Thursday, February 21, 2008

Clever exploit of DRAM to attack disk encryption

Security guru Ed Felten posts about "Cold Boot Attacks on Disk Encryption", a sideways attack on BitLocker, FileVault, and other disk encryption programs.

Some excerpts from his post:
The root of the problem lies in an unexpected property of today's DRAM memories ... Virtually everybody, including experts, will tell you that DRAM contents are lost when you turn off the power. But this isn't so.

Our research shows that data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system ... If you cool the DRAM chips, for example by spraying inverted cans of "canned air" dusting spray on them, the chips will retain their contents for much longer.

This is deadly for disk encryption products because they rely on keeping master decryption keys in DRAM. This was thought to be safe because the operating system would keep any malicious programs from accessing the keys in memory, and there was no way to get rid of the operating system without cutting power to the machine, which "everybody knew" would cause the keys to be erased.

Our results show that an attacker can cut power to the computer, then power it back up and boot a malicious operating system (from, say, a thumb drive) that copies the contents of memory ... search through the captured memory contents, find any crypto keys that might be there, and use them to start decrypting hard disk contents.

There seems to be no easy fix for these problems. Fundamentally, disk encryption programs now have nowhere safe to store their keys.

Awesomely clever. Ed links to more details.

Update: In a second post, Ed discusses how easy it is to attack laptops when they are in sleep mode.
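To make the "nowhere safe to store their keys" point concrete, here is an added example (my own code, not anything from Ed's post or from the paper). It models what an AES-128 disk-encryption key actually looks like once a driver has loaded it: not just 16 bytes, but a 176-byte expanded key schedule sitting next to it. The RAM image, the offsets and the helper names (place_key_material, scrub, round_keys_present, demo) are my constructions; the key is the FIPS-197 test key, used so the expansion can be checked against the published vectors. The lesson for a defender is the middle number the demo returns: zeroing only the raw key slot before suspend leaves every round key, including round 0 (the key itself), recoverable from the schedule copy.

```python
# Added example (not from Ed Felten's post or the cold-boot paper): a model of the
# RAM footprint an AES-128 disk-encryption key leaves behind, and why scrubbing only
# the raw key slot before suspend is not enough. Helper names and offsets are mine.


def _build_sbox():
    """Generate the AES S-box (FIPS-197) from the GF(2^8) inverse plus the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        # p walks every non-zero field element as successive powers of 3
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        # q tracks the inverse of p (dividing by 3 == multiplying by 0xF6)
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        # affine transform: q XOR its rotations by 1..4 bits, XOR 0x63
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)
        sbox[p] = ((x ^ (x >> 8)) & 0xFF) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; the constant term is its image
    return sbox


SBOX = _build_sbox()

# FIPS-197 Appendix A.1 key, chosen so the schedule can be checked against the spec
FIPS197_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def expand_key(key: bytes) -> bytes:
    """AES-128 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = t[1:] + t[:1]                 # RotWord
            t = [SBOX[b] for b in t]          # SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ (0x1B if rcon & 0x80 else 0)) & 0xFF
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


def place_key_material(ram: bytearray, offset: int, key: bytes):
    """Constructed model of a driver holding a key and its expanded schedule in RAM.

    Returns the (offset, length) regions that contain secret material."""
    schedule = expand_key(key)
    ram[offset:offset + 16] = key
    ram[offset + 64:offset + 64 + len(schedule)] = schedule
    return [(offset, 16), (offset + 64, len(schedule))]


def scrub(ram: bytearray, regions) -> None:
    """Overwrite the given regions with zeros (what a driver should do before suspend)."""
    for off, n in regions:
        ram[off:off + n] = bytes(n)


def round_keys_present(ram: bytearray, key: bytes) -> int:
    """How many of the 11 round keys derived from key still appear anywhere in ram."""
    schedule = expand_key(key)
    return sum(1 for r in range(11) if schedule[16 * r:16 * (r + 1)] in ram)


def demo(key: bytes = FIPS197_KEY):
    """Returns (before scrub, after scrubbing only the key slot, after full scrub)."""
    ram = bytearray(4096)  # constructed stand-in for a DRAM image
    regions = place_key_material(ram, 1024, key)
    before = round_keys_present(ram, key)
    scrub(ram, regions[:1])        # zero just the 16-byte raw key slot
    key_slot_only = round_keys_present(ram, key)
    scrub(ram, regions)            # zero everything the driver wrote
    after = round_keys_present(ram, key)
    return before, key_slot_only, after


if __name__ == "__main__":
    print("round keys findable (before, key slot only, full scrub):", demo())
```

Run it and the middle figure stays at 11: the schedule region still holds round key 0, which is the master key byte for byte. Any "clear the key on sleep" mitigation has to track every derived copy the driver made, which is exactly why Ed calls this hard rather than merely unfixed.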

1 comment:

Anonymous said...

Well, clever I guess. Remanence attacks are nothing new. Remember the guys who broke smart cards by reading the electrical signals on the case?

Many crypto manufacturers warned about this in the docs already. It's the people who thought they had a security silver-bullet who were the most surprised.