynamically remapping the first region onto 
the second region can involve performing two or more rounds 
of mapping. Each round of mapping can include generating a 65 
random key, mapping each memory block of the first region to 
a memory block in the second region at least partially based 
The random key provider can be a random key generator. 
The controller can have a register configured to store a ran-
dom key and a register configured to store an additional 
random key. The random key generator can be part of the 
controller. 
Each round of mapping can further include tracking the 
mapping of each memory block of the first region to a 
memory block in the second region. The controller can also 
have a bit register for every memory block in the first region 
of memory address space. Alternatively, the controller can 
also have a register configured to store a pointer for pointing 
to a memory block and a remapping checker configured to 
determine if a memory block in the first region has been 
mapped in a particular round. 
US 8,806,171 B2 
5 
The size of a memory block can be the cache line size of a 
last-level cache. The random key generator can generate ran-
dom keys based at least partially on thermal noise from the 
controller. 
Mapping at least partially based on the random key can 
include mapping at least partially based on an algebraic 
operation on a block address of a memory block of the first 
region with the random key, the algebraic operation satisfying 
the associative, commutative, and self-inverse properties. The 
controller can be associated with two swap buffers configured 
to hold data and can also have a swapping logic configured to 
swap memory blocks of the second region using at least the 
two swap buffers. 
6 
FIG. 9 illustrates a block diagram of a two-level Security 
Refresh embedded in a PCM bank, according to an exemplary 
embodiment of the present invention. 
FIG. 10 illustrates a schematic diagram of a PCM bank of 
with two levels of Security Refresh, according to an exem-
plary embodiment of the present invention. 
FIG. 11 illustrates an architecture of a suitable target plat-
form or device that can use the dynamic remapping tech-
nique, according to an exemplary embodiment of the present 
10 invention. 
DETAILED DESCRIPTION 
The system can also have one or more write requests for a 
memory block of the first region. The controller can also have 15 
a register to store a counter for counting the number of write 
requests for a memory block in the first region. The predeter-
mined interval can be based on a predetermined number of 
write requests for a memory block in the first region. 
To facilitate an understanding of the principles and features 
of the invention, various illustrative embodiments are 
explained below. Although many exemplary embodiments of 
the invention are explained in detail, it is to be understood that 
other embodiments are contemplated. Accordingly, it is not 
intended that the invention is limited in its scope to the details 
of construction and arrangement of components set forth in 
the following description or illustrated in the drawings. The 
invention is capable of other embodiments and of being prac-
ticed or carried out in various ways. 
The controller can also have address translation logic con- 20 
figured to translate the address of a given memory address to 
an address of a memory block in the first region based on the 
random key, the additional random key, and the memory 
block pointer. 
The system can have a non-volatile memory bank, the 25 
memory bank comprising one or more controllers. 
In describing the exemplary embodiments, terminology 
will be resorted to for the sake of clarity. It is intended that 
each term contemplates its broadest meaning as understood 
by those skilled in the art and includes all technical equiva-
lents which operate in a similar manner to accomplish a 
BRIEF DESCRIPTION OF THE FIGURES 
FIG. lA illustrates an addressing scheme of a baseline 
architecture of a main memory system, according to an exem-
plary embodiment of the present invention. 
FIG. lB illustrates an addressing scheme of a two-level 
Security Refresh, according to an exemplary embodiment of 
the present invention. 
FIG. 2 illustrates a block diagram of a memory address 
translation path, according to an exemplary embodiment of 
the present invention. 
30 similar purpose. 
It is also to be understood that the mention of one or more 
method steps does not preclude the presence of additional 
method steps or intervening method steps between those 
steps expressly identified. Similarly, it is also to be under-
35 stood that the mention of one or more components in a device 
or system does not preclude the presence of additional com-
ponents or intervening components between those compo-
nents expressly identified. 
FIG. 3 illustrates a region of memory address space com-
prising memory blocks, according to an exemplary embodi- 40 
ment of the present invention. 
In particular, the present invention is described in the con-
text of being a method for dynamically remapping a memory 
address space to another memory address space, providing 
the benefits ofimproved security and wear leveling for phase-
change memory (PCM). 
FIG. 4 illustrates a flow diagram of a round of Security 
Refresh, according to an exemplary embodiment of the 
present invention. 
FIG. 5 illustrates a timeline diagram of security refresh 
rounds comprising the refresh of four memory blocks with a 
security refresh interval of two memory write requests, 
according to an exemplary embodiment of the present inven-
tion. 
FIG. 6 illustrates a flow diagram of a security refresh 
round, according to an exemplary embodiment of the present 
invention. 
FIG. 7 A illustrates a schematic diagram of an exemplary 
controller, according to an exemplary embodiment of the 
present invention. 
FIG. 7B illustrates a schematic diagram of an address 
translation logic, according to an exemplary embodiment of 
the present invention. 
FIG. 7C illustrates a schematic diagram of a remapping 
checker, according to an exemplary embodiment of the 
present invention. 
FIG. 7D illustrates a schematic diagram of a swapping 
logic, according to an exemplary embodiment of the present 
invention. 
FIG. 8 illustrates a block diagram of a multi-level Security 
Refresh with two levels of dynamic remapping, according to 
an exemplary embodiment of the present invention. 
Embodiments of the invention, however, are not limited in 
45 application to phase-change memory. Rather, embodiments 
of the invention may be used for providing improved security 
and wear leveling in use of various other volatile and non-
volatile memory systems including hybrid-memory architec-
tures. Moreover, the underlying dynamic remapping tech-
50 nique can be applied to provide increased security in various 
non-memory applications such as, but not limited to, encryp-
tion systems and methods. 
All or a portion of the invention can be embodied in a 
computer program product on a computer-readable medium, 
55 executable by a computer processor of a computing device. In 
some embodiments, the invention can comprise a specialized 
computing device. 
The components described hereinafter as making up vari-
ous elements of the invention are intended to be illustrative 
60 and not restrictive. Many suitable components that would 
perform the same or similar functions as components 
described herein are intended to be embraced within the 
scope of the invention. Such other components not described 
herein may include, but are not limited to, for example, com-
65 ponents developed after the invention. Those of skill in the art 
will appreciate that various components may serve as substi-
tutes for the elements described herein. 
US 8,806,171 B2 
7 
Various exemplary embodiments of the present invention 
comprise systems and methods for dynamic remapping. 
Referring now to the figures, in which like reference numerals 
represent like parts throughout the views, various embodi-
ments of dynamic mapping technique as applied to PCM 
memory will be described in detail. 
FIG. lA illustrates an addressing scheme of a baseline 
architecture 100 of a main memory system 432, according to 
an exemplary embodiment of the present invention. As shown 
8 
channel leakage; prohibiting physical tampering, e.g., 
memory bus probing; allowing a memory controller 150 to 
exploit bank-level parallelism for better scheduling; enabling 
high-efficiency operation without disturbing the off-chip bus 
during data shuffling and swapping; enabling a high-band-
width data swapping mechanism without being constrained 
by potentially limited, off-chip pin bandwidth; and allowing 
PCM vendors to protect their products without relying on a 
in FIG. lA, a memory controller 150 can map a given physical 1 o 
address (PA) 110 into a memory address (MA) 120 that 
consists of a rank ID, a bank ID, a row address 135, and a 
colunm address 140 for indexing the main memory. In the 
following examples, it is understood that a memory controller 
150 interleaves consecutive row addresses across different 15 
banks-a common mechanism to enhance bank-level paral-
lelism. However, it will be apparent to those skilled in the art 
that other configurations are possible. 
third-party software/hardware such as the OS 834 or the 
memory controller 150. 
Merely concealing internal memory addresses will not 
safeguard against calculated attacks-information leaked 
through side channels can allow an adversary to assemble 
useful knowledge and devise a side-chamiel attack for target 
PCM locations. However, the internal address mapping can 
be periodically updated to obfuscate any relationships among 
information leaked from side chamiels. 
Prior studies have focused on extending the lifetime of a 
PCM-based system that runs conventional applications but 20 
fail to protect the system against deliberately-crafted mali-
cious attacks. Although durability and security may seem two 
separate issues in PCM design, they can be addressed at the 
same time. Exemplary PCM designs of the present invention 
consider worst-case wear-out scenarios including malicious 25 
attacks such as side chamiel exploits. 
FIG. 3 illustrates a region of memory address space 190 
comprising memory blocks 195, according to an exemplary 
embodiment of the present invention. For simplicity, the 
region 190 is illustrated as containing only four memory 
blocks 195. However, it will be apparent to those skilled in the 
art that regions 190 can comprise arbitrary numbers of 
memory blocks 195 at a potential performance tradeoff. In 
some embodiments, a memory block can be no smaller than a 
cache line in order to simplify address look-up. 
Likewise, in the following explanation of the Security 
Refresh algorithm, a PCM bank 170 is treated as one region 
190. However, a PCM bank 170 can comprise multiple 
regions 190 and sub-regions of memory blocks 195 in various 
embodiments of the present invention. 
After a predetermined number of memory write requests to 
a region 190 of memory address space, the SRC 180 for that 
To circumvent intentional exploits, an adversary can be 
kept from inferring an actual physical PCM location of data. 
Furthermore, the address space can be shuffled dynamically 
over time to avoid the leakage of useful information through 30 
side-channels. To achieve these goals, the present invention 
can define an additional address space, the Refreshed or 
Remapped Memory Address 130 (RMA) space, inside a PCM 
bank 170 to dissociate a memory address 110 from the actual 
location of the associated data. 35 region can refresh 240 a memory block 195 by potentially 
remapping the memory block to a new PCM location based 
on a randomly generated key. This number of writes can be 
analogous to DRAM' s refresh rate and is herein referred to as 
the security refresh interval 250. In various embodiments, the 
I. Security Refresh 
After receiving an access command in MA 120 from a 
memory controller 150, a PCM bank 170 can recalculate its 
own internal row 135 and colunm address 140 in RMA. To 
provide such operation, the present invention enables a 
scheme called Security Refresh. Similar to DRAM refresh, 
which cycles through a DRAM bank reading each row and 
writing it back again to compensate for the gradual leakage of 
charge from the capacitors which store the data, Security 
Refresh can prevent address information from being leaked 
from PCM accesses by dynamically randomizing mapping 
between MAs and RMAs. From hereinafter, the term 
"refresh" should be understood to refer to dynamic remap-
ping or dynamically remapping. 
Rather than refreshing based on time, as with DRAM cells, 
an exemplary embodiment of the security refresh scheme can 
refresh a PCM region 190 based on usage, i.e., the number of 
memory write requests to the PCM region 190. 
Security Refresh can be controlled by one or more Security 
Refresh Controllers 180 (SR Cs). In addition to remapping an 
MA into an RMA, a SRC 180 can also periodically change the 
mapping between these two address spaces with low hard-
ware overhead. 
