The Cold Boot Attack
Nadia Heninger
November 20, 2009
Joint work with: J. Alex Halderman, Seth D. Schoen, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Rick Astley, Jacob Appelbaum, and Edward W. Felten The Persistence of Memory
For a good time, run
sync
then run something like the following Python program until you get bored:
a = "" while 1: a += "ARGON"
Then yank the power on your computer, reboot, and
sudo strings /dev/mem | less
Do you find any ARGON?
(Extended instructions at citp.princeton.edu/memory/exp/) The Persistence of Memory: Why? DRAM is an array of tiny capacitors. To write a bit, the capacitor is charged. When power1 is( on,/2 the, state) is: refreshed*;)< every.5 102'µ&s.5&'( Without power, they discharge to a ground state. 1:*;)A"55 BA2-2#&'.%C
9= = 9
!"#>$%%&&''"())?*=+@+$,-'&./:+"03%"+7 But> this72' process)&3)6" takes)4./ secondsH')%"3 to%" minutes.+7I 12'2)324"+)25,.+'B):&/"+2'42)2//'42)/%""6.%$&'+"5(C )6&'7.$')%"3%"+7 */()%"+&4$25)42'2):&+")43%&"3+3&7#)$D/5'")'%.82)%5)"E#)F.G8),"%+ DRAM Decay Rates
55
50
45
40
35 B Dat a 30 B Fi t 25 D Data
% Decay D Fit 20 E Dat a 15 E Fi t 10 F Data F Fit 5
0 0 2 4 6 8 10 Seconds Without Power
The Persistence of Memory
5s. 30s. 1m. 5m. Slowing Decay by Cooling
-50℃ < 0.2% decay
!"#$%&''(#) Even cooler
Liquid Nitrogen -196℃ /<010.1%203%4 decay05)'6 after#$ 1* hour+,-.& (not necessary in practice) 7%89+:;%3#<=>%=?5#)%!"#$%&
!"#$%&'&(()*+$,%$-*)'#,'& Easy targets: Unsanitized data
Plain text passwords from Loginwindow.app in OS X 10.4, 10.5.
Bug had been around for 4 years. Slightly more difficult targets: Encryption keys
!"#$%&'($)*$&$%+",(-$.&/+"/0
!"#$%&'( -$%&'( -$%&'(. !"'"%)*+,'( !"'"%)*+,'( /"%)*+,'( 1"$/2"+(3+)"- 4)-)5&,$/2"+(3+)"- 6-78*+29$:(*+$/2&3+)3( Slightly more difficult targets: Encryption keys Slightly more difficult targets: Encryption keys
/,,5879"8$)542-(
!"#$$%& "'(%$)*+,-+./0
!123$4)5,$& "'(%$)*+,-+62(7 "84$$)9:-87$* Slightly more difficult targets: Encryption keys !"##"$%&''()*%+),$(-." !"##"$%&''()*%+Security),$( Assumptions-." +,)/-.'0%&11/#2'."$1 %%+,3)4/,The-%.,'$0)%&- encryption0121'/."#$%2.1'%1."'-$" is$15 strong %% 3344,The%,6%,+$%2 OS)--"0'2, protects').'"1$%'%4.1,%1%*',- the"0%$.$5% key in RAM 7&834,%6+%2-"',)'1%'4,%*,0%.$% 7&8
9'4,%(...''() the*,-% attacker#.54'%-,:" might"'%'"% reboot to ).-)/#circumvent;,$'%'4,%6+<% the:/'%1 OS,.$),% but7&8 since% RAM 9'4,%is(' volatile,'()*,-%#. the54'%- key,:" will"'%'" be% lost... .1)%;.-")=/(#'.=,;<,%'$4',%'%4*,0%6%>+.<=%=:%:/,'%%=1".1$')9,%7&8% !"#...$%& Right?' .1%;"=('.=,<%'4,%*,0%>.==%:,%="1'9 !"#$%&' Capturing Residual Data
Residual data can be captured easily, with no special equipment Complication Booting a full OS overwrites large areas of RAM. Solution Boot a small low-level program to dump contents of memory. Implementations
PXE Dump (9 KB) EFI Dump (10 KB) USB Dump (22 KB)
Available at citp.princeton.edu/memory/code/ Delivering the Attack !"#$%"&$'()*+"),**-./ Looking for cryptographic keys
“Playing hide and go seek with stored keys” Shamir and van Someren The reality of the entropy approach Finding Keys: Use the structure of the key data.
AES implementations typically precompute a sequence of round keys from the single 128 or 256-bit key.
Round Key 1
Core
Round Key 2
. .
Generation of the 128-bit AES key schedule. Identifying AES keys in memory
Every encryption program we looked at computed and stored the key schedules in exactly the same way. Identifying AES keys in memory
To identify an AES key schedule in memory, scan for a block of memory that has the properties of a key schedule. Identifying AES keys in memory
To identify an AES key schedule in memory, scan for a block of memory that has the properties of a key schedule. Identifying AES keys in memory
To identify an AES key schedule in memory, scan for a block of memory that has the properties of a key schedule. Identifying AES keys in memory
To identify an AES key schedule in memory, scan for a block of memory that has the properties of a key schedule. How to identify RSA keys in memory?
Try multiplying blocks of memory together?
Try decrypting with every block of memory? PKCS #1: RSA Cryptography Standard RSAPublicKey ::= SEQUENCE { modulus INTEGER, -- n publicExponent INTEGER -- e }
RSAPrivateKey ::= SEQUENCE { version Version, modulus INTEGER, -- n publicExponent INTEGER, -- e privateExponent INTEGER, -- d prime1 INTEGER, -- p prime2 INTEGER, -- q exponent1 INTEGER, -- d mod (p-1) exponent2 INTEGER, -- d mod (q-1) coefficient INTEGER, -- (inverse of q) mod p otherPrimeInfos OtherPrimeInfos OPTIONAL } PKCS #1: BER-encoding
30 SEQUENCE 82 02 5d length: 605 bytes 02 INTEGER 01 length: 1 byte 00 (version) 02 INTEGER 81 81 length: 129 bytes 00 99 63 66 d5 ... (n) 02 INTEGER 03 length: 3 bytes 01 00 01 (e) 02 INTEGER 81 80 length: 128 bytes 6e 77 ef 54 a7 ... (d) ...... What if the recovered memory contains bit errors? Correcting Errors in Cryptographic Keys: AES
Use the structure of redundant key data to correct errors.
Round Key 1
Core
Round Key 2
Can retrieve an AES key from 30% of a key schedule in seconds. Correcting Errors in Cryptographic Keys: RSA
Use the structure of redundant key data to correct errors.
pq = N
ed = 1 (mod (p − 1)(q − 1))
edp = 1 (mod p − 1)
edq = 1 (mod q − 1)
Can retrieve an RSA key from 27% of key data in seconds. Attacking disk encryption systems
1. Cut the power to the computer. 2. Reboot into a small memory extracting program. 3. Dump the data from RAM to a device of your choosing. 4. Find keys, fix any errors, decrypt hard drive.
Works against:
and others... Microsoft BitLocker Apple Filevault TrueCrypt Loop-AES dm-crypt ”BitLocker,!"#$% meet&'( Bit)*Un+,-Locker.”))$,"#$!".&'()*/
0)1&23$*4$#&2,&5,56..7,46$&14$)8,4$$4'(9, Demonstration of fully automated attack: Connect:&2 USB2)'$ drive,,;<" reboot,,8*#=)+ and,*)> browse&&$+,4 files28,>*&?3),5#.)3 Countermeasures
No Magic Bullet
Possible Mitigations
I Encrypt key in memory when screen-locked.
I Avoid precomputation.
I Fully-encrypted memory
I Trusted Platform Module (TPM) !"#$%&'()*+,$%(-.$/"0(12**&
34*"(*"'*$/"0(5#$**"62,#784/9*$":'*852**&; ! !"#$%Encrypt&'(<= Memory)(>/ During'4(.5* Sleep$?5(&:55>,$@ 34*"(:>:When7* entering"*@; screen-lock/hibernate/sleep: I Encrypt RAM with user’s password ! <*A./$*(.5*$?5(&:55>,$@(',(@*#$%&'(<=) When awakened: )/",$(9*4:I BRequire/,$: user’s2(# password4:"0 to* decrypt5 RAM Minor behavioral changes CDDDEF
Zzzz... Avoid Precomputation
This makes recovery harder, but:
I Hurts Performance Having key schedule speeds computation
I Attacker can reduce the incidence of errors
I Alternative recovery schemes may perform well without this data !"#$%&'()*+,$%(-.$/"0(12**&
34*"(*"'*$/"0(5#$**"62,#784/9*$":'*852**&;
! !"Encrypted#$%&'(< Memory=)(>/'4(.5*$?5(&:55>,$@ 34*"(:>Memory:7* encrypted"*@; with key I Randomly chosen at boot ! <*A.On/$* cache(.5 read/write*$?5(&:55>,$@(',(@*#$%&'(<=) )/",$(9*I4Data:B/ encrypted/decrypted,$:2(#4:" when0* written/read5 CPU reset clears key CDDDEF TPM? Current TPMs may help!" attacker#$
%&''()Windows*+!"#, BitLocker+-./+0 in(1 Basic2+.** Mode.34(' 56)789I,+On:6* boot,;83 OS4( loads'+6)+ key:. from,63+# TPM87 into( RAM (No password)
! <)+=I8Vulnerable8*>+
! F&Future1)('.= TPMs1(+*8+ may3817 helpG=88*+.**.34 CHI()+6@+38-21(*(1/+8@@E I Need bulk encryption J&*&'(+!"#,+-./+0(12 ! D((7+=&14+()3'/2*68) Since the original paper...
... a lot of interesting follow-up work.
I Reviving an entire computer, VPN sessions and all. “Bootjacker: compromising computers using forced restarts.”
I Improvements in key error-correction.
I Theoretical cryptographic work for “leakage-resilient” cryptosystems. “Cryptography without (hardly any) secrets” For video, paper, and source code, visit:
citp.princeton.edu/memory