On the Insecurity of RAM

On The Insecurity of RAM

Mostafa El-Said College of Engineering and Computing School of Computing and Information Systems Grand Valley State University Allendale, Michigan, USA Email: [email protected]

and

David Connett College of Engineering and Computing School of Computing and Information Systems Grand Valley State University Allendale, Michigan, USA Email : [email protected]

ABSTRACT 1. INTRODUCTION

Recent studies have illustrated that RAM is not as With the advent of new attacks targeting RAM, the secure as previously thought. There are a few importance of understanding these attacks and devastating attacks that, if executed properly, could mitigating any potential threat becomes paramount. allow a malicious user to recover plain text The two attacks mentioned in this paper are (i) core passwords from a victim’s computer [5]. dump exploitations and (ii) the cold boot attack, with the experiments focusing on core dumps. This paper explores the nature of the cold boot and Both attacks exploit the fact that data is stored core dump attacks, extends them with remote unencrypted in RAM. exploitation, and proposes a possible solution: encrypting RAM. The two primary concerns with The cold boot attack is a technique that allows an encrypting RAM are twofold: speed degradation, attacker to obtain an image of a victim’s RAM. and the storage of the encryption key itself. Contrary to popular belief, the electric charge stored in RAM does not dissipate immediately An empirical study is carried out by setting up an upon removal of a power source. An attacker can experiment to test exactly how much speed is lost unplug a computer and have up to 10 seconds after encrypting RAM, and to test if encryption (minutes longer if the RAM was subjected to actually defends against these RAM vulnerabilities. coolant) to boot a light weight operating system Results showed that encrypted RAM still operates from an external device (USB, Live CD, etc) and significantly faster than hard drives; however, plain image the latent image in RAM. There are also text passwords were still recoverable from RAM devices that allow a bank of RAM, after being even after encryption because of the way programs removed from the victim’s computer, to be directly cache sensitive information. inserted into an interface and imaged with minimal data corruption. Keywords: Computer Forensics, Memory Forensics, Memory Core Dump, ,Memory A core dump is an image of a process as it resides Encryption, Biometric Data Encryption in RAM. They usually take place during program crash, but can be initiated via the kill command in Linux (the kill command has many options for The remainder of the paper is organized as follows. causing core dumps detailed in the man page) [4]. Section 2 describes the proposed solution and These core dumps are important for debugging summarizes the experimental analysis for the cold purposes but can contain sensitive information boot attack problem. Section 3 concludes the paper about the process in question. Core dumps are and outlines. Finally section 4 introduces the future disabled by default on most systems and can be work. enabled by using the ulimit command per session, or globally by editing a configuration file 2. EXPERIMENTAL ANALYSIS (/etc/security/limits.conf in Ubuntu) such as given in figure 1. There are also utilities that can create a 2.1. Memory Base Line Test core dump without crashing a process at all, and can be used to discreetly steal sensitive information The first experiment was set up in order to from running processes. determine speed degradation of encrypted RAM and to a lesser extent determining whether encrypting RAM is even a feasible solution to the cold book attack problem.

The experiment was performed on Viper Vast 2.74 [9], a security based Linux distribution. Additionally, the experimental testbed includes a laptop in which the tests were performed on has an Intel Mobile Core 2 Duo P8400 processor with 4 GB of Dual Channel DDR2 RAM clocked at 400 MHz. The programs used for the tests: gcore (a core dump utility), Skype (a popular VoIP program), TrueCrypt (encryption program) [6], and Postmark (benchmarking tool) [10]. A file system was created directly on RAM by using of a RAM disk (the folder /dev/shm was used on this machine). This was done to allow comparable speed tests between RAM and a hard drive [2]. Figure 1. Controlling Memory Core Dump The first course of action was to determine the performance of: Unencrypted RAM disk, encrypted Both the cold boot and the core dump rely on the RAM disk, unencrypted hard disk, encrypted hard plain-text nature of RAM. Encrypting RAM disk. seemed to be a simple solution, but there are a few complications that come with the idea. The first Two identical encrypted volumes were created and foremost would be performance degradation. using TrueCrypt. One was placed on the RAM disk, and the other was placed in a normal folder An experimental study is carried out to determine (stored on the hard drive). Postmark simulates a what effect encrypting RAM would have on small file-server in a given directory and times the performance. Specifically, the following speed of file transactions. experiment was set up to answer two specific questions: (i) is encrypting RAM feasible with respect to performance and (ii) whether or not this encryption provides any benefit against the aforementioned attacks.

stored in RAM is lost very quickly after power loss without cooling, and would thus prove complicated for the experimental results needed. This disadvantage to it, but the integrity of data stored in RAM is lost very quickly after power loss without cooling, and would thus prove complicated for the experimental results needed.

Two instances of Skype were installed. One is installed on the encrypted RAM disk volume and the other one is installed in the unencrypted hard drive. Two test accounts were created for each instance and a call was initiated between them. From here it was a simple matter of obtaining the process IDs for both instances using ps –e | grep skype and inputting them into gcore using the command gcore [pid]. Gcore outputted a file to a working directory and has been analyzed using a hex editor to confirm that an unencrypted password

could indeed be recovered from this process. Figure 2 Benchmark Testing for Encrypted RAM As expected, the core dump of the unencrypted The results shown in figure 2 demonstrated that, Skype instance contained sensitive information although encrypting a file system on RAM slows it such as given in figure 3. The following screenshot down by a factor of 4, it is still significantly faster contains the password for the test account. than a hard drive. The downside to this performance evaluation is the fact that it is testing many small file transactions on a file system in RAM and not the actual encrypted processes. This does not necessarily translate to the speed of encrypted processes. Another important factor to keep in mind is the RAM disk benchmarks were run using the same processor and RAM as the actual benchmarking software, although the RAM size was controlled while testing non RAM disk partitions. This benchmark was used as an approximation of speed degradation. We decided to go ahead with the rest of the experiment to see if encryption really provides a defense against RAM exploitation.

2.2. Evaluating the Efficacy Of RAM Encryption

For the purpose of evaluating the efficacy of RAM Figure 2. Core Dump of the Unencrypted encryption, core dumps were the sole exploit used Skype Instance for the experiments; however, it should be noted that all of the attacks performed require Unfortunately, the core dump for the encrypted administrator access to a machine or the ability to version of Skype revealed that it is still possible to crash a program (assuming core dumps are enabled obtain sensitive information such as shown in on a system). The cold boot attack does not have this disadvantage to it, but the integrity of data figure 4. The following screenshot shows the attacker) using putty (a popular SSH client) to recovered password. connect to Ubuntu 9.04. Skype was used again as a test program with the same test user as before. The following screenshot in figure 5 shows that an SSH connection is established with the victim machine and the attacker invoking gcore to image Skype in memory. It worth mentioning that gcore did not crash Skype, the victim in this test would have no idea that Skype was exploited).

Figure 3. Core Dump of the Encrypted Skype Instance

The password is recoverable because the RAM disk only encrypted the installed program Skype, which is not where the sensitive information is Figure 4. Remote Core Dump Attack stored (It is in the process which is copied directly Execution from the RAM disk into the main memory). This does not, however, invalidate the idea of After the core dump has been created Core FTP (a encrypting RAM (at least partially). Critical popular FTP client) was used to initiate an SCP operating system functions could remain connection in order to retrieve the file such as unencrypted with a “secure processes” section of shown in figure 6. RAM, allowing processes to be decrypted only when they need to be used by the processor. There will still be an encryption key stored in RAM that could be recovered via a cold boot/core dump attack (otherwise the processor would not know how to decrypt the information). Biometrics can be used, in this case, to help secure RAM.

2.3. Escalating the Attack

Core dumps are not limited to the physical location of a machine like the cold boot attack. This very simple demonstration illustrates a core dump being performed over a network and is simply a proof of concept, illustrating a core dump being performed over an SSH connection then being retrieved with Figure 5. FTP upload for Memory Core Dump SCP. This test was done with Windows Vista (the The file was 135MB and took 5 minutes to transfer 4. FUTURE WORK over a LAN connection; an attacker could easily filter the size of the dump by using the Linux One possible countermeasure to both the cold boot command strings to find all the ASCII characters in and core dump attack would be a biometrics based the file before the file transfer commences. Figure symmetric-key encryption between RAM and the 7 presents the successful recovery of a password processor. You could obtain one’s fingerprint from a remote system using XVI32 (a windows hex using a fingerprint scanner and then generate a editor). digital key based on the person’s fingerprint. Consequently, hash the generated key and store the hash in the BIOS. Then use an L-3 cache attached to the processor in which the other hashed key is stored. Constraining the input of the processor’s cache to a hardware biometric device would make it very difficult for an attacker to utilize the information gained in a cold boot attack. One would have to first crack the hash to reveal the original fingerprint generated key, then use this information to build a physical model of the victim’s fingerprint in order to access the contents in RAM.

There are also a few methods that can be implemented to prevent only the cold boot attack right now (note that these do not necessarily protect against core dumps): BitLocker uses a Trusted Platform Module to prevent cold boot attacks [1, 3], and photonic memory (light based RAM) would conceivably dissipate any residual memory faster than its electronic counterpart; this is purely speculation by the author though [7].

Figure 6. Skype Password Recovery from 5. REFERENCES Remote Attack Execution

3. CONCLUSION [1] T. Relph-Knight, “Linux and the Trusted Platform Module (TPM) - The H Open Source: Discovering the password in the encrypted instance News and Features,” H-Online. of Skype revealed that the underlying problem is the way programmers store sensitive information in [2] K. Merley, “Linux: How to Use RAM as Swap | their code. TrueCrypt advertises that it only KernelTrap.” decrypts information that is currently being used by a process; however, this process still needs to be [3] D. MacIver, “System Integrity Team Blog : stored in plain text somewhere, otherwise the Protecting BitLocker from Cold Attacks (and other processor would have no idea how to read the threats).” information properly. Many programs are written without regard to the insecure nature of RAM and [4] J. Hulst, “Vulnerabilities in RAM Core are therefore left in caches which are exploitable by Dumps,” Apr. 2009. the methods detailed above. It is my opinion that more research must be done relating the remote [5] J.A. Halderman, S.D. Schoen, N. Heninger, W. exploitation of RAM, and methods to mitigate the Clarkson, W. Paul, J.A. Calandrino, A.J. Feldman, risk of RAM based attacks. J. Appelbaum, and E.W. Felten, “Lest we remember: cold-boot attacks on encryption keys,” Commun. ACM, vol. 52, 2009, pp. 91-98.

[6] R. Snyder, “Some security alternatives for encrypting information on storage devices,” Proceedings of the 3rd annual conference on Information security curriculum development, Kennesaw, Georgia: ACM, 2006, pp. 79-84.

[7] Hiroyuki Nihei and Atsushi Okamoto, “Switching Time of Optical Memory Devices Composed of Photonic Crystals with an Impurity Three-Level Atom,” Japanese Journal of Applied Physics, vol. 40, 2001, pp. 6835-6840.

[8] Online resource. Accessed on Nov 2, 2009: Phoronix .

[9] Online resource. Accessed on Nov 2, 2009: http://vipervast.sourceforge.net/

[10] Online resource Accessed on Nov 15, 2009: http://packages.debian.org/stable/utils/postmark