
On The Insecurity of RAM

Mostafa El-Said
College of Engineering and Computing, School of Computing and Information Systems, Grand Valley State University, Allendale, Michigