Cracking whole-disk crypto by recovering keys from DRAM - after the computer has been turned off! - Adventures in Engineering — LiveJournal
The wanderings of a modern ronin.

Ben Cantrick
  Date: 2008-02-21 12:09
  Subject:   Cracking whole-disk crypto by recovering keys from DRAM - after the computer has been turned off!
  Music:KMFDM - Attak/Reload
  Tags:  metafilter, security

The root of the problem lies in an unexpected property of today’s DRAM memories. Virtually everybody, including experts, will tell you that DRAM contents are lost when you turn off the power. But this isn’t so. Our research shows that data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system. Interestingly, if you cool the DRAM chips, for example by spraying inverted cans of "canned air" dusting spray on them, the chips will retain their contents for much longer. At these temperatures (around -50 °C) you can remove the chips from the computer and let them sit on the table for ten minutes or more, without appreciable loss of data. Then put the chips back into another machine and you can read out their contents.

This is deadly for disk encryption products because they rely on keeping master decryption keys in DRAM. This was thought to be safe because the operating system would keep any malicious programs from accessing the keys in memory, and there was no way to get rid of the operating system without cutting power to the machine, which "everybody knew" would cause the keys to be erased.


http://citp.princeton.edu/memory/

An interesting attack. Who knew DRAM could retain significant information after the computer was turned off?

I can think of a defense that will make this attack much harder. When the computer goes to shutdown, the encryption program commits everything to disk and then over-writes its own memory, including the encryption key(s), with random bits. Now you can dump the DRAM all day and it won't do you any good. You can still defeat this defense by taking a pair of snippers to the power cord, or in the case of a laptop by yanking the battery. The machine will go down without a proper shutdown procedure, and the contents of the DRAM will be (briefly) preserved.

I think it's generally accepted in the computer security community that if an attacker has direct physical access to the hardware, there's pretty much no software defense that will reliably keep them out. This looks like another example of that principle at work.
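The shutdown-time overwrite proposed in the post, sketched in C as an added example that is not part of the original post: it zeroes the key rather than writing random bits (either destroys it) and shows that wiping only the key slot leaves a stray copy recoverable from a memory dump. `key_slot`, `proc_mem` and the function names are hypothetical, and the key is a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32

/* Hypothetical memory layout: key slot plus a scratch buffer that may hold a stray copy. */
struct key_slot { uint8_t bytes[KEY_LEN]; int loaded; };
struct proc_mem { uint8_t pad[64]; struct key_slot slot; uint8_t scratch[128]; };

/* Write through a volatile pointer so the optimizer cannot discard the
 * overwrite as a dead store (a plain memset before exit may be removed). */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Call from every shutdown, sleep and screen-lock hook. */
static void key_unload(struct key_slot *s) { secure_wipe(s, sizeof *s); }

/* Count copies of the key in a region, as a scan of a memory dump would. */
static size_t count_key_copies(const void *mem, size_t n, const uint8_t *key) {
    const uint8_t *m = (const uint8_t *)mem;
    size_t hits = 0;
    for (size_t i = 0; i + KEY_LEN <= n; i++)
        if (memcmp(m + i, key, KEY_LEN) == 0) hits++;
    return hits;
}

/* Load a constructed key, leave one stray copy, unload, report copies remaining. */
static size_t copies_after_unload(int wipe_scratch) {
    struct proc_mem m;
    uint8_t key[KEY_LEN];
    for (int i = 0; i < KEY_LEN; i++) key[i] = (uint8_t)(0xA0 + i);
    memset(&m, 0, sizeof m);
    memcpy(m.slot.bytes, key, KEY_LEN);
    m.slot.loaded = 1;
    memcpy(m.scratch + 8, key, KEY_LEN);   /* stray copy left by earlier processing */
    key_unload(&m.slot);
    if (wipe_scratch) secure_wipe(m.scratch, sizeof m.scratch);
    return count_key_copies(&m, sizeof m, key);
}

int main(void) {
    printf("slot wiped only:      %zu copy left\n", copies_after_unload(0));
    printf("slot + scratch wiped: %zu copies left\n", copies_after_unload(1));
    return 0;
}
```

The wipe only runs when the hook runs, so it does nothing against the abrupt power cut the post describes.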






Alex Belits: iskra
  User: abelits
  Date: 2008-02-22 02:06 (UTC)
  Subject:   (no subject)
"Who knew DRAM could retain significant information after the computer was turned off?"

People who developed a concept of DRAM in the first place? The whole reason behind its design is that it does not require current to store information except for refresh cycles and updates. Even if the retention time was very short, nothing prevents people from running refresh using an independent power source attached to the board.



Ben Cantrick
  User: mackys
  Date: 2008-02-22 02:45 (UTC)
  Subject:   (no subject)
Bad phrasing on my part. I should have said: "who knew that DRAM could retain information for a significant amount of time after the refresh was turned off."



osmium_ocelot
  User: osmium_ocelot
  Date: 2008-02-22 20:04 (UTC)
  Subject:   (no subject)
Okay, please excuse this if it's a dumb idea. I honestly don't know jack squat about my machine at the level programmers have intimate knowledge of. I know how to tear into the guts of Windows with regedit and such, but as far as the electronics and things like logic gates and what bit of data gets transferred through memory how; I'm mostly clueless. That said, encryption keys aren't very big. 5012 bytes would be ridiculously large for an encryption key if I'm not mistaken. So, given their relatively tiny size, why not just store them exclusively in the processor cache? Or does the cache remember things when powered down?



Ben Cantrick
  User: mackys
  Date: 2008-02-22 21:02 (UTC)
  Subject:   (no subject)
As far as I know, the only way to get something into CPU cache in the first place is to write it to main memory. I don't think there's a documented way to put something into cache without putting it into memory on any Intel CPU.

Someone in the Slashdot thread suggested that mobo manufacturers stick a little SRAM onto the mobo, buried inside a glob of epoxy. Then put a big capacitor next to it, so in the event of a power-down it could wipe its own contents with just the little bit of power in the cap.

This approach is all well and good... until the attacker snips the cap off the board and cuts the line that says "the system is powering down" and replaces it with a fake line that keeps saying "the power is on!" even when the computer is off.

Defense, counter-defense, etc. It's an arms race where nobody ever really wins. Once again, the principle holds - if they have direct physical access to the hardware, a software-only solution is not likely to be able to stop them for long.



osmium_ocelot
  User: osmium_ocelot
  Date: 2008-02-23 00:25 (UTC)
  Subject:   (no subject)
I thought of the little chip on the mobo too, and then the immediate counter attack came to mind; which is why I thought of absconding with a little bit of the CPU cache. I thought if you could store the key there, it'd make a counter attack much more difficult, simply because it's so often such a bitch to get a processor off the board, and it'll stay hot longer, so if it worked like DRAM the information should degrade too fast to catch. That was the theory anyway.

Maybe the mobo manufacturers could make a direct line to the cache instead of having to go through the DRAM?

Oh, but then you just tap into that line to read the cache.

Oh well. Heckuva problem.

Of course, for most people, they'll never have to worry about their system being seized or ripped out of their hands, just stolen. So full disc encryption is still a good solution. Governments and militaries (possibly large corporations as well) OTOH have to worry about this kind of attack.



Ben Cantrick
  User: mackys
  Date: 2008-02-23 07:23 (UTC)
  Subject:   (no subject)
I think arranging for software to over-write the key in memory upon shutdown, sleep, or when the screen is locked should take care of about 90% of cases.

Probably still not good enough for the military or diplomats though. Those guys need to go the "thermite ignites and slags hard drive and RAM when case is opened" route.



osmium_ocelot
  User: osmium_ocelot
  Date: 2008-02-23 13:31 (UTC)
  Subject:   (no subject)
agreed.



