Cold boot attack
In
An attacker with physical access to a running computer typically executes a cold boot attack by
Technical details
Attackers execute cold boot attacks by forcefully and abruptly rebooting a target machine and then booting a pre-installed operating system from a
A similar kind of attack can also be used to extract data from memory, such as a
Uses
Cold boot attacks are typically used for digital forensic investigations, malicious purposes such as theft, and data recovery.[3]
Digital forensics
In certain cases, a cold boot attack is used in the discipline of
Malicious intent
A cold boot attack may be used by attackers to gain access to encrypted information such as financial information or trade secrets for malicious intent.[10]
Circumventing full disk encryption
A common purpose of cold boot attacks is to circumvent software-based disk encryption. Cold boot attacks when used in conjunction with
In the case of disk encryption applications that can be configured to allow the operating system to boot without a pre-
BitLocker
Mitigation
Since a
Register-based key storage
One solution for keeping encryption keys out of memory is register-based key storage. Implementations of this solution are
There are two potential areas in modern x86 processors for storing keys: the SSE registers, which could in effect be made privileged by disabling all SSE instructions (and necessarily, any programs relying on them), and the debug registers, which were much smaller but had no such issues.
A
Cache-based key storage
"Frozen cache" (sometimes known as "cache as RAM"),
A similar cache-based solution was proposed by Guan et al. (2015)[18] by employing the WB (Write-Back) cache mode to keep data in caches, reducing the computation times of public key algorithms.
Mimosa[19], in IEEE S&P 2015, presented a more practical solution for protecting public-key cryptographic computations against cold boot attacks and DMA attacks. It employs hardware transactional memory (HTM), which was originally proposed as a speculative memory access mechanism to boost the performance of multi-threaded applications. The strong atomicity guarantee provided by HTM is used to defeat illegal concurrent accesses to the memory space that contains sensitive data. The RSA private key is encrypted in memory by an AES key that is protected by TRESOR. On request, an RSA private-key computation is conducted within an HTM transaction: the private key is first decrypted into memory, and then RSA decryption or signing is conducted. Because a plaintext RSA private key only appears as modified data in an HTM transaction, any read operation on this data will abort the transaction, which then rolls back to its initial state. In that initial state the RSA private key is encrypted; the plaintext key exists only as the result of write operations (the AES decryption). HTM is currently implemented in caches or store buffers, both of which are located in CPUs, not in external RAM chips, so cold boot attacks are prevented. Mimosa defends against attacks that attempt to read sensitive data from memory (including cold boot attacks, DMA attacks, and other software attacks), and it introduces only a small performance overhead.
Dismounting encrypted disks
Best practice recommends dismounting any encrypted, non-system disks when not in use, since most disk encryption software is designed to securely erase keys cached in memory after use.[20] This reduces the risk of an attacker being able to salvage encryption keys from memory by executing a cold boot attack. To minimize access to encrypted information on the operating system hard disk, the machine should be completely shut down when not in use to reduce the likelihood of a successful cold boot attack.[2][21] However, data may remain readable from tens of seconds to several minutes depending upon the physical RAM device in the machine, potentially allowing some data to be retrieved from memory by an attacker. Configuring an operating system to shut down or hibernate when unused, instead of using sleep mode, can help mitigate the risk of a successful cold boot attack.
Effective countermeasures
Preventing physical access
Typically, a cold boot attack can be prevented by limiting an attacker's
Full memory encryption
Encrypting random-access memory (RAM) mitigates the possibility of an attacker being able to obtain encryption keys or other material from memory via a cold boot attack. This approach may require changes to the operating system, applications, or hardware. One example of hardware-based memory encryption was implemented in the Microsoft Xbox.[23] Implementations on newer x86-64 hardware are available from AMD and on Intel Willow Cove and newer.
Software-based full memory encryption is similar to CPU-based key storage since key material is never exposed to memory, but is more comprehensive since all memory contents are encrypted. In general, only immediate pages are decrypted and read on the fly by the operating system.[24] Implementations of software-based memory encryption solutions include a commercial product from PrivateCore[25][26][27] and RamCrypt, a kernel patch for the Linux kernel that encrypts data in memory and stores the encryption key in the CPU registers in a manner similar to TRESOR.[12][24]
Since version 1.24, VeraCrypt supports RAM encryption for keys and passwords.[28]
More recently, several papers have been published highlighting the availability of security-enhanced x86 and ARM commodity processors.[29][30] In that work, an ARM Cortex A8 processor is used as the substrate on which a full memory encryption solution is built. Process segments (for example, stack, code or heap) can be encrypted individually or in composition. This work marks the first full memory encryption implementation on a general-purpose commodity processor. The system provides both confidentiality and integrity protections of code and data which are encrypted everywhere outside the CPU boundary.
Secure erasure of memory
Since cold boot attacks target unencrypted random-access memory, one solution is to erase sensitive data from memory when it is no longer in use. The "TCG Platform Reset Attack Mitigation Specification",[31] an industry response to this specific attack, forces the BIOS to overwrite memory during POST if the operating system was not shut down cleanly. However, this measure can still be circumvented by removing the memory module from the system and reading it back on another system under the attacker's control that does not support these measures.[2]
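Application-level erasure of the kind the first sentence above describes, as an added example (not code from the article or from any project it cites): a key is held in its own locked mapping and zeroed before the memory is released. The `keybuf` type and all function names are illustrative, and a POSIX system with `mmap` and `mlock` is assumed.

```c
/* Added example, not from the original article; all names are illustrative. */
#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef struct { uint8_t *buf; size_t len, maplen; } keybuf;

/* Zero through a volatile pointer so the compiler cannot remove the
 * stores as dead writes when the buffer is never read again. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Give the key its own anonymous mapping: no stale heap copies left by
 * realloc, and mlock (best effort) keeps it from being written to swap. */
static int keybuf_alloc(keybuf *k, size_t len) {
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0 || len == 0) return -1;
    size_t maplen = (len + (size_t)pg - 1) / (size_t)pg * (size_t)pg;
    void *m = mmap(NULL, maplen, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    (void)mlock(m, maplen);
    k->buf = m; k->len = len; k->maplen = maplen;
    return 0;
}

/* Wipe the whole mapping before unmapping it; returns the number of
 * non-zero bytes found after the wipe (0 when the erase succeeded). */
static size_t keybuf_release(keybuf *k) {
    size_t left = 0;
    if (!k->buf) return 0;
    secure_wipe(k->buf, k->maplen);
    for (size_t i = 0; i < k->maplen; i++) left += (k->buf[i] != 0);
    munmap(k->buf, k->maplen);            /* also drops the mlock */
    k->buf = NULL; k->len = k->maplen = 0;
    return left;
}

int main(void) {
    keybuf k;
    if (keybuf_alloc(&k, 32) != 0) return 1;
    memset(k.buf, 0xA5, k.len);   /* constructed stand-in for a key */
    return keybuf_release(&k) != 0;
}
```

Wiping on release shortens the time a key sits in RAM; it does not protect a key that is in active use at the moment power is cut.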
An effective secure erase feature would wipe the RAM when power is interrupted, in the less than 300 ms before power is lost, in conjunction with a secure BIOS and a hard drive/SSD controller that encrypts data on the M-2 and SATAx ports. If the
Some
- Generation of a GnuPG keypair and viewing the private key on a text editor could lead to the key being recovered.[35]
- A cryptocurrency seed could be seen, therefore bypassing the wallet (even if encrypted) allowing access to the funds.[citation needed]
- Typing a password with visibility enabled might show parts of it or even the whole key. If a keyfile is used, it could be shown to reduce time needed for a password attack.
- Traces of mounted or opened encrypted volumes with plausible deniability might be shown, leading to the discovery of them.
- If connected to a .onion service, the URL might be shown and lead to its discovery, which would otherwise be extremely difficult.[36][37]
- Usage of a particular program could show user's patterns. For instance, if a steganography program is used and opened, the assumption that the user has been hiding data could be made. Likewise, if an instant messenger is being used, a list of contacts or messages could be shown.
External key storage
A cold boot attack can be prevented by ensuring no keys are stored by the hardware under attack.
- User enters the disk encryption key manually
- Using an enclosed fully encrypted hard disk drive where the encryption keys are held in hardware separate from the hard disk drive.
Ineffective countermeasures
Although limiting the boot device options in the
Smartphones
The cold boot attack can be adapted and carried out in a similar manner on Android
Typically, Android
References
- ^ MacIver, Douglas (2006-09-21). Penetration Testing Windows Vista BitLocker Drive Encryption (PDF). HITBSecConf2006, Malaysia. Microsoft. Retrieved 2008-09-23.
- ^ S2CID 7770695.
- ^ a b c d e f g h Carbone, Richard; Bean, C; Salois, M (January 2011). An in-depth analysis of the cold boot attack (PDF). Defence Research and Development Canada.
- ^ Skorobogatov, Sergei (June 2002). Low temperature data remanence in static RAM (PDF). University of Cambridge.
- ^ a b c MacIver, Douglas (2008-02-25). "System Integrity Team Blog: Protecting BitLocker from Cold Attacks (and other threats)". Microsoft. Retrieved 2020-06-24.
- ^ "Memory Research Project Source Code". Center for Information Technology Policy. 2008-06-16. Archived from the original on 2013-06-05. Retrieved 2018-11-06.
- ^ "Passware Software Cracks BitLocker Encryption Open" (Press release). PR Newswire. 2009-12-01.
- ISBN 978-0-7695-3102-1.
- ^ Carbone, R.; Bean, C; Salois, M. (January 2011). "An In-depth Analysis of the Cold Boot Attack: Can it be Used for Sound Forensic Memory Acquisition?". Defense Technical Information Center. Archived from the original (pdf) on April 8, 2013.
- ^ a b Gruhn, Michael (2016-11-24). "Forensically Sound Data Acquisition in the age of Anti-Forensic Innocence". Erlangen, Germany: Friedrich-Alexander-Universität Erlangen-Nürnberg.
- ^ "BitLocker Drive Encryption Technical Overview". Microsoft. 2008. Retrieved 2008-11-19.
- ^ a b c TRESOR USENIX paper, 2011 Archived 2012-01-13 at the Wayback Machine
- ISBN 978-1-4503-0672-0. Archived from the original (PDF) on 2018-11-06. Retrieved 2018-11-06.
- ^ Müller, Tilo (2010-05-31). "Cold-Boot Resistant Implementation of AES in the Linux Kernel" (PDF). Aachen, Germany: RWTH Aachen University.
- ^ Friedrich-Alexander-Universität Erlangen-Nürnberg. "Tresor / TreVisor / Armored: TRESOR Runs Encryption Securely Outside RAM / The TRESOR Hypervisor / for Android-driven Devices". Retrieved 2018-11-06.
- ^ Tews, Erik (December 2010). FrozenCache – Mitigating cold-boot attacks for Full-Disk-Encryption software. 27th Chaos Communication.
- ^ Frozen Cache Blog
- ^ Guan, Le; Lin, Jingqiang; Luo, Bo; Jing, Jiwu (February 2014). Copker: Computing with Private Keys without RAM (PDF). 21st ISOC Network and Distributed System Security Symposium (NDSS). Archived from the original (PDF) on 2016-08-03. Retrieved 2016-03-01.
- ISBN 978-1-4673-6949-7.
- ^ Dean, Sarah (2009-11-11). "Cold Boot Attacks on Encryption Keys (aka "DRAM attacks")". Archived from the original on 2012-09-15. Retrieved 2008-11-11.
- ^ "Encryption Still Good; Sleeping Mode Not So Much, PGP Says". Wired. 2008-02-21. Retrieved 2008-02-22.
- ^ Weis S, PrivateCore (2014-06-25). Protecting Data In-Use from Firmware and Physical Attacks (PDF). Black Hat USA 2014. Palo Alto, California, U. S. A. p. 2.
- ^ B. Huang "Keeping Secrets in Hardware: The Microsoft Xbox Case Study", "CHES 2002 Lecture Notes in Computer Science Volume 2523", 2003
- ^ ISBN 978-1-4503-4233-9. Retrieved 2018-11-07.
- ^ Y. Hu, G. Hammouri, and B. Sunar "A fast real-time memory authentication protocol", "STC '08 Proceedings of the 3rd ACM workshop on Scalable trusted computing", 2008
- ^ G. Duc and R. Keryell, "CryptoPage: an efficient secure architecture with memory encryption, integrity and information leakage protection", Dec. 2006
- ^ X. Chen, R. P. Dick, and A. Choudhary "Operating system controlled processor-memory bus encryption", "Proceedings of the conference on Design, automation and test in Europe", 2008
- ^ "VeraCrypt Release Notes".
- ^ M. Henson and S. Taylor "Beyond full disk encryption: protection on security-enhanced commodity processors", "Proceedings of the 11th international conference on applied cryptography and network security", 2013
- ^ M. Henson and S. Taylor "Memory encryption: a survey of existing techniques", "ACM Computing Surveys volume 46 issue 4", 2014
- ^ "TCG Platform Reset Attack Mitigation Specification". Trusted Computing Group. May 28, 2008. Retrieved June 10, 2009.
- ^ Teague, Ryne (2017). "EVIDENCE VERIFICATION COMPLICATIONS WITH SOLID-STATE DRIVES". Association of Digital Forensics, Security and Law. 12: 75–85 – via ProQuest.
- ^ "Tails - Protection against cold boot attacks". Retrieved 7 November 2018.
- ^ "Erase video memory on shutdown (#5356) · Issues · tails / Tails · GitLab".
- ^ "The Palinopsia Bug". hsmr.cc. 2022-04-17. Archived from the original on 2022-02-24. Retrieved 2022-04-17.
- ^ "Tor: Onion Service Protocol". 2019.www.torproject.org. 2022-04-17. Archived from the original on 2022-04-05. Retrieved 2022-04-17.
- ^ https://svn-archive.torproject.org/svn/projects/design-paper/tor-design.pdf
- ^ Igor Skochinsky (2014-03-12). "Secret of Intel Management Engine". SlideShare. pp. 26–29. Retrieved 2014-07-13.
- ^ "2nd Generation Intel Core Processor Family Desktop, Intel Pentium Processor Family Desktop, and Intel Celeron Processor Family Desktop" (PDF). June 2013. p. 23. Retrieved 2015-11-03.
- ^ "2nd Generation Intel Core Processor Family Mobile and Intel Celeron Processor Family Mobile" (PDF). September 2012. p. 24. Retrieved 2015-11-03.
- ^ Michael Gruhn, Tilo Muller. "On the Practicability of Cold Boot Attacks" (PDF). Retrieved 2018-07-28.
- .
- ^ Salessawi Ferede; Yitbarek Misiker; Tadesse Aga. "Cold Boot Attacks are Still Hot: Security Analysis of Memory Scramblers in Modern Processors" (PDF). Retrieved 2018-07-28.
- ^ kpacquer (2018-05-14). "Boot to UEFI Mode or Legacy BIOS mode". Microsoft. Retrieved 2018-11-06.
- ^ S, Ray (2015-12-08), Booting to the Boot Menu and BIOS, University of Wisconsin-Madison, retrieved 2018-11-06
- ^ Dell Inc. (2018-10-09). "How to Perform a BIOS or CMOS Reset and/or Clear the NVRAM on your Dell System | Dell Australia". Dell Support.
- ^ Ruud, Schramp (2014-06-13), OHM2013: RAM Memory acquisition using live-BIOS modification, archived from the original on 2021-12-21, retrieved 2018-07-28
- ^ Michael, Gruhn (2016). Forensically Sound Data Acquisition in the Age of Anti-Forensic Innocence (Thesis). Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU). p. 67.
- ISSN 1742-2876.
- ^ a b c Bali, Ranbir Singh (July 2018). Cold Boot Attack on Cell Phones. Concordia University of Edmonton.
External links
- Lest We Remember: Cold Boot Attacks on Encryption Keys on YouTube
- McGrew Security's Proof of Concept
- Boffins Freeze Phone to Crack Android On-Device Crypto
- Skorobogatov, Sergei (June 2002). "Low temperature data remanence in static RAM". doi:10.48456/tr-536. Retrieved 2008-02-27.