The Cold Boot Attack

Nadia Heninger

November 20, 2009

Joint work with: J. Alex Halderman, Seth D. Schoen, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Rick Astley, Jacob Appelbaum, and Edward W. Felten The Persistence of Memory

For a good time, run

sync

then run something like the following Python program until you get bored:

a = "" while 1: a += "ARGON"

Then yank the power on your computer, reboot, and

sudo strings /dev/mem | less

Do you find any ARGON?

(Extended instructions at citp.princeton.edu/memory/exp/) The Persistence of Memory: Why? DRAM is an array of tiny capacitors. To write a bit, the capacitor is charged. When power1 is( on,/2 the, state&#) is: refreshed*;)< every.5 102'µ&s.5&'( Without power, they discharge to a ground state. 1:*;)A"55 BA2-2#&'.%C

9= = 9

!"#>$%%&&''"())?*=+@+$,-'&./:+"03%"+7 But> this72' process)&3)6" takes)4./ secondsH')%"3 to%" minutes.+7I 12'2)324"+)25,.+'B):&/"+2'42)2//'42)/%""6.%$&'+"5(C )6&'7.$')%"3%"+7 */()%"+&4$25)42'2):&+")43%&"3+3&7#)$D/5'")'%.82)%5)"E#)F.G8),"%+ DRAM Decay Rates

55

50

45

40

35 B Dat a 30 B Fi t 25 D Data

% Decay D Fit 20 E Dat a 15 E Fi t 10 F Data F Fit 5

0 0 2 4 6 8 10 Seconds Without Power

The Persistence of Memory

5s. 30s. 1m. 5m. Slowing Decay by Cooling

-50℃ < 0.2% decay

!"#$%&''(#) Even cooler

Liquid Nitrogen -196℃ /<010.1%203%4 decay05)'6 after#$ 1* hour+,-.& (not necessary in practice) 7%89+:;%3#<=>%=?5#)%!"#$%&

!"#$%&'&(()*+$,%$-*)'#,'& Easy targets: Unsanitized data

Plain text passwords from Loginwindow.app in OS X 10.4, 10.5.

Bug had been around for 4 years. Slightly more difficult targets: Encryption keys

!"#$%&'($)*$&$%+",(-$.&/+"/0

!"#$%&'( -$%&'( -$%&'(. !"'"%)*+,'( !"'"%)*+,'( /"%)*+,'( 1"$/2"+(3+)"- 4)-)5&,$/2"+(3+)"- 6-78*+29$:(*+$/2&3+)3( Slightly more difficult targets: Encryption keys Slightly more difficult targets: Encryption keys

/,,5879"8$)542-(

!"#$$%& "'(%$)*+,-+./0

!123$4)5,$& "'(%$)*+,-+62(7 "84$$)9:-87$* Slightly more difficult targets: Encryption keys !"##"$%&''()*%+),$(-." !"##"$%&''()*%+Security),$( Assumptions-." +,)/-.'0%&11/#2'."$1 %%+,3)4/,The-%.,'$0)%&- encryption0121'/."#$%2.1'%1."'-$" is$15 strong %% 3344,The%,6%,+$%2 OS)--"0'2, protects').'"1$%'%4.1,%1%*',- the"0%$.$5% key in RAM 7&834,%6+%2-"',)'1%'4,%*,0%.$% 7&8

9'4,%(...''() the*,-% attacker#.54'%-,:" might"'%'"% reboot to ).-)/#circumvent;,$'%'4,%6+<% the:/'%1 OS,.$),% but7&8 since% RAM 9'4,%is(' volatile,'()*,-%#. the54'%- key,:" will"'%'" be% lost... .1)%;.-")=/(#'.=,;<,%'$4',%'%4*,0%6%>+.<=%=:%:/,'%%=1".1$')9,%7&8% !"#...$%& Right?' .1%;"=('.=,<%'4,%*,0%>.==%:,%="1'9 !"#$%&' Capturing Residual Data

Residual data can be captured easily, with no special equipment Complication Booting a full OS overwrites large areas of RAM. Solution Boot a small low-level program to dump contents of memory. Implementations

PXE Dump (9 KB) EFI Dump (10 KB) USB Dump (22 KB)

Available at citp.princeton.edu/memory/code/ Delivering the Attack !"#$%"&$'()*+"),**-./ Looking for cryptographic keys

“Playing hide and go seek with stored keys” Shamir and van Someren The reality of the entropy approach Finding Keys: Use the structure of the key data.

AES implementations typically precompute a sequence of round keys from the single 128 or 256-bit key.

Round Key 1

Core

Round Key 2

. .

Generation of the 128-bit AES key schedule. Identifying AES keys in memory

Every encryption program we looked at computed and stored the key schedules in exactly the same way. Identifying AES keys in memory

To identify an AES key schedule in memory, scan for a block of memory that has the properties of a key schedule. Identifying AES keys in memory

To identify an AES key schedule in memory, scan for a block of memory that has the properties of a key schedule. Identifying AES keys in memory

To identify an AES key schedule in memory, scan for a block of memory that has the properties of a key schedule. Identifying AES keys in memory

To identify an AES key schedule in memory, scan for a block of memory that has the properties of a key schedule. How to identify RSA keys in memory?

Try multiplying blocks of memory together?

Try decrypting with every block of memory? PKCS #1: RSA Cryptography Standard RSAPublicKey ::= SEQUENCE { modulus INTEGER, -- n publicExponent INTEGER -- e }

RSAPrivateKey ::= SEQUENCE { version Version, modulus INTEGER, -- n publicExponent INTEGER, -- e privateExponent INTEGER, -- d prime1 INTEGER, -- p prime2 INTEGER, -- q exponent1 INTEGER, -- d mod (p-1) exponent2 INTEGER, -- d mod (q-1) coefficient INTEGER, -- (inverse of q) mod p otherPrimeInfos OtherPrimeInfos OPTIONAL } PKCS #1: BER-encoding

30 SEQUENCE 82 02 5d length: 605 bytes 02 INTEGER 01 length: 1 byte 00 (version) 02 INTEGER 81 81 length: 129 bytes 00 99 63 66 d5 ... (n) 02 INTEGER 03 length: 3 bytes 01 00 01 (e) 02 INTEGER 81 80 length: 128 bytes 6e 77 ef 54 a7 ... (d) ...... What if the recovered memory contains bit errors? Correcting Errors in Cryptographic Keys: AES

Use the structure of redundant key data to correct errors.

Round Key 1

Core

Round Key 2

Can retrieve an AES key from 30% of a key schedule in seconds. Correcting Errors in Cryptographic Keys: RSA

Use the structure of redundant key data to correct errors.

pq = N

ed = 1 (mod (p − 1)(q − 1))

edp = 1 (mod p − 1)

edq = 1 (mod q − 1)

Can retrieve an RSA key from 27% of key data in seconds. Attacking disk encryption systems

1. Cut the power to the computer. 2. Reboot into a small memory extracting program. 3. Dump the data from RAM to a device of your choosing. 4. Find keys, fix any errors, decrypt hard drive.

Works against:

and others... Microsoft BitLocker Apple Filevault TrueCrypt Loop-AES dm-crypt ”BitLocker,!"#$% meet&'( Bit)*Un+,-Locker.”))$,"#$!".&'()*/

0)1&23$*4$#&2,&5,56..7,46$&14$)8,4$$4'(9, Demonstration of fully automated attack: Connect:&2 USB2)'$ drive,,;<" reboot,,8*#=)+ and,*)> browse&&$+,4 files28,>*&?3),5#.)3 Countermeasures

No Magic Bullet

Possible Mitigations

I Encrypt key in memory when screen-locked.

I Avoid precomputation.

I Fully-encrypted memory

I Trusted Platform Module (TPM) !"#$%&'()*+,$%(-.$/"0(12**&

34*"(*"'*$/"0(5#$**"62,#784/9*$":'*852**&; ! !"#$%Encrypt&'(<= Memory)(>/ During'4(.5* Sleep$?5(&:55>,$@ 34*"(:>:When7* entering"*@; screen-lock/hibernate/sleep: I Encrypt RAM with user’s password ! <*A./$*(.5*$?5(&:55>,$@(',(@*#$%&'(<=) When awakened: )/",$(9*4:I BRequire/,$: user’s2(# password4:"0 to* decrypt5 RAM Minor behavioral changes CDDDEF

Zzzz... Avoid Precomputation

This makes recovery harder, but:

I Hurts Performance Having key schedule speeds computation

I Attacker can reduce the incidence of errors

I Alternative recovery schemes may perform well without this data !"#$%&'()*+,$%(-.$/"0(12**&

34*"(*"'*$/"0(5#$**"62,#784/9*$":'*852**&;

! !"Encrypted#$%&'(< Memory=)(>/'4(.5*$?5(&:55>,$@ 34*"(:>Memory:7* encrypted"*@; with key I Randomly chosen at boot ! <*A.On/$* cache(.5 read/write*$?5(&:55>,$@(',(@*#$%&'(<=) )/",$(9*I4Data:B/ encrypted/decrypted,$:2(#4:" when0* written/read5 CPU reset clears key CDDDEF TPM? Current TPMs may help!" attacker#$

%&''()Windows*+!"#, BitLocker+-./+0 in(1 Basic2+.** Mode.34(' 56)789I,+On:6* boot,;83 OS4( loads'+6)+ key:. from,63+# TPM87 into( RAM (No password)

! <)+=I8Vulnerable8*>+

! F&Future1)('.= TPMs1(+*8+ may3817 helpG=88*+.**.34 CHI()+6@+38-21(*(1/+8@@E I Need bulk encryption J&*&'(+!"#,+-./+0(12 ! D((7+=&14+()3'/2*68) Since the original paper...

... a lot of interesting follow-up work.

I Reviving an entire computer, VPN sessions and all. “Bootjacker: compromising computers using forced restarts.”

I Improvements in key error-correction.

I Theoretical cryptographic work for “leakage-resilient” cryptosystems. “Cryptography without (hardly any) secrets” For video, paper, and source code, visit:

citp.princeton.edu/memory