Abstract
Contrary to widespread assumption, dynamic RAM (DRAM), the main memory in most modern computers, retains its contents for several seconds after power is lost, even at room temperature and even if removed from a motherboard. Although DRAM becomes less reliable when it is not refreshed, it is not immediately erased, and its contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access to a machine. It poses a particular threat to laptop users who rely on disk encryption: we demonstrate that it could be used to compromise several popular disk encryption products without the need for any special devices or materials. We experimentally characterize the extent and predictability of memory retention and report that remanence times can be increased dramatically with simple cooling techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for mitigating these risks, we know of no simple remedy that would eliminate them.
- Arbaugh, W., Farber, D., Smith, J. A secure and reliable bootstrap architecture. In Proceedings of the IEEE Symposium on Security and Privacy (May 1997), 65--71. Google ScholarDigital Library
- Boyen, X. Halting password puzzles: Hard-to-break encryption from human-memorable keys. In Proceedings of the 16th USENIX Security Symposium (August 2008). Google ScholarDigital Library
- Canetti, R., Dodis, Y., Halevi, S., Kushilevitz, E., Sahai, A. Exposure-resilient functions and all-or-nothing transforms. In EUROCRYPT2000, volume 1807/2000 (2000), 453--469. Google ScholarDigital Library
- Chan, E.M., Carlyle, J.C., David, F.M., Farivar, R., Campbell, R.H. Bootjacker: Compromising computers using forced restarts. In Proceedings of the 15th ACM Conference on Computer and Communications Security (October 2008), 555--564. Google ScholarDigital Library
- Chow, J., Pfaff, B., Garfinkel, T., Rosenblum, M. Shredding your garbage: Reducing data lifetime through secure deallocation. In Proceedings of the 14th USENIX Security Symposium (August 2005). 331--346. Google ScholarDigital Library
- Dwoskin, J., Lee, R.B. Hardware-rooted trust for secure key management and transient trust. In Proceedings of the 14th ACM Conference on Computer and Communications Security (October 2007), 389--400. Google ScholarDigital Library
- Dyer, J.G., Lindemann, M., Perez, R., Sailer, R., van Doorn, L, Smith, S.W., Weingart, S. Building the IBM 4758 secure coprocessor. Computer 34 (Oct. 2001), 57--66. Google ScholarDigital Library
- Ferguson, N.AES-CBC +Elephant diffuser: A disk encryption algorithm for Windows Vista, (August 2006).Google Scholar
- Gutmann, P. Secure deletion of data from magnetic and solid-state memory. In Proceedings of the 6th USENIX Security Symposium (July 1996), 77--90. Google ScholarDigital Library
- Gutmann, P. Data remanence in semiconductor devices. In Proceedings of the 10th USENIX Security Symposium (August 2001). 39--54. Google ScholarDigital Library
- Heninger, N., Shacham, H. Improved RSA private key reconstruction for cold boot attacks. Cryptology ePrint Archive, Report 2008/510, December 2008.Google Scholar
- Lie, D., Thekkath, C.A., Mitchell, M., Lincoln, P., Boneh, D., Mitchell, J., Horowitz, M. Architectural support for copy and tamper resistant software. In Symposium on Architectural Support for Programming Languages and Operating Systems (2000). Google ScholarDigital Library
- Link, W., May, H. Eigenschaften von MOS-Ein-Transistorspeicherzellen bei tiefen Temperaturen. Archiv für Etektronik und Übertragungstechnik 33 (June 1979), 229--235.Google Scholar
- MacIver, D. Penetration testing Windows Vista BitLocker drive encryption. Presentation, Hack In The Box (September 2006).Google Scholar
- Pettersson, T. Cryptographic key recovery from Linux memory dumps. Presentation, Chaos Communication Camp (August 2007).Google Scholar
- Shamir, A., van Someren, N. Playing "hide and seek" with stored keys. LNCS 1648 (1999), 118--124. Google ScholarDigital Library
- Skorobogatov, S. Low-temperature data remanence in static RAM. University of Cambridge Computer Laborary Technical Report 536, June 2002.Google Scholar
- Weinmann, R.-R, Appelbaum, J. Unlocking FileVault. Presentation, 23rd Chaos Communication Congress, December 2006.Google Scholar
Index Terms
- Lest we remember: cold-boot attacks on encryption keys
Recommendations
Lest we remember: cold boot attacks on encryption keys
SS'08: Proceedings of the 17th conference on Security symposiumContrary to popular assumption, DRAMs used in most modern computers retain their contents for several seconds after power is lost, even at room temperature and even if removed from a motherboard. Although DRAMs become less reliable when they are not ...
Lest we forget
As hard disk encryption, RAM disks, persistent data avoidance technology and memory-only malware become more widespread, memory analysis becomes more important. Cold-boot attacks are a software-independent method for such memory acquisition. However, on ...
Comments