Our research on cold boot attacks on disk encryption has generated lots of interesting discussion. A few misconceptions seem to be floating around, though. I want to address one of them today.
As we explain in our paper, laptops are vulnerable when they are “sleeping” or (usually) “hibernating”. Frequently used laptops are almost always in these states when they’re not in active use – when you just close the lid on your laptop and it quiets down, it’s probably sleeping.
When a laptop goes to sleep, all of the data that was in memory stays there, but the rest of the system is shut down. When you re-open the lid of the laptop, the rest of the system is activated, and the system goes on running, using the same memory contents as before. (Hibernating is similar, but the contents of memory are copied off to the hard drive instead, then brought back from the hard drive when you re-awaken the machine.) People put their laptops to sleep, rather than shutting them down entirely, because a sleeping machine can wake up in seconds with all of the programs still running, while a fully shut-down machine will take minutes to reboot.
Now suppose an attacker gets hold of your laptop while it is sleeping, and suppose the laptop is using disk encryption. The attacker can take the laptop back to his lair, and then open the lid. The machine will reawaken, with the same information in memory that was there when you put the machine to sleep – and that information includes the secret key that is used to encrypt the files on your hard disk. The machine may be screen-locked – that is, it may require entry of your password before you can interact with the desktop – but the attacker won’t care. All he cares about is that the encryption key is in memory.
The attacker will then insert a special thumb drive into the laptop, yank out the laptop’s battery, quickly replace the battery, and push the power button to reboot the laptop. The encryption key will still be in memory – the memory will not have lost its contents because the laptop was without power only momentarily while the battery was out. It doesn’t matter how long the laptop takes to reboot, because the memory contents are fading only momentarily while the battery is out. When the laptop boots, software from the thumb drive will read the contents of memory, find the secret encryption key, and proceed to unlock the encrypted files on your hard drive.
In short, the adversary doesn’t need to capture your laptop while the laptop is open and in active use. All he needs is to get your laptop while it is sleeping – which it is probably doing most of the time.
The most practical solution to the problem isn’t always a technological one. Technology is fantastic, but it has limits. The most _reliable_ way of denying an attacker access to the security keys in the memory of a sleeping laptop is to physically secure that laptop. An attacker can’t copy what they can’t get access to.
I hear lots of arguments insisting technological solutions are necessary, with scenarios given ranging from plausible to absurd. In the end, the fact remains that security is a three-legged stool and technology is but one of those legs. Operational and physical security are equally important — remove any one leg and the stool becomes useless.
We’ll continue to hear of new breaches and exploits unless and until we get serious about spending as much time, money, and energy on the other legs of the stool as we do on technology…
Actually, if you hibernate your machine AND you’re using some full disk encryption solution which provides pre-boot authentication, you are not going to be vulnerable to this attack – this attack’s only valid after hibernation if the machine can boot itself (like Bitlocker TPM Mode) – if authentication is required, the key gets flushed on hibernate and is not in the RAM waiting to be discovered, and can’t get back into the RAM until a user enters their password (or other auth details).
Of course, if your disk encryption product doesn’t use authentication, then you are open to this attack.
Crosbie Fitch asked about the BIOS resetting the RAM on boot. My Thinkpad T42p still has an extended memory check option in the BIOS, which does zero all memory. The check seems to take almost no time, certainly less than a second. Enabling the extended memory check prevents an attack where you boot off a thumb drive, but not where you remove the RAM from the system.
@Strontium
So what sort of interrupt will trigger when someone just turns the sleeping laptop over and yanks out the memory module so they can drop it into their handy portable reader device?
This is bad PC hardware and/or Operating system design. When a computer powers down, the capacitors will keep the computer running for a few microseconds. Embedded systems often employ a Power Fail Interrupt (PFI) that can be generated by hardware very easily and cheaply. The easiest solution is to trap the PFI and wipe the keys in memory, before full power fail happens (a few microseconds later). A few microseconds is an eon for a modern CPU and would be ample time to scrub the keys (not all of memory, just the keys). If PC Hardware has the PFI it’s bad software or OS design for not trapping it and doing the right thing. If the hardware doesn’t have a PFI then it’s a retarded hardware design.
Security requires that keys be wiped from memory upon suspend/hibernate. Even if the BIOS would clear all RAM on startup, a skilled attacker would be able to replace the BIOS while the system was asleep. By contrast, if encryption keys are wiped from memory before the system sleeps, they’ll be 100% gone immediately. DRAM retention time would not be a factor in such a case.
The logical strategy to me would be to wipe encryption keys from memory on suspend and regenerate or decrypt the keys upon resume using the user’s password the same way the keys are generated or decrypted on boot or mount. I’m a little surprised that the OS-integrated disk encryption products do not do this.
Obviously this is no barrier to the attack on a live machine with keys in memory or in use, but a suspend is, vis-a-vis security requirements, exactly analogous to a shutdown: the machine has no further use for the keys until it sees the password again.
In fact, I recently stumbled across the following pages regarding a FreeBSD developer’s recognition and correction of the issue via suspend and resume scripts. I assumed this was already the case in other OSs with older disk encryption systems:
http://blogs.freebsdish.org/pjd/2007/09/28/geli-suspendresume/
http://unix.derkeiler.com/Mailing-Lists/FreeBSD/hackers/2008-02/msg00425.html
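The wipe-on-suspend strategy from the comment above, as an added example (it is not part of the original discussion and is not code from GELI or any disk encryption product). `VolumeKeyHolder`, the PBKDF2 parameters and the XOR-plus-HMAC wrapping are assumptions made for this sketch; a real system would use a standard key-wrap and do the wipe in the kernel or driver.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch


def _derive(password: str, salt: bytes) -> bytes:
    # 64 bytes: the first 32 mask the volume key, the last 32 key the tag.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               ITERATIONS, dklen=64)


class VolumeKeyHolder:
    """Hypothetical holder for a disk-encryption volume key."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        # bytearray is mutable, so it can be overwritten in place later.
        self._key = bytearray(os.urandom(32))
        kek = _derive(password, self.salt)
        # Wrapped copy is safe to keep in RAM or on disk across a suspend.
        self.wrapped = bytes(a ^ b for a, b in zip(self._key, kek[:32]))
        self.tag = hmac.new(kek[32:], self.wrapped, hashlib.sha256).digest()

    def suspend(self) -> None:
        # Overwrite the plaintext key before the machine sleeps. Python may
        # hold other transient copies; native code would use a wipe the
        # compiler cannot optimise away.
        for i in range(len(self._key)):
            self._key[i] = 0

    def resume(self, password: str) -> bool:
        # The key only returns to memory after the password is re-entered.
        kek = _derive(password, self.salt)
        tag = hmac.new(kek[32:], self.wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.tag):
            return False  # wrong password: key stays wiped
        self._key[:] = bytes(a ^ b for a, b in zip(self.wrapped, kek[:32]))
        return True


if __name__ == "__main__":
    holder = VolumeKeyHolder("constructed sample passphrase")
    holder.suspend()
    print("key wiped:", bytes(holder._key) == bytes(32))
    print("wrong password accepted:", holder.resume("guess"))
    print("right password accepted:",
          holder.resume("constructed sample passphrase"))
```

Between `suspend()` and a successful `resume()`, memory holds only the salt, the wrapped key and the tag, so a memory image taken in that window yields material that is no easier to attack than the on-disk key slot.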
If you put a BIOS level password into your laptop (at least with Toshiba BIOS) then you have to go through that password prompt when waking up out of suspend. The attacker can cold boot with a USB drive if they like but they just meet the same BIOS password prompt anyhow on the reboot.
From memory, the first chunk of RAM is soldered onto the main board (128M or something like that). Then the expansion RAM is in a removable module. If you had some portable RAM module reader then you would probably get some data that way.
Most PC BIOS has a “slow” RAM test mode and a “fast” RAM test mode. I’m pretty sure that neither of them wipes all the RAM but at least the slow test might be a bit better for those who are worried… still doesn’t protect against the portable RAM module reader.
I imagine that the best method when going to sleep would be:
* Pick a random number
* Encrypt the critical chunks of system memory with this number
* Keep the magic number in a CPU register
* Keep a CRC in another CPU register
* sleep
* wake
* decrypt the critical chunks of system memory
* Check against the CRC just in case
Probably a 32 bit number (one regulation PC register) would be fine and a simple symmetric encryption algorithm should exist such that the number never needs to leave the CPU at all. With luck, a few bits would flip when transplanting memory modules and the chunk would never decrypt correctly. The bigger the chunk, the more likely it will be impossible to decrypt but also the slower it takes to go into suspend.
If the laptop hibernates, is the hiberfile encrypted? If not, just remove the drive from the hibernated laptop, put in another computer, copy the hiberfile, and find the key?
“When a laptop goes to sleep, all of the data that was in memory stays there, but the rest of the system is shut down”
Wouldn’t a hard reset be more straightforward than yanking the battery? Then the retention characteristics of the RAM wouldn’t even matter. Sure you’d have to figure out where the button was (usually behind a paperclip hole); but anyone who’s enough into it to have put together the other tools, surely wouldn’t sweat downloading the manual.
A BIOS boot password should help, but there’s usually a jumper to reset the BIOS and thus bypass this.
A ‘secure’ BIOS would always reset RAM on boot (not user configurable).
Even so, these things are just hassle hurdles to make things expensive for the back street cracker.
The other solution would be to simply disable sleep/hibernate, and have the lid closure sound an alarm if a safe shutdown cannot be quickly assured.
Won’t startup BIOS passwords address this? If the attacker pulls the power and forces a reboot of the laptop, and the laptop prompts for a BIOS password (we actually ask for two – BIOS & harddrive), the USB thumbdrive can’t boot.
Paul, you don’t reset on wakeup, you reset on boot (from USB, etc.).
Resetting on boot/wakeup won’t do anything for you. You have to wipe the information out of RAM on the way into sleep.
Anybody know if any of the hardware crypto accelerators would help here? Do they have “write only” registers that you can initialise with the key and then wipe the key from RAM and only refer to it by register address? I could see how you could make this work, I just don’t know if the required feature set exists on any of the existing chips. It would not eliminate the problem, but it could up the complexity of the attack to make it infeasible for anyone that is not well funded.
-stacy
Well, swapping firmware is slightly more hassle than inserting a USB plug…
Ok, BIOS on ‘secure’ laptops should also have a dead man’s switch to the RAM.
BIOS on ‘secure’ laptops should then reset all memory on boot.
Didn’t some computers used to do this? Maybe it was fast on 64K RAM, but too slow on 2G?
My laptop requires a password to change the boot disk; however that is not enough to thwart the attack – it just means the attacker has to open the case and either wipe out the firmware lock or transfer the RAM to a machine the attacker controls.
Some notebooks support hard disk access password protection – I don’t know how strong such protection is.
After closing the lid and reopening it, I have to type in that password again. In case I used hibernating to an encrypted disk instead of sleep mode with this, would that help any?
Even if the laptop hibernates, it’s not particularly secure. The scenario plays out in pretty much the exact same way: attacker takes away laptop, attacker powers up laptop, OS pages everything into RAM (including keys), pow.
This can be made more secure by having the OS ask for some credentials when resuming hibernation *before* paging everything back in… but that’s a big change. I think that was mentioned in the original paper, anyway.