Actions

Cold Boot Attack Defense

From Whonix



Coldbootattack12312421.png

Introduction[edit]

Attack Definition[edit]

A cold boot attack is: [1]

... a type of side channel attack [archive] in which an attacker with physical access [archive] to a computer performs a memory dump [archive] of a computer's random-access memory (RAM) [archive] by performing a hard reset of the target machine. Typically, cold boot attacks are used to retrieve encryption keys [archive] from a running operating system [archive] for malicious and/or criminal investigative reasons. The attack relies on the data remanence [archive] property of DRAM [archive] and SRAM [archive] to retrieve memory contents that remain readable [archive] in the seconds to minutes after power has been removed.

There are two primary methods of performing the attack: [2]

  1. The target computer is reset and booted from an alternative medium like a USB with a minimal operating system. RAM contents are recovered, except for those that have been already overwritten. BIOS passwords can trivially defeat this method.
  2. Ram modules are physically transplanted from the target computer into another which performs image extraction. Most of the content is retained if properly cooled using certain sprays that increase the data remanence.

Research Findings[edit]

The original 2008 cold boot attack research [archive] found:

  • Dynamic random access memory (DRAM) in most computers retain their contents for seconds to minutes after power is lost, even when removed from the motherboard.
  • This persistence allows for forensic or malicious access to system memory images.
  • Attackers with physical access can potentially cold boot the machine and use an operating system on a removable disk to write the contents of physical memory to a file.
  • This file can be analyzed for sensitive data like cryptographic (encryption) keys.
  • This technique was able to defeat disk encryption schemes like BitLocker, TrueCrypt and FileVault.

More recent research in 2018 has identified that mechanisms that overwrite RAM contents when power is restored can be bypassed by rewriting the non-volatile memory chip (firmware) that contains these settings. [3] [4] At the time of writing DDR3/4 RAM appears to protect against cold boot attacks (see next section).

Possible Countermeasures[edit]

Literature Summary[edit]

The literature suggests the following possible countermeasures against cold boot attacks.

Table: Cold Boot Attack Countermeasures

Category Description
Scrubbing memory Software should try to avoid storing keys in memory. For example, software should overwrite keys when unneeded, keys should be prevented from being paged to disk, and memory cleared at boot time. [5] Unfortunately this cannot protect against keys that remain in memory while in active use, such as encrypted disk keys. Further, researchers demonstrated in 2018 that mechanisms that overwrite RAM contents when power is restored can be bypassed by rewriting the non-volatile memory chip (firmware) that contains these settings. [3] [4] [6]
Limiting booting from network or removable media Administrative passwords can be configured in order to boot from these sources. This is an imperfect defense because the drive can still be swapped out or the computer's NVRAM can be reset to allow for booting from removable media.
Safe system suspension Usually locking the computer screen or suspending a laptop's state is ineffective, because the computer can be awakened, power-cycled, and then have its memory extracted. It is far safer to just completely power off systems when they are not in use, with the computer guarded for a few minutes afterward. Suspension is made safer by necessitating a strong password or external secret to awaken the computer, with memory contents encrypted by a key related to the password.
Avoiding precomputation Although precomputation speeds up cryptographic operations, it makes keys more vulnerable because there is redundant storage of key information.
Key expansion Theoretically the application of a transform to keys when it is stored in memory can make it more difficult to reconstruct. Operating systems could also identify memory locations that decay more quickly, and utilize those to store key material.
Physical defenses Since some cold boot attacks rely on access to DRAM chips/modules, the physical memory can be protected by locking them inside the machine, soldering memory to the motherboard or encasing chips in epoxy so they cannot be removed/accessed.
Future architectural changes DRAM can be designed that loses their state more quickly or future hardware might have key-store hardware that erases the state during power-up, reset and shutdown. Another possibility is the routine encryption of memory contents, so long as they are destroyed after a reset or power loss.
Disk controller encryption Data in the hard disk controller hardware can be encrypted. Unlike normal disk encryption systems, both encryption and decryption are performed by the disk controller which store the main encryption keys. This means encryption/decryption is not performed by software in the main CPU, along with the main encryption keys stored in DRAM.
DDR3 and DDR4 RAM The literature generally suggests that a proper solution to cold boot attacks may be later generation DDR3 and DDR4 RAM which utilizes memory scrambling [archive] via the memory controllers. This also retains memory for a shorter period of time than DDR1 and DDR2 RAM. In summary, there does not appear to be any way to perform real-world cold boot attacks on scrambled DDR3 and DDR4 memory, however it should be noted that researchers have shown it is possible to descramble DDR3 memory in laboratory conditions [archive]. [7] Further, "warm reset attacks" where power is not cut are effective against DDR3 systems. [8] [9]

