UPDATED 07:00 EDT / JULY 08 2013

Data Incognito: Securing The Cloud

Rarely does a week pass without a headline on internet privacy and security, with a story underneath detailing how another breach has compromised user data. It turns out, however, that not every privacy and security story is bad news. One exception was a presentation delivered last week at the International Symposium on Computer Architecture by a group of MIT researchers.

Cloud infrastructure has raised concerns about privacy since its inception. As explained in an MIT press release, a bank of cloud servers could be running applications for 1000 customers at one time. Unbeknownst to the hosting service, one of those applications might have no purpose other than spying on the other 999.

Data encryption has made cloud servers more secure. However, a motivated individual or group can still learn more than enough about a business or individual by focusing on memory-access patterns. These patterns show how frequently a server stores and accesses data at specific memory addresses.

Ascend, a new hardware component developed by a team at MIT, disguises memory-access patterns. By hiding this information from a potential attacker, Ascend makes it impossible to draw any inference about the stored data. Ascend is also effective at thwarting timing attacks.

“This is the first time that any hardware design has been proposed – it hasn’t been built yet – that would give you this level of security while only having about a factor of three or four overhead in performance,” states Srini Devadas. “People would have thought it would be a factor of 100.”

Ascend arranges memory addresses in a sort of tree. Much like a family tree, each node is attached to only one node above it but may be connected to several nodes below it. Each address is randomly assigned to a node on this tree. Every node lies on a path that originates from the top of the tree, and when the processor wants data from one address, it sends requests to all the addresses on a given path, including the one it’s really after.

Each time Ascend accesses a particular memory address, it randomly swaps that address with one stored somewhere else in the tree. This means multiple visits to the same address will usually require accessing it via different paths.

As a final security measure, Ascend sends out memory requests at regular intervals. These memory requests occur even when the processor is busy and doesn’t require any new data. This prevents attackers from telling how long any given computation is taking.
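
The following is an added example, not code from the article or from the MIT team: a simplified software model of the tree scheme described above, showing that repeated reads of one address touch different paths. The class `PathORAM`, its parameters and the sample records are assumptions made for illustration; it does not model Ascend's hardware or its fixed request timing, and `addr=None` only stands in for a dummy request.

```python
import random

class PathORAM:
    """Toy model: every access reads and rewrites one whole root-to-leaf path."""

    def __init__(self, levels=4, bucket_size=4, seed=None):
        self.levels, self.bucket_size = levels, bucket_size
        self.rng = random.Random(seed)
        self.tree = [[] for _ in range(2 ** (levels + 1) - 1)]  # heap-ordered buckets
        self.pos = {}     # address -> leaf; held inside the trusted processor
        self.stash = {}   # blocks held on-chip between read and write-back
        self.trace = []   # leaf of each path touched: all a bus observer sees

    def _path(self, leaf):
        node = leaf + 2 ** self.levels - 1   # heap index of the leaf bucket
        path = [node]
        while node:
            node = (node - 1) // 2
            path.append(node)
        return path[::-1]                    # root first

    def access(self, addr=None, value=None):
        """Read addr, or write it if value is given; addr=None is a dummy request."""
        n_leaves = 2 ** self.levels
        leaf = self.pos.get(addr, self.rng.randrange(n_leaves))
        if addr is not None:
            self.pos[addr] = self.rng.randrange(n_leaves)  # remap for the next visit
        path = self._path(leaf)
        self.trace.append(leaf)
        for node in path:                    # pull every bucket on the path on-chip
            self.stash.update(self.tree[node])
            self.tree[node] = []
        if addr is not None and value is not None:
            self.stash[addr] = value
        result = self.stash.get(addr)
        for node in reversed(path):          # write back, deepest bucket first
            fits = [a for a in self.stash if node in self._path(self.pos[a])]
            self.tree[node] = [(a, self.stash.pop(a)) for a in fits[:self.bucket_size]]
        return result

def demo(seed=1):
    oram = PathORAM(seed=seed)
    for a in range(8):                       # constructed sample data
        oram.access(a, f"record-{a}")
    oram.trace.clear()
    values = [oram.access(3) for _ in range(20)]   # same address, 20 times
    return values, list(oram.trace)

if __name__ == "__main__":
    values, leaves = demo()
    print(set(values), leaves)
```

The trace is the only thing visible outside the processor in this model; the position map and stash are assumed to stay on the trusted chip.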

This latest MIT proposal is a promising advance in cloud security. With the eventual implementation of Ascend, both companies and individual users will rightly enjoy a confidence in the cloud that thus far has been lacking.