FIG. 2 illustrates a block diagram of a memory address 
translation path, according to an exemplary embodiment of 
the present invention. As shown in FIG. 2 one or more SRCs 
180 can be embedded inside a PCM bank 170. Embedding an 
SRC 180 inside the PCM bank 170 can provide the following 
nonexclusive benefits: obfuscating the address information 
regarding the actual physical data placement from applica-
tions, a potentially compromised operating system 834 (OS), 
and the memory controller 150; obfuscating potential side-
40 security refresh interval can be based on memory access 
requests, time, any of various other factors, or a combination. 
At each subsequent security refresh interval 250, the 
refresh operations can continue for all memory blocks 195 in 
each region 190. A complete iteration of refreshing every 
45 single memory block in a region 190 is herein referred to as a 
security refresh round 220, similar to DRAM's refresh 
period. 
FIG. 5 illustrates a timeline diagram of security refresh 
rounds comprising the refresh of four memory blocks with a 
50 security refresh interval of two memory write requests, 
according to an exemplary embodiment of the present inven-
tion. As shown in FIG. 5, the exemplary security refresh 
round comprises a refresh of each of the four memory blocks 
195 in the example region 190. In an exemplary embodiment, 
55 the SRC 180 can generate a new random key 210 to begin a 
new security fresh round 220. 
II. Security Refresh Algorithm 
FIG. 6 illustrates a flow diagram of a security refresh round 
220 on a PCM region 190 comprising eight memory blocks 
60 195, according to an exemplary embodiment of the present 
invention. As shown in FIG. 6, sub-figures (a) to ( e) start from 
an initial state and illustrate successive security refreshes 240 
for eight memory blocks 195 in the PCM region 190. In each 
sub-figure, the left colunm shows the MAs 120 (memory 
65 addresses) of these blocks with their data in capital letters, 
and the right column shows the RMAs 130 (refreshed 
memory addresses) and the actual data location in the PCM. 
US 8,806,171 B2 
9 
Sub-figure (a) shows the initial state in which all eight 
RMAs 130 were generated by XORing their corresponding 
MAs 120witharandomkeyk0 , whereko=4. For example, the 
memory address MAO (000) XOR k0 (100) is mapped to 
RMA4 (100) in the physical PCM. Also note that, sub-figure 5 
(a) has reached the end of a security refresh round as all the 
MAs have been refreshed withk0 . Upon each security refresh, 
the candidate MA 120 to be refreshed can be pointed to by a 
register hereinafter called the current refresh pointer 660 
(CRP), shown as a shaded box in the sub figures. The CRP 660 10 
can be incremented 248 after each security refresh. 
Sub-figure (b) illustrates the next security refresh 240. A 
new security refresh round 220 can be initiated because CRP 
660 has reached the first MA 120 of a region 190. Conse-
quently, a new random key (k1 =6) can be generated 210. In 15 
some embodiments a hardware random number generator 
610 can generate random keys. In an exemplary embodiment, 
the hardware number generator can be embedded in SRC 180. 
At this point, MAO is refreshed and remapped from RMA4 to 
RMA6. Since the data [A] of MAO is now moved to RMA6 20 
where the data [CJ ofMA2 used to be, [CJ should be evicted 
from RMA4 and stored somewhere else. Due to the nature of 
XOR, MA2 will actually be mapped to RMA4 using the new 
key (2 XOR k1=4), i.e., the RMA of MAO from the previous 
round (0 XOR ko=4). Thus, this security refresh essentially 25 
swaps data between the PCM locations corresponding to 
MAOandMA2. 
10 
For example, in sub-FIG. 6(d), MA2 can be XO Red with 4 
(kO) and 6 (kl) giving a result ofO (2 XOR 4 XOR 6=0). Since 
the result, 0, is smaller than CRP, 2, it indicates that MA2 has 
already been swapped in the particular refresh round 220. 
Between sub-figures (d) and (e), the next five memory 
blocks 195 are refreshed in the same manner. After the eighth 
security refresh 240 in the current security refresh round 220, 
the CRP 660 will wrap around and reach MAO again, com-
pleting the current security refresh round 220 (sub-figure ( e )). 
Upon the next security refresh 220, a new random key, k2 , can 
be generated 210 and a new round starts using k1 and k2 . ko 
will no longer be needed as for each refresh round 220, only 
the most recent two keys are needed. 
III. Address Translation 
To service a memory request for a given MA 120, the MA 
must be translated to its current RMA 130 using the right key 
in order to find the data location in PCM. In an exemplary 
embodiment, one bit can be added to an SRC 180 for each MA 
120 in the region 190 serviced by the SRC to indicate whether 
the MA should be translated using the current random key or 
the key from the previous refresh round. Though one bit per 
block may seem small, a 1 GB PCM region with 16 KB 
memory blocks could require 8 KB (2·1 6 bits) of extra space. 
To provide fine-grained wear leveling with an exemplary 
block size of 256B, a 1 GB PCM region could require 512 KB 
(2 ·24) of extra space. Such hardware overhead for maintaining 
the translation information of each block is a main reason why 
the prior table-based approaches cannot support fine-granu-
larity segments, i.e., small block sizes. 
In an exemplary embodiment of the present invention, 
however, the pairwise remapping property and linearly 
increasing CRP 660 value property can be used to determine 
the right key without a table. Thus, Security Refresh enables 
fine-grained wear leveling of smaller memory blocks without 
Security refresh using XOR can result in a swap of data 
between an MA to be refreshed and another MA that occupies 
the physical location that the MA to be refreshed should be 30 
remapped to in this current round. This property of XOR is 
hereinafter referred to as the pairwise remapping property, 
and holds true for functions that satisfy the associative prop-
erty: (xEBy)EBz=xEB(yEBz); the commutative property: 
xEBy=yEBx; and self-inverse property: xEBx=e, where e is an 
identity element such that xEBe=x. Although XOR is used in 
this example as an exemplary function satisfying the pairwise 
remapping property, it will be apparent to one skilled in the art 
that other functions can be used with the present invention. 
35 overly burdensome hardware. In exemplary embodiments, a 
memory block size can be the cache line size of the last-level 
cache, or smaller. However, blocks smaller than the cache line 
size can require multiple PCM accesses to retrieve a single 
cache line. 
In some embodiments, the SRC 180 is responsible for 40 
reading and writing the two memory blocks 195 to physically 
swap the data between them. In an exemplary embodiment, 
the SRC 180 comprises the necessary hardware to effect the 
swap. 
When a memory controller 150 wants to read from or write 
to a given MA, Cm, the current key (kc) can be used in the 
following two cases, otherwise, the key in previous refresh 
round (kp) can be used: 
(i) if Cm is less than the value of CRP, the current key (kc) 
Sub-figure ( c) illustrates the next security refresh 240. 
Similar to last refresh, the data for MAl and MA3 (the evictee 
ofMAl) in PCM are swapped between RMA5 and RMA7. 
Sub-figure ( d) illustrates the next security refresh 240. 
45 can be used, since the given MA has already been refreshed in 
the current security refresh round; and (ii) ifthe CmEBkPEBkc is 
less than the value of the CRP, the current key can still be 
used. 
MA2, pointed to by the CRP 660, is the candidate for remap-
ping. However, the data for MA2 has already been remapped 50 
previously in the current security refresh round 220 (see 
sub-figure (b )). In an exemplary embodiment, an MA 220 that 
has already been remapped in a particular refresh round 220 
is not swapped again. As shown in the flow diagram of FIG. 4, 
if it is determined that an MA has already been remapped, 55 
remapping can be skipped and the CRP 660 can be incre-
mented to point to a next memory block 195 in the region 190. 
Thus, MA2 is not swapped again, and the CRP 660 is incre-
mented 248 to point to the next memory block 195. 
An MA can be determined to have been already remapped 60 
in the current round by exploiting the pairwise remapping 
property. In an exemplary embodiment, a current candidate 
MA (the MA 120 pointed to by the CRP 660) can be XO Red 
with the random key used in the prior refresh round and the 
random key used in the current refresh round 220. If the 65 
outcome is smaller than CRP 660, the memory block has 
already been remapped in the current round. 
The second condition detects whether Cm was a victim that 
was evicted when another MA, Dm, was remapped to the old 
RMA value of Cm, i.e., CmEBkr As explained, Dm can be 
reconstructed by performing an XOR operation between the 
RMA value and the current key, which is (Cm EBkP)EBkc IfDm 
is compared against the CRP 660, it can be detected whether 
Cm was a victim that is already remapped when Dm was 
remapped. 
IV. Security Refresh Hardware 
FIGS. 7A-D illustrate schematic diagrams ofhardwarethat 
can be used to implement Security Refresh, according to 
exemplary embodiments of the present invention. The main 
additional hardware for supporting Security Refresh can be 
the security refresh controller 180 (SRC), as shown in FIG. 
7 A. An SRC can comprise a specialized computing device. 
In an exemplary embodiment, a PCM bank 170 can com-
prise one or more SRCs. Each SRC 180 can be associated 
with four registers, a random key generator 610 (RKG), 
address translation logic 620 (ATL) as shown in FIG. 7B, 
US 8,806,171 B2 
11 
remapping checker 630 (RC) as shown in FIG. 7C, swapping 
logic 640 (SWL) as shown in FIG. 7D, and two swap buffers 
642. The four registers can be: (1) KEY() register 670 to store 
a prior key; (2) KEYl register 680 to store a current key; (3) 
a global write counter 650 (GWC) to count the total number 
of writes to a region for triggering security refresh, and ( 4) a 
current refresh pointer 660 (CRP) that points to the next MA 
120 to be refreshed. In an exemplary embodiment, the KEYO 
and/or KEYl registers can be of size log2 n bits, where n is the 
number of memory blocks in a region 190 corresponding to 10 
the SRC 180. 
In various embodiments, one or more of these elements 
associated with an SRC may be embedded inside the SRC. In 
12 
address remapping based on an inner-level security refresh 
interval. In addition, an outer-level region SRC 180 can still 
distribute writes across the entire region 190 with its own 
refresh interval 250. 
With a given refresh interval, a small sub-region can effec-
tively trigger address remapping more frequently because of 
a smaller number of memory blocks within each sub-region. 
On the other hand, an outer-level SRC can occasionally 
remap an MA of a given memory block across sub-regions. 
The additional level can effectively enlarge a region size. 
Each individual Security Refresh level can be regarded as 
an independent layer. In other words, each level can perform 
the Security Refresh algorithm with its own register values an exemplary embodiment, the SRC 180 can comprise the 
RKG 610. In a further embodiment, keys can be generated by 
the RKG in between two security refresh rounds using ther-
mal noise generated by un-driven resistors in the SRC. Such 
random keys can never be accessed outside of or leave the 
PCM chip, thwarting prediction or detection by attackers. The 
ATL 750 can perform address translation. In an exemplary 
embodiment, the ATL can map an MA 120 from the memory 
controller to a corresponding RMA 130. 
15 and settings, and the Security Refresh algorithm can guaran-
tee the integrity of the address remapping. In some embodi-
ments of the present invention, different regions and sub-
regions can have different settings such as memory block 
sizes and refresh intervals, even for regions and sub-regions 
20 the same level. 
As explained earlier, some embodiments of the translation 
process need to determine whether a given MA has been 
remapped in the current round. This determination can be 25 
implemented in the RC 630, which can comprise two bitwise 
XOR gates, two comparators, and one OR gate. The RC 630 
can also be responsible for finding an address to be remapped. 
In an exemplary embodiment, upon every security refresh, 
the RC 630 provides the same output to the SWL 640 so that 30 
SWL can decide whether the MA 120 should be remapped or 
not. If needed, the SWL 640 can perform a swap operation 
with the pair of swap buffers. 
IV. Implementation Tradeoffs 
As described above, Security Refresh presents several 35 
unique advantages over prior wear leveling techniques. How-
ever, there are various performance tradeoffs to be considered 
when implementing Security Refresh in a PCM design. For 
example, ifthe total number of writes required to start a new 
security refresh round is larger than the PCM write endurance 40 
limit, an adversary could wear a PCM block out before a new 
refresh round is triggered. On the other hand, extra PCM 
writes are induced for swapping two blocks upon remapping. 
Frequent swaps can unnecessarily increase the total number 
of PCM writes even for normal applications (write overhead), 45 
leading to performance degradation. 
Moreover, a larger region distributes localized writes 
across a larger memory space; however, a large region 
requires a shorter refresh interval to increase the frequency of 
randomized mapping changes and progress through the 50 
refresh round. Otherwise, a lengthy refresh round can leave 
the randomized mapping unchanged for a protracted period, 
increasing the risk of side-channel attacks. On the other hand, 
a shorter refresh interval will inflict higher write overheads 
due to more frequent swapping, which can lead to a higher 55 
performance penalty. To address the issues of write overhead 
and performance penalty while still taking advantage of a 
large region size, the present invention enables a multi-level 
Security Refresh scheme. 
In an exemplary embodiment, two levels of Security 
Refresh can provide dynamic remapping of memory blocks. 
However, it will be apparent to one skilled in the art that 
Security Refresh schemes can be implemented with more 
than two levels of security refresh. 
FIG. 9 illustrates a block diagram of a two-level Security 
Refresh scheme embedded in a PCM bank, according to an 
exemplary embodiment of the present invention. The two-
level Security can work in a recursive fashion: An outer-level 
Security Refresh controller (i.e., region SRC 180) can accept 
a demand memory request from the memory controller 150 as 
its input. The region SRC 180 can remap a memory address 
120 (MA) of the demand request to an intermediate remapped 
memory address 131 (IRMA). Meanwhile, if the demand 
request is a write that triggers a new refresh, the region SRC 
can perform the demand write request and then generate a 
swap operation that consists of two read requests and two 
write requests for two IRMAs 131. In this example, the region 
size of the outer-level Security Refresh is the size of a bank. 
Consequently, every r0 writes to a given bank 150 (where r0 is 
the security refresh interval of the outer level Security 
Refresh) can trigger a new refresh operation in the bank 150. 
In order to keep the integrity of its address remapping, the 
outer SRC can halt other requests until the swap is completed. 
The demand request or the swap requests generated by the 
outer SRC can be forwarded to the appropriate sub-regions 
according to a sub-region index field 155 in their IRMAs 131, 
as shown in FIG. lB. 
Each sub-region SRC 181 can perform the Security 
Refresh algorithm on its respective sub-region 191. The sub-
region SRC 181 can take a request from the region SRC 180, 
which can be either a memory demand request or a swap 
request generated by the region SRC. The sub-region SRC 
181 can use the IRMA 131 of those requests to find a corre-
sponding RMA 130, which is the actual physical location of 
the data inside the sub-region 191. 
If the request from the region SRC 180 triggers an inner-
level, sub-region refresh, the sub-region SRC 181 can auto-
IV. Multi-Level Security Refresh 
FIG. 8 illustrates a block diagram of a multi-level Security 
Refresh with two levels of dynamic remapping, according to 
an exemplary embodiment of the present invention. In lieu of 
using small refresh intervals that can increase write overhead, 
60 matically perform a swap operation of two RMAs inside the 
sub-region. Consequently, every r, writes to a given sub-re-
gion (where r, is the security refresh interval of the inner-level 
sub-region Security Refresh) will trigger one new refresh 
a region 190 can be broken up into multiple smaller sub- 65 
regions 191, as shown in FIG. 8. Each sub-region can be 
associated with its own sub-region SRC 181 to perform 
operation in the sub-region. 
In some embodiments, when the first write request of a 
swap operation from a region SRC 180 triggers a sub-region 
refresh, the second write request of the outer-level swap 
US 8,806,171 B2 
13 
operation can be performed after the completion of the inner-
level refresh to guarantee the integrity of the address remap-
ping in the sub-region. 
14 
The computing device 400 can include a variety of com-
puter readable media. Computer-readable media can be any 
available media that can be accessed by the computing device 
400, including both volatile and nonvolatile, removable and 
non-removable media. For example, and not limitation, com-
puter-readable media can comprise computer storage media 
and communication media. Computer storage media can 
include, but are not limited to, RAM, ROM, EEPROM, flash 
memory or other memory technology, CD-ROM, digital ver-
FIG. lB illustrates an exemplary of address remapping 
from MA 120 to IRMA 131 through the outer-level Security 
Refresh and that from IRMA 131 to RMA 130 through the 
inner-level Security Refresh. In this exemplary illustration, 
each 1 GB bank is divided into 512 sub-regions while the 
memory block sizes for both region and sub-region are 32B. 
As shown in FIG. lB, nine most significant bits from a row 
address are used as a sub-region index. 
In other words, a row in this exemplary PCM bank is 
virtually partitioned into 512 sub-regions. For each sub-re-
gion, an inner-level SRC 181 can perform the operations of 
Security Refresh as explained above. Similarly, the region 
SRC 180 can perform the same operation across the entire 
bank 150. 
10 satile disks (DVD) or other optical disk storage, magnetic 
cassettes, magnetic tape, magnetic disk storage or other mag-
netic storage devices, or any other medium which can be used 
to store data accessible by the computing device 400. For 
example, and not limitation, communication media can 
15 include wired media such as a wired network or direct-wired 
connection, and wireless media such as acoustic, RF, infrared 
and other wireless media. Combinations of any of the above 
can also be included within the scope of computer readable 
media. 
In some embodiments the region SRC 180 can swap two 
memory blocks that belong to different sub-regions because 
the sub-region index is a part of output values of the XOR 20 
operation. Such swapping between distinct sub-regions trig-
gered by the region SRC 180 enables distribution oflocalized 
writes across the entire bank 170 without using a large sub-
region at the inner-level. 
The system memory 430 can comprise computer storage 
media in the form of volatile or nonvolatile memory such as 
read only memory (ROM) 431 and random access memory 
(RAM) 432. A basic input/output system 433 (BIOS), con-
taining the basic routines that help to transfer information 
FIG. 10 illustrates a schematic diagram of a PCM bank of 
with two levels of Security Refresh, according to an exem-
plary embodiment of the present invention. Implementations 
of a multi-level Security Refresh scheme can share certain 
hardware within and between levels. For example, as shown 
25 between elements within the computing device 400, such as 
during start-up, can typically be stored in the ROM 431. The 
RAM 432 typically contains data and/or program modules 
that are immediately accessible to and/or presently in opera-
tion by the processing unit 420. For example, and not limita-
30 tion, FIG. 11 illustrates operating system 434, application 
programs 435, other program modules 436, and program data 
437. 
in FIG. 10, in an exemplary embodiment, SRCs of the same 
level can share swap buffers 643. In another exemplary 
embodiment, a RKG 610 embedded in a PCM bank can be 
shared among one or more levels of SRCs. These examples 
are not exhaustive and it will be apparent to those skilled in 
the art that many other configurations reducing hardware 35 
requirements are possible. 
V. Exemplary Computer Systems 
The computing device 400 can also include other remov-
able or non-removable, volatile or nonvolatile computer stor-
age media. By way of example only, FIG. 11 illustrates a hard 
disk drive 441 that can read from or write to non-removable, 
nonvolatile magnetic media, a magnetic disk drive 451 for 
reading or writing to a nonvolatile magnetic disk 452, and an 
optical disk drive 455 for reading or writing to a nonvolatile 
optical disk 456, such as a CD ROM or other optical media. 
Other computer storage media that can be used in the exem-
plary operating environment can include magnetic tape cas-
settes, flash memory cards, digital versatile disks, digital 
video tape, solid state RAM, solid state ROM, and the like. 
FIG. 11 illustrates an architecture of a suitable target plat-
form or device that can be used for implementation of the 
dynamic remapping method 300, according to an exemplary 40 
embodiment of the present invention. As mentioned above, 
one or more aspects of the dynamic remapping methods and 
related systems can be embodied, in whole or in part, in a 
computing device 400. FIG. 11 illustrates an example of a 
suitable computing device 400 that can be used. 45 The hard disk drive 441 can be connected to the system bus 
421 through a non-removable memory interface such as inter-
face 440, and magnetic disk drive 451 and optical disk drive 
455 are typically connected to the system bus 421 by a remov-
Although specific components of a computing device 400 
are illustrated in FIG. 11, the depiction of these components 
in lieu of others does not limit the scope of the invention. 
Rather, various types of computing devices 400 can be used to 
implement embodiments of the dynamic remapping method. 50 
Exemplary embodiments of the dynamic remapping method 
can be operational with numerous other general purpose or 
special purpose computing system environments or configu-
rations. 
Exemplary embodiments of the dynamic remapping 55 
method can be described in a general context of computer-
executable instructions, such as one or more applications or 
program modules, stored on a computer-readable medium 
and executed by a computer processing unit. Generally, pro-
gram modules can include routines, programs, objects, com- 60 
ponents, or data structures that perform particular tasks or 
implement particular abstract data types. 
With reference to FIG. 11, components of the computing 
device 400 can comprise, without limitation, a processing 
unit 420 and a system memory 430. A system bus 421 can 65 
couple various system components including the system 
memory 430 to the processing unit 420. 
able memory interface, such as interface 450. 
The drives and their associated computer storage media 
discussed above and illustrated in FIG. 11 can provide storage 
of computer readable instructions, data structures, program 
modules and other data for the computing device 400. For 
example, hard disk drive 441 is illustrated as storing an oper-
ating system 444, application programs 445, other program 
modules 446, and program data 447. These components can 
either be the same as or different from operating system 434, 
application programs 435, other program modules 436, and 
program data 437. 
A web browser application program 435, or web client, can 
be stored on the hard disk drive 441 or other storage media. 
The web client 435 can request and render web pages, such as 
those written in Hypertext Markup Language, in another 
markup language, or in a scripting language. 
A user of the computing device 400 can enter commands 
and information into the computing device 400 through input 
devices such as a keyboard 462 and pointing device 461, 
US 8,806,171 B2 
15 
commonly referred to as a mouse, trackball, or touch pad. 
Other input devices (not shown) can include a microphone, 
joystick, game pad, satellite dish, scanner, electronic white 
board, or the like. These and other input devices are often 
connected to the processing unit 420 through a user input 
interface 460 coupled to the system bus 421, but can be 
connected by other interface and bus structures, such as a 
parallel port, game port, or a universal serial bus. A monitor 
491 or other type of display device can also be connected to 
the system bus 421 via an interface, such as a video interface 10 
490. In addition to the monitor, the computing device 400 can 
also include other peripheral output devices such as speakers 
497 and a printer 496. These can be connected through an 
output peripheral interface 495. 
16 
element in the second set by swapping, between the 
respective element from the first set and another respec-
tive element from the first set, their respective mappings 
to an element from the second set, wherein the random 
key is a new random key provided for the respective 
round of mapping and wherein the pointer is updated to 
indicate an element from the first set to be mapped next 
during the respective round of mapping; and 
tracking, using the pointer, the new random key for the 
respective round of mapping, and a random key from a 
previous round of mapping, which elements from the 
first set have already been mapped to elements from the 
second set in the respective round of mapping. 
2. The computer program product of claim 1, further com-
prising providing a set of sub-elements, each respective sub-
element of the set of sub-elements corresponding to a respec-
tive element from the first set of elements and mutably 
associated with a respective element from the second set of 
The computing device 400 can operate in a networked 15 
environment, being in communication with one or more 
remote computers 480 over a network. The remote computer 
480 can be a personal computer, a server, a router, a network 
PC, a peer device, or other common network node, and can 
include many or all of the elements described above relative 20 elements; 
to the computing device 400, including a memory storage 
device 481. 
When used in a LAN networking environment, the com-
puting device 400 can be connected to the LAN 471 through 
wherein the swapping, between the respective element 
from the first set and another respective element from the 
first set, their respective mappings to an element from 
the second set, comprises swapping, between the sub-
element corresponding to the respective element from 
the first set and the sub-element corresponding to the 
another respective element from the first set, their 
respective associations to an element from the second 
set. 
3. The computer program product of claim 2, wherein the 
first set and the second set comprise a first region of memory 
address space and a second region of memory address space, 
respectively, wherein each respective element of the first set 
and of the second set comprises a memory block, and wherein 
a network interface or adapter 470. When used in a WAN 25 
networking environment, the computing device 400 can 
include a modem 472 or other means for establishing com-
munications over the WAN 473, such as the internet. The 
modem 472, which can be internal or external, can be con-
nected to the system bus 421 via the user input interface 460 30 
or other appropriate mechanism. In a networked environ-
ment, program modules depicted relative to the computing 
device 400 can be stored in the remote memory storage 
device. For example, and not limitation, FIG. 11 illustrates 
remote application programs 485 as residing on memory 
storage device 481. It will be appreciated that the network 
connections shown are exemplary and other means of estab-
lishing a communications link between computers can be 
used. 
35 each respective sub-element of the set of sub-elements com-
prises data. 
4. The computer program product of claim 1, wherein the 
mapping of each respective element of the first set to a random 
respective element from the second set is based on a prede-
termined interval. 
5. The computer program product of claim 4 further com-
prising receiving one or more requests for an element from 
the first set, wherein the predetermined interval is at least 
partially based on a predetermined number of requests for an 
45 element from the first set. 
Numerous characteristics and advantages have been set 40 
forth in the foregoing description, together with details of 
structure and function. While the invention has been dis-
closed in several forms, it will be apparent to those skilled in 
the art that many modifications, additions, and deletions, 
especially in matters of shape, size, and arrangement of parts, 
can be made therein without departing from the spirit and 
scope of the invention and its equivalents as set forth in the 
following claims. Therefore, other modifications or embodi-
ments as may be suggested by the teachings herein are par-
ticularly reserved as they fall within the breadth and scope of 50 
the claims here appended. 
We claim: 
1. A computer program product embodied in a non-transi-
tory computer-readable medium, the computer program 
product comprising an algorithm adapted to effectuate a 
method for dynamically remapping a set of elements onto 
another set of elements, the method comprising: 
providing a first set of elements bijectively mapped onto a 
second set of elements; 
providing a pointer for indicating an element from the first 
set; and 
dynamically remapping the first set onto the second set, 
wherein the dynamically remapping comprises per-
forming two or more rounds of mapping, each respective 
round of mapping comprising: 
mapping, at least partially based on a random key, each 
respective element of the first set to a random respective 
6. The method of claim 1, wherein the mapping at least 
partially based on the random key, each respective element of 
the first set to a random respective element in the second set, 
comprises, selecting the random respective element at least 
partially based on performing an algebraic operation on an 
index of an element of the first set to derive an index of the 
random respective element. 
7. The method of claim 6, wherein the algebraic operation 
satisfies associative, commutative, and self-inverse proper-
55 ties. 
8. The method of claim 6, wherein the algebraic operation 
is an XOR operation. 
9. A computer-implemented method for dynamically 
remapping a memory address space to another memory 
60 address space comprising: 
65 
providing a first region of memory address space compris-
ing a plurality of memory blocks and providing a second 
region of memory address space comprising a plurality 
of memory blocks, wherein the second region and the 
first region have a same size and there is a one-to-one 
mapping between memory blocks of the first region and 
second region; 
US 8,806,171 B2 
17 
providing a pointer for pointing to a memory block from 
the first region; and 
dynamically remapping the first region onto the second 
region, wherein the dynamically remapping comprises 
performing two or more rounds of mapping, each 
respective round of mapping comprising: 
mapping, at least partially based on a random key, each 
respective memory block of the first region to a ran-
dom respective memory block from the second 
region, by swapping, between the respective memory 10 
block from the first region and another respective 
memory block from the first region, their respective 
mappings to a memory block from the second region 
"'.herein the random key is a new random key pro~ 
v1ded for the respective round of mapping and 15 
wherein the pointer is updated to indicate a memory 
block from the first region to be mapped next during 
the respective round of mapping; and 
tracking using the pointer, the new random key for the 
respective round of mapping, and a random key from 20 
a previous round of mapping, which memory blocks 
from the first region have already been mapped to 
memory blocks from the second region in the respec-
tive round of mapping. 
10. The computer-implemented method of claim 9 further 25 
comprising receiving one or more write requests to the first 
region .of memory address space, and wherein mapping a 
respective memory block of the first region to a respective 
memory block from the second region occurs responsive to a 
predetermined number of write requests to the first region of 30 
memory address space. 
11. The computer-implemented method of claim 9 
wherein the mapping at least partially based on the rando~ 
key comprises mapping at least partially based on an alge-
braic operation on a block address of a memory block from 35 
the. firs.t region with the random key, the algebraic operation 
satJsfymg the associative, commutative, and self-inverse 
properties. 
12. The computer-implemented method of claim 11 
wherein the algebraic operation is an XOR operation. ' 40 
13. The i:iethod of claim 9, wherein the swapping, between 
the respective memory block from the first region and another 
r~spective.memory block from the first region, their respec-
tive m~ppmgs to a memory block from the second region, 
compnses swapping, for the respective memory block from 45 
the first region and the another respective memory block from 
the first region, the memory blocks from the second region 
that their corresponding data are stored in. 
14. A system for dynamically remapping a set of elements 
onto another set of elements comprising: 
a first set of elements; 
a second set of elements; 
a random key provider; 
a pointer for indicating an element from the first set; and 
50 
a controller configured to dynamically remap the first set 55 
onto the second set, wherein the dynamically remapping 
comprises performing two or more rounds of mapping, 
each respective round of mapping comprising: 
18 
the respective element from the first set and another 
respective element from the first set, their respective 
mappings to an element from the second set, wherein 
the pointer is updated to indicate an element from the 
first set to be mapped next during the respective round 
of mapping; and 
tracking, using the pointer, the new random key for the 
respective round of mapping, and a random key from 
a previous round of mapping, which elements from 
the first set have already been mapped to elements 
from the second set in the respective round of map-
ping. 
15. The system of claim 14, wherein the first set of ele-
ments and the second set of elements comprise a first region 
of memory address space and a second region of memory 
address space, respectively, and wherein each respective ele-
ment from the first set and the second set comprises a memory 
block. 
. 16 .. The system of claim 15, wherein the random key pro-
vider 1s ~random key generator, and the controller comprises: 
a reg~ster configured to store a first random key; and 
a register configured to store a second random key. 
17. The system of claim 15 further comprising a non-
volatile memory bank, the non-volatile memory bank com-
prising a plurality of the controllers. 
. 18. The system of claim 14, the controller further compris-
mg: 
a register configured to store the pointer. 
19. The system of claim 15, wherein a size of each memory 
block is a cache line size of a last-level cache. 
20. The system of claim 16, wherein the random key gen-
erator is configured to generate random keys based at least 
partially on thermal noise from the controller, the controller 
further comprising the random key generator. 
21. The system of claim 16, wherein the mapping at least 
partially based on the new random key comprises mapping 
based on an algebraic operation on a block address of a 
memo~ block of the first region with the new random key, the 
algebraic operation satisfying the associative, commutative, 
and self-inverse properties; 
the system further comprising two swap buffers for storing 
data; and 
the controller further comprising a swapping logic config-
ured to swap data between memory blocks from the 
second region using at least the two swap buffers. 
22. The system of claim 16, wherein: 
the controller is further configured to receive write requests 
for .memory blocks of the first region and comprises a 
reg1.ster configured to store a count of write requests; and 
wherem a predetermined interval for initiating mapping of 
an element from the first set to a respective element from 
the second set is at least partially based on a predeter-
mined number of write requests for a memory block in 
the first region. 
. 23. The system of claim 16, the controller further compris-
mg address translation logic configured to translate the 
address of a given memory address in the first region of 
memory address space to an address of a memory block in the providing, by the random key provider, a new random 
keJ'. for the respect!ve round of mapping; 
mappmg, at least partrnlly based on the new random key, 
each respective element of the first set to a respective 
element in the second set, set by swapping, between 
60 second region based on the pointer, a random key for a current r~spective ro1:'nd of mapping, and a random key from a pre-
v10us respective round of mapping. 
* * * * * 