It should be noted that Trusted Platform Modules [archive] (TPMs) are ineffective against cold boot attacks. The reason is TPMs can prevent keys from being loaded into memory for use, but cannot prevent their capture once they are in memory.

Recommendations[edit]

Based on the research findings, practical countermeasures for the majority of users involves never leaving the computer unattended and always ensuring the computer is completely shut down when not in use or when in high-risk situations like traveling. [10] After shutdown, it is safer to completely remove the machine from any power source by removing the power plug. In the case of notebooks, the battery should be removed after powering off. [11] [12] A final simple recommendation is to rely on later computer hardware that holds encryption keys in hardware separate from the HDD/SSD and utilizing systems that have DDR3/4 RAM installed; see the footnote for how to determine the RAM type. [13]

See Also[edit]

Development Discussion[edit]

Footnotes[edit]

  1. https://en.wikipedia.org/wiki/Cold_boot_attack [archive]
  2. https://doc.lagout.org/security/DFRWS-EU-2016-7.pdf [archive]
  3. 3.0 3.1 https://blog.f-secure.com/cold-boot-attacks/ [archive]
  4. 4.0 4.1 https://www.wired.com/story/cold-boot-break-pc-encryption/ [archive]
  5. The last measure cannot prevent the physical removal of memory chips to another computer for analysis.
  6. In summary, researchers were able to disable memory overwriting and enable booting from external devices. This allowed cold boot attacks via a special program on a USB stick.
  7. While the scrambling algorithm could be broken, researchers only found DDR3 memory retention for around 10 seconds before it totally decayed.
  8. https://cyberside.planet.ee/docs/fares_coldboot.pdf [archive]
  9. The researchers also concluded that cold boot attacks were not possible against modern DDR3 (and later) RAM chips.
  10. So the Linux kernel's memory erasing features (page_poison, slub_debug or init_on_free) and/or your firmware reset attack mitigations are instituted.
  11. And/or the memory should be wiped upon shutdown. This is a theoretical concern at present because it is undocumented.
  12. See: Is RAM Wipe possible inside Whonix? Cold Boot Attack Defense [archive]
    • In Linux, launch a terminal and run.
      sudo dmidecode --type memory

    • In Windows, select the PC Task Manager after pressing Ctrl + Alt + Delete. Click "more details" and navigate to the performance tab. Then select the memory option.
    • In macOS, click the Apple logo and select "About This Mac". For additional information, click the "More Info..." button and navigate to the "Memory" tab.


Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki


Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: Discourse logo.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Cold Boot Attack Defense&body=https://www.whonix.org/wiki/Cold_Boot_Attack_Defense link=https://reddit.com/submit?url=https://www.whonix.org/wiki/Cold_Boot_Attack_Defense&title=Cold Boot Attack Defense link=https://news.ycombinator.com/submitlink?u=https://www.whonix.org/wiki/Cold_Boot_Attack_Defense&t=Cold Boot Attack Defense link=https://mastodon.technology/share?message=Cold Boot Attack Defense%20https://www.whonix.org/wiki/Cold_Boot_Attack_Defense&t=Cold Boot Attack Defense

Check out the Whonix ™ News Blog. Rss.png

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.