
Cold Boot Attacks on Hard Drive Encryption

Seth Schoen
Electronic Frontier Foundation
LinuxWorld Conference and Expo 2008
San Francisco, California
http://citp.princeton.edu/memory/

Our team and academic paper


J. Alex Halderman (Princeton)
Seth D. Schoen (Electronic Frontier Foundation)
Nadia Heninger (Princeton)
William Clarkson (Princeton)
William Paul (Wind River Systems)
Joseph A. Calandrino (Princeton)
Ariel J. Feldman (Princeton)
Jacob Appelbaum
Edward W. Felten (Princeton)

Our team and academic paper

Lest We Remember: Cold Boot Attacks on Encryption Keys (in Proceedings of the 17th USENIX Security Symposium, San Jose, CA, 2008)
Home page: http://citp.princeton.edu/memory/ (including PDF of paper, video, images, and source code)

Misperceptions of RAM volatility

DRAM is supposed to be refreshed in order to be reliable
DRAM under refresh has extremely low probability of uncommanded bit flips...
DRAM without refresh has a noticeable probability of experiencing uncommanded bit flips over time, but probability of such flips after many seconds is nowhere near certainty
Yet we sometimes wrongly speak as though RAM were designed to clear itself on power loss

DRAMs and SRAMs


SRAMs are like flip-flops
DRAMs are like capacitors
SRAMs are faster, DRAMs are cheaper
Both retain some data without power at room temperature; both retain more data longer at lower temperatures (cf. Skorobogatov)
DRAMs typically used for PC main memory
There are also long-term burn-in effects (cf. Gutmann); this research is not about those

Shredding Your Garbage

Chow et al., Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation (in Proc. 14th USENIX Security Symposium, Baltimore)
Tried to measure how long disused data structures typically persisted in memory
Accidentally found intact data structures in RAM from previous system boots (!?!?)
Torbjörn Pettersson: this could be a means of acquiring forensic memory images

Hardware people know this...

E.g., Link & May (1979) (early commercial DRAM availability) does low-temperature (LN2) tests with no power, finds week-long retention!
Typically considered a feature (low temperatures increase reliability, high temperatures decrease it) common to many logic devices, not a security problem
Software people are often unaware of the physical characteristics of devices they use!

They don't break the abstractions

Cold boot attack

Deliberately crash a PC with interesting data in RAM; then restore power to RAM and dump its contents to a permanent storage medium

Or wake up sleeping/hibernated laptop (to a password prompt), then crash it and dump RAM

Operating system memory protection policies are bypassed because operating system is no longer running (nor can OS clear RAM!)
Nearly complete state of previously-running system is available; passwords not required

Our attacks

Tools to dump memory after a reboot

USB stick (or external hard drive or iPod)
Network boot (e.g. PXE)

Very tiny dumping application (< 10K)
Dump onto same medium

Our attacks

Optional cooling with canned air spray (tetrafluoroethane) or liquid nitrogen

Canned air may achieve temperatures around −50 °C
Invert can when discharging (caution!)

Our attacks

New cryptographic techniques to detect key schedules automatically and correct bit errors

Previous techniques for finding private key material in memory didn't work well for us, especially in the presence of bit errors

Source code for this and associated memory dumpers is now available at http://citp.princeton.edu/memory/code/
Implementations of decryption for particular disk encryption systems

More on memory dumpers


Small programs that run with no OS
Memory footprint just a few KB

Bill Paul implemented them in assembly and C

Can be booted from USB or network (e.g. PXE)
Save entire contents of RAM to same medium
Leave no trace behind on target machine
A proof of concept; other vectors are possible

More on cooling

Typically not required on most hardware

Most relevant if RAM must be removed: if target machine has a policy preventing booting from external media without a password or if BIOS clears RAM on boot (e.g. ECC)

Cooling with canned air produces extremely low temperatures and good retention times
RAM could be unpowered, even when removed from the computer, for over a minute with minimal loss of data: sufficient time to transfer to another machine

When is cooling necessary?

In our experience, cooling was never necessary except when RAM chips had to be physically removed from a PC
Just restarting laptops at room temperature never caused enough data loss to prevent reconstruction of keys in our experiments
Chips can be removed if BIOS is unfriendly

If BIOS clears RAM or prevents memory dumping
In our experiments, canned air was always sufficient for this; liquid nitrogen was never needed

More on correcting bit errors

Cryptographic keys are intended to be random; even a few bit errors could make them useless
But in practice, keys actively being used are stored in memory in usefully redundant ways
These redundancies can be used to find keys

Often without prior knowledge of software

And also to correct bit errors
A variety of powerful, practical mathematical techniques developed by Nadia Heninger
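The redundancy these slides refer to, shown for AES-128 as an added example (not the authors' released code): every word of an expanded key is determined by the words before it, so a scanner can test each 176-byte window of a memory image for self-consistency and tolerate a few decayed bits. A check like this can confirm whether an image captured after screen lock or suspend still holds an expanded key. The key is the FIPS-197 test key; the image, its filler bytes, the three flipped bits and the 20-bit threshold are constructed assumptions.

```python
# Added example: the key, memory image and error threshold are constructed.
def _make_sbox():
    """Build the AES S-box from GF(2^8) inverses plus the affine map."""
    sbox, p, q = [0x63] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        for s in (1, 2, 4):                                     # q /= 3
            q = (q ^ (q << s)) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        x = q | (q << 8)  # lets right shifts act as 8-bit left rotations
        sbox[p] = (x ^ (x >> 4) ^ (x >> 5) ^ (x >> 6) ^ (x >> 7)) & 0xFF ^ 0x63
        if p == 1:
            return sbox

SBOX = _make_sbox()
RCON = (1, 2, 4, 8, 16, 32, 64, 128, 27, 54)

def predict_word(sched, i):
    """4-byte word at byte offset i, derived from the words before it (AES-128)."""
    t = sched[i - 4:i]
    if i % 16 == 0:  # first word of a round key: RotWord, SubWord, Rcon
        t = bytes([SBOX[t[1]] ^ RCON[i // 16 - 1], SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]])
    return bytes(a ^ b for a, b in zip(sched[i - 16:i - 12], t))

def expand_key(key):
    ks = bytearray(key)
    for i in range(16, 176, 4):
        ks += predict_word(ks, i)
    return bytes(ks)

def schedule_distance(window):
    """Bits by which a 176-byte window deviates from a self-consistent schedule."""
    return sum(bin(a ^ b).count("1")
               for i in range(16, 176, 4)
               for a, b in zip(predict_word(window, i), window[i:i + 4]))

def find_key_schedules(image, max_bit_errors=20):
    dists = ((o, schedule_distance(image[o:o + 176])) for o in range(len(image) - 175))
    return [(o, d) for o, d in dists if d <= max_bit_errors]

def build_sample_image():
    """Constructed image: filler, a schedule with three decayed bits, filler."""
    sched = bytearray(expand_key(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")))
    for pos, bit in ((20, 0x01), (70, 0x10), (150, 0x80)):
        sched[pos] ^= bit
    return b"\xa5" * 64 + bytes(sched) + b"\xa5" * 64

if __name__ == "__main__":
    print(find_key_schedules(build_sample_image()))
```

Each flipped bit shows up in three predictions (its own word and the two later words derived from it), which is why the damaged schedule still scores far below unrelated data.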

Successful attacks against...


Hardware attacks work on all operating systems
BitLocker in basic mode

Even fully at rest with computer powered off!
In typical scenarios where computer was running, sleeping, or hibernating
In particular, attackers can bypass locked screen or login prompt

FileVault, dm-crypt, TrueCrypt, Loop-AES

Other systems probably vulnerable too

Our attacks are practical

Fully automated attack on BitLocker basic mode via live CD (because of BitLocker basic mode's trust in the TPM, this attack does not even require that laptop was powered on)
Automated RAM dumpers run via USB stick or network boot; we even demonstrated using an innocuous-looking iPod as an attack vector
Some laptops will not require any cooling; for cooling, canned air spray was always sufficient (liquid nitrogen never required)

Threat models

Some people suggest that our attack doesn't count because hard drive encryption isn't supposed to protect against attackers with physical access to laptops

Microsoft suggests attack is already documented

But why do users encrypt laptop hard drives?
If RAM were really volatile, users with suspended/hibernated laptops and full-disk encryption would be safe, and they probably believe they are safe

Countermeasures

Inconvenient but helpful:

Turn laptops all the way off when they could be out of your control (left unattended in public, while traveling)
Require a password to boot external media (but simply moving chips into another machine still works unless your DRAMs are non-removable)

Destroy all key material at screen lock or screensaver activation, suspend, hibernate

This could require significant software changes; also, user would have to re-authenticate on return

Countermeasures

ECC RAM is cleared at boot time

Harder to attack with off-the-shelf PCs, but probably easier to attack with specialized hardware or BIOS

There is also room for research on different representations of key material in RAM (e.g. exposure-resistant functions, modified key schedules)
Not a countermeasure: locating keys in low memory can't protect against removing RAM; cf. http://www.coreboot.org/Coreinfo BIOS image

Conclusions

Many recent security attacks exploit physical hardware properties that users and developers may be unaware of to break abstractions
Emanations security examples: CRTs (and all digital hardware) are radio transmitters on (at least) the refresh/clock frequencies they use internally; recent attacks on light and sound emitted by CRTs, LCDs, and keyboards (perhaps akin to research in natural sciences)
Security and privacy are pretty hard!

Thanks
Seth Schoen schoen@eff.org
9B36 BCFA 4DE0 8ADE 8A17 D091 56B0 315F 0167 CA38

Please support EFF! http://www.eff.org/ http://citp.princeton.edu/memory/
