USENIX Security 2026
Memclave: Secure In-memory Enclave for Untrusted Hosts
Amit Choudhari, Fabian van Rissenbeck, Christian Rossow
Abstract
Cloud platforms run data-intensive workloads in multi-tenant settings, where frequent CPU-memory traffic can leak access patterns via cache side channels. Processing-in-Memory (PIM) devices such as UPMEM move computation into DRAM, sharply reducing data movement and shrinking the CPU cache footprint. However, commercial PIM architectures expose a host-programmed control plane and host-shared module memory, leaving device-resident code and data vulnerable to a compromised host. Existing secure-PIM proposals either add encryption/access-control hardware or rely on heavyweight host-side cryptographic protocols, complicating practical deployment. We present Memclave, a software-only framework that brings code integrity and data confidentiality to commodity PIM without hardware changes. A TPM-attested hypervisor permanently isolates the PIM's control plane from host access at boot. On each in-memory core, a trusted loader authenticates the user kernel and establishes a per-session protected data path. Memclave preserves the programming model and kernel code: host applications replace a small set of data-movement calls with secure drop-ins, keeping the trusted computing base small and the porting effort low. We implement Memclave on off-the-shelf UPMEM DIMMs and evaluate it across the PrIM benchmark suite, covering heterogeneous memory-access, compute, and synchronization patterns. After a one-time ∼100 ms authenticated load, in-memory kernel time remains close to the PIM baseline: Multilayer Perceptron (MLP) stays within 1.5× at practical sizes, and Breadth-First Search (BFS) is 1.1× on some graphs, with a modest rise as the number of frontier levels increases.
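The two mechanisms the abstract names, an authenticated kernel load followed by a per-session protected data path whose secure drop-ins replace the plain data-movement calls, can be modelled end to end in a few dozen lines. The following is an added illustration written for this page, not Memclave's code and not UPMEM's SDK: `Loader`, `Session`, `seal`, `open`, `sign_kernel` and `LOADER_KEY` are hypothetical names, kernel authentication uses an HMAC under a pre-shared loader key as a stand-in for whatever scheme Memclave actually uses, confidentiality comes from HMAC-SHA256 used as a PRF in counter mode so the example needs only the Python standard library, and how the session secret is agreed between host and device is left out. The point it shows beyond the prose is what the device side must reject: a modified kernel image, a transfer with a flipped byte, and a replayed transfer.

```python
"""Illustrative model (added example, not Memclave's code) of an authenticated
kernel load plus a per-session protected data path with replay protection.
All keys, names and sample data below are constructed for the example."""

import hashlib
import hmac
import os
import struct

# Pre-shared key between kernel publisher and trusted loader (constructed, hypothetical).
LOADER_KEY = b"example-loader-key-not-a-real-secret"


def sign_kernel(kernel_image: bytes, key: bytes = LOADER_KEY) -> bytes:
    """Publisher side: tag the kernel image so the loader can authenticate it."""
    return hmac.new(key, kernel_image, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter mode with HMAC-SHA256 as the PRF: block i = HMAC(key, nonce || i).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class Session:
    """Per-session data path: distinct encryption and MAC keys derived from one
    session secret, and a sequence number that rejects replayed transfers."""

    def __init__(self, session_secret: bytes):
        self.enc_key = hashlib.sha256(b"enc" + session_secret).digest()
        self.mac_key = hashlib.sha256(b"mac" + session_secret).digest()
        self.send_seq = 0
        self.recv_seq = 0

    def seal(self, plaintext: bytes) -> bytes:
        """Secure drop-in for a host->PIM copy: seq || nonce || ciphertext || tag."""
        nonce = os.urandom(16)
        header = struct.pack(">Q", self.send_seq) + nonce
        ct = _keystream_xor(self.enc_key, nonce, plaintext)
        tag = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        self.send_seq += 1
        return header + ct + tag

    def open(self, message: bytes) -> bytes:
        """Device-side counterpart: check tag, then sequence, then decrypt."""
        if len(message) < 8 + 16 + 32:
            raise ValueError("truncated transfer")
        header, ct, tag = message[:24], message[24:-32], message[-32:]
        expected = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        if struct.unpack(">Q", header[:8])[0] != self.recv_seq:
            raise ValueError("replayed or out-of-order transfer")
        self.recv_seq += 1
        return _keystream_xor(self.enc_key, header[8:24], ct)


class Loader:
    """Stand-in for the trusted loader on an in-memory core (hypothetical)."""

    def __init__(self, key: bytes = LOADER_KEY):
        self.key = key
        self.loaded = None

    def authenticated_load(self, kernel_image: bytes, tag: bytes) -> bytes:
        """Refuse an unauthenticated kernel; on success hand back a fresh session secret.
        How that secret reaches the host is a key-agreement step this model omits."""
        expected = hmac.new(self.key, kernel_image, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("kernel authentication failed; refusing to load")
        self.loaded = kernel_image
        return os.urandom(32)


def demo() -> dict:
    """Exercise the happy path and the three rejections a defender cares about."""
    kernel = b"\x00\x01DPU kernel bytes (constructed)"
    secret = Loader().authenticated_load(kernel, sign_kernel(kernel))
    host, device = Session(secret), Session(secret)

    msg = host.seal(b"input row 0: 1,2,3")
    results = {"roundtrip": device.open(msg) == b"input row 0: 1,2,3"}

    bad = bytearray(host.seal(b"input row 1"))   # flip one ciphertext byte
    bad[30] ^= 0x01
    for name, action in (
        ("tampered_rejected", lambda: device.open(bytes(bad))),
        ("replay_rejected", lambda: device.open(msg)),
        ("bad_kernel_rejected",
         lambda: Loader().authenticated_load(kernel + b"!", sign_kernel(kernel))),
    ):
        try:
            action()
            results[name] = False
        except ValueError:
            results[name] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real deployment of this shape: the tag is checked before the sequence number and before decryption, so a forged transfer is dropped without touching the keystream, and the device keeps its own receive counter rather than trusting the sequence field, which is what turns the replayed `msg` into a rejection.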