Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cold Reboot Attacks on Disk Encryption

Posted by CmdrTaco on from the wont-someone-please-think-of-the-bits dept.

jcrouthamel writes "Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them."

21 of 398 comments (clear)

  1. Clear the DRAM? by the4thdimension · · Score: 5, Interesting

    Could probably implement an algorithm at the operating system level that attempts to clear out DRAM except for what is actually needed for the operating system to power down/boot up. I am not sure of the exact logistics but it seems silly to just power down and leave the DRAM however it was, no matter if its instant cleared or take a few minutes.

    --
    Crackin' Wise - Blogging about whatever we want
    1. Re:Clear the DRAM? by KublaiKhan · · Score: 5, Interesting

      It is possible; I remember reading about a class of programs in the Jargon File that exploited certain machine code instructions to clear out the whole of the machine's memory, including itself.

      Can't remember the name of 'em, though.

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
    2. Re:Clear the DRAM? by tmalone · · Score: 5, Funny

      Or we could get rid of this easy to work with RAM that computers have now and go back to the olden days when you had to curse and scream and rip your hands to shreds on sharp metal corners to get at the RAM, which, once you got at was a pain in the ass to remove. Ah, the good old days.

    3. Re:Clear the DRAM? by orclevegam · · Score: 5, Insightful

      As the4thdimension already pointed out, it's a common tenant in systems security that anyone with physical access and sufficient time can disable or otherwise bypass any security system. The fact is, if they're in a position to swipe the RAM out of your computer, they can just as easily take the HD to a secure location to try to brute force it, and/or attach some probes to the RAM and just read the bits straight off it, wouldn't even need to power the system down. Hardware security is just that, hardware, so there will never be an adequate software solution to a hardware security problem. Likewise, software security means nothing if the hardware is vulnerable. It's like building a safe with the most complex and impenetrable locking mechanism ever designed, and then using 1/4" aluminum for the body of the safe, sure no one's going to crack the locking mechanism, but all it takes is 5 minutes with a power drill to bypass it.

      That being said, some sort of physical security mechanism probably wouldn't be out of the question for scenarios that actually called for it. For instance, on systems that contain highly sensitive data such as nuclear launch codes or some such, I could envision a tripwire type system on the computer case that detonates shaped charges on the HD and RAM when the case is cracked. This does open up a possible DOS attack vector, but the alternative seems to justify it.

      --
      Curiosity was framed, Ignorance killed the cat.
    4. Re:Clear the DRAM? by compro01 · · Score: 5, Informative

      death code

      --
      upon the advice of my lawyer, i have no sig at this time
    5. Re:Clear the DRAM? by Anonymous Coward · · Score: 5, Interesting

      Thermite grenades, actually, taped to the case. Classified computers in sensitive areas get turned into slag if the position is overrun. (From my days working for one of the giant US 'aerospace' companies.)

    6. Re:Clear the DRAM? by CountBrass · · Score: 5, Insightful

      I think you've missed the point. Hard drive encryption *is* supposed to protect against someone having physical access to your machine.

      --
      Bad analogies are like waxing a monkey with a rainbow.
    7. Re:Clear the DRAM? by RAMMS+EIN · · Score: 5, Informative

      Exactly! That is why this news item is actually big news. The idea of encrypting your disk is _exactly_ that someone without the key will not be able to access the data (within a reasonable amount of time - any encryption can be broken), even if they have physical access. And encrypting your disk does indeed prevent someone without the key from reading the data. What TFA tells us is that there is a way to get the key that we may not have considered, and I'm willing to bet many of us indeed hadn't. But now that we know of this attack vector, we can work against it.

      As long as we can keep the key hidden, the encryption will protect our data.

      --
      Please correct me if I got my facts wrong.
    8. Re:Clear the DRAM? by orclevegam · · Score: 5, Interesting

      Yes, but the point is, if the system is powered down when it's stolen, or the hard drive is removed from the system, the full disk encryption will still protect the data. This is only a valid attack vector in the highly unlikely occasion that you have access to the powered on system, and even then it's somewhat dubious as to whether you'll get the data you need off of it. As I said though, this is very interesting from an academic standpoint for the simple fact that it is something that hasn't really been thought of. That being the case though, I can already think of one way to prevent this. Simply store your decryption keys at memory offset 0000:7C00, which will ensure that the BIOS copies the boot loader over your keys the next time the system boots (on x86 systems at any rate).

      --
      Curiosity was framed, Ignorance killed the cat.
    9. Re:Clear the DRAM? by Ollabelle · · Score: 5, Interesting

      Had something similar when I was working for a heavy construction company. Used to take out the old hard drives and take them down to the welding shop. They always enjoyed torching a hole through the spindle and liquefying everything inside the case...

      --
      Ibid.
    10. Re:Clear the DRAM? by HTH+NE1 · · Score: 5, Interesting

      Just put in firmware a key generator and encrypt everything going on the memory bus with a new key on every start-up. Bonus: also remap the memory address space randomly so that instructions and data are not stored sequentially on the same chip. For pipeline filling to work though you'll want it integrated into the CPU.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    11. Re:Clear the DRAM? by KublaiKhan · · Score: 5, Informative

      -You- may practice proper procedure, but some contractor/low level drone/mindless bureaucrat might leave his system on screensaver (or just lock the console) when turning his back for a moment, which would allow for someone to snatch the laptop and run.

      And while your program may indeed wipe the drive after 10 incorrect guesses, there's one very significant weakness to that proposition: the program must be -running- in order to do so.

      So, in this case, the method of attack would be as follows: find someone with a laptop full of information who has it activated in an accessible location. Grab said laptop and remove it to a location where the RAM can be accessed per this hack. Then, after grabbing the key, remove the hard drive, hook it to a system you have control over, and either use the key to open the drive or, if the key is corrupted or incomplete, use the key as input to crack the drive conventionally--bearing in mind that if it is mounted in such a way that your fancy program does not activate, the program cannot erase the drive.

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
    12. Re:Clear the DRAM? by FuzzyDaddy · · Score: 5, Funny
      They always enjoyed torching a hole through the spindle and liquefying everything inside the case..

      Well, who wouldn't?

      --
      It's not wasting time, I'm educating myself.
  2. Firewire and USB can access memory by Anonymous Coward · · Score: 5, Interesting

    Heck, with physical access to a running machine, jack into the firewire or USB port and you have clear access to reading and writing all the memory you want.
    I wrote a small paper here http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf for a forensics class on using firewire to access memory, subverting the operating system.

    All bets are off once physical access is gained. Best bet would be to store the keys, somehow, in the CPU's caches and never let it stay in main memory.

  3. Re:Physical Access by TheRaven64 · · Score: 5, Informative
    Think laptops. Laptop users with a half-decent OS don't turn their machines off, they just put them to sleep. When you turn the machine on, you enter your passphrase and it mounts the encrypted disk volume. When you close the lid, the OS locks the machine. You can't get in again without entering your pass phrase. If someone steals the machine, they can't log back in without knowing your password. If they shut the machine down and boot from a different disk then they can't access your data because it's encrypted and turning off the machine wiped the decryption key from RAM.

    Except, apparently, it didn't. With the new scenario, the thief takes the cover off the machine and then pulls the battery. They then cool the RAM chips and dump the contents. They can then scan through the dump looking for the decryption key. Once they've found it, they mount the encrypted volume from another OS and get at all of your confidential data.

    --
    I am TheRaven on Soylent News
  4. Very real concern by Deagol · · Score: 5, Interesting
    I run my FreeBSD (7.0RC3) system with some geli-encrypted volumes, and one-time encrypted swap and /tmp. Very little data can leak out to non-encrypted space (yeah, /var/tmp is one).

    However, for grins one day, I decided to run "dd if=/dev/mem bs=1m count=[mem size] | strings | grep [whatever]" and found not only various passwords, but URLs for sites visited *weeks* ago, even after reboots. So, I installed the "secure_delete" port and ran "smem". No luck -- some stuff got wiped, but some remained in memory. So I booted to a memtest86 CD-ROM, and ran the full test (this test does all kinds of writes/reads to memory). Then, I booted *back* to the normal system, and I was *still* able to recover juicy bits from /dev/mem. WTF?

    We need a kernel module for the common OSes that can encrypt virtual pages (is that the right term?) so that whether in core or paged, they won't be vulnerable.

    --
    Method of processing duck feet
    1. Re:Very real concern by Cruicky · · Score: 5, Informative

      If you are running "dd if=/dev/mem bs=1m count=[mem size] | strings | grep [whatever]" on the machine, your search term will be stored in memory, so you are certain to get a result. You would need to take a memory dump, then run strings on that instead, preferably after it's been transferred to another machine.

  5. Re:Fascinating... by Anonymous Coward · · Score: 5, Informative

    It depends on many factors, including the technology, the density of the part, and the ambient temperature. Years ago I ran some experiments on 128MB SDRAM (not DDR) and found that even at elevated temperatures (60C) the minimum retention time with zero ECC errors (it was ECC memory) was around six seconds.

    I ran those tests because we were using a large chunk of SDRAM (16MB) as a RAM disk to capture log data on an embedded platform. On system failures we had the logs that led to the failure plus a small crash dump to support debugging. The hardware restart cycle was always fast enough to preserve the RAM disk image. I became curious as to how close we were to the edge, so tried a series of experiments, including extracting the blade from the chassis, watching the sweep hand on my watch, and reinserting the blade to let it boot. Even in a temperature chamber (60C is really warm...) the RAM FS was sane after a four second pack pull, allowing about two seconds for the power management to reboot the pack, that gave a six second power off window.

    On reboot, the boot monitor checked the reserved area by clearing the ECC status bits, then reading the entire reserved block, which would trigger ECC counters in the memory controller if there were flipped bits. If there were any (even one) ECC counts, it zeroed the block, triggering the kernel to rebuild an empty file system.

    So there is my experience on DRAM data retention in power off situations. YMMV.

    If someone would like to try this with DDR2 or DDR3 with ECC, it would be interesting to see your results. I have DDR2/ECC blades coming on line now, if I get ahead of my work, I may recreate this test and post back the results. Given my current calendar, it will be a while (months).

    PS: Under normal room temp, ~20C, it was very reliable at 16 seconds, and I saw a couple of tests that passed twenty.

  6. DRM attack vector by crow · · Score: 5, Insightful

    While an issue for whole-disk encryption, this is also an issue for DRM. Just flick the power while the interesting media is being decrypted, and even if the OS had been protecting the key in some "safe" location, you can now find it. It might be little more tricky, but if you can pull the RAM on a video game console, you can do the same thing.

  7. Another attack loop-AES thought about ! by this+great+guy · · Score: 5, Interesting

    This is yet another attack that the developer of loop-AES thought about while typically every other disk encryption tool out there is vulnerable. Loop-AES is the 3rd most popular disk encryption tool in Linux. See the KEYSCRUB=y option in its README file:

    If you want to enable AES encryption key scrubbing, specify KEYSCRUB=y on make command line. Loop encryption key scrubbing moves and inverts key bits in kernel RAM so that the thin oxide which forms the storage capacitor dielectric of DRAM cells is not permitted to develop detectable property. For more info, see Peter Gutmann's paper.

    I have used loop-AES as a full disk encryption tool on my laptop for 2+ years. I am glad I took the time to carefully research which tool would the most secure before deploying it ! For example even TrueCrypt and dm-crypt are vulnerable to other (arguably minor) security issues that loop-AES is impervious to: http://article.gmane.org/gmane.linux.cryptography/2321

    Surprisingly, the research paper TFA talks about doesn't even directly mention loop-AES (its name only happens to be in the title of a webpage in the reference section describing a safe suspend/resume setup when using disk encryption).

  8. Sony IBM Cell by epine · · Score: 5, Interesting

    I'm surprised no one has mentioned the Cell processor yet. I guess everyone hates it.

    The first power word that a toddler learns is "mine!" It's the capstone to a complete working vocabulary: mommy, daddy, more, enough, and mine. My laptop, my hardware, my data, my privacy. The word "mine" has a direct bypass to the neurological circuit "you can't make me", which as adults lingers as a deeply-rooted fascination with rubber-hose cryptography, and bravado propositions such as "if the Feds bust through your windows". Wrong answer.

    Let's look at this from Sony's perspective: my media, my hardware, my design, my copyright, my profits. But guess what? They have a small physical access problem. Millions of zit faced kids with access to liquid nitrogen can get their paws inside the PS3.

    This is why an entire SPU is locked down on the PS3 for security / DRM purposes. The SPU contains 256K of SRAM which is carefully guarded. The instruction set is synchronous and deterministic to guard against timing attacks. They were aware of power attacks as well. These can be partially mitigated in software for critical routines by executing non-conditional instruction sequences and then discarding the portions of the computation you didn't want. By design, the SPU doesn't dance on the power line the way most modern speculative out-of-order processors do to begin with. You can't use latency effects, because the local SRAM has constant access time. You can't use contention effects because there aren't any below the level of DMA bursts, which are controlled by a companion processor within the SPU. Plus I think it is possible to schedule SPU-SPU and SPU-memory DMA transfers deterministically, if you really need to. None of this was accidental.

    The hardest part of the problem is bootstrapping the secure SPU with the security kernel. I've forgotten how they went about it. There must be some kind of decrypt key buried in the Cell hardware which functions during initial code upload during processor initialization.

    In the long run it might be an unwinnable battle, but the PS3 certainly has a far better facility to maintain data security in the complete absence of hardware security than your average PC.

    Why can't the average hacker Harry wants to enjoy the same security as Sony/IBM, why can't you achieve this? You've already got the PS3 in your living room. Impediment: the secure system init decrypt key is probably burned into the silicon. It's probably a one-way key, so even if you crack the key, you won't be able to encrypt a replacement block of your own code that matches the decrypt key. But let's suppose you break that too. Problem: Sony knows the decrypt key for the SPU initialization sequence. Game over.

    Let's suppose you figure out how to physically change the silicon with an initialization decrypt code known only to yourself. Congratulations, you now enjoy the same protection for your secrets that Sony enjoys for "Untraceable". In doing so, you have now upgraded yourself to a sufficiently threatening fish to swim in a tank in Syria, where your nervous system will be similarly reconfigured.

    Ew, I feel like I've just written the script for "Adaptation".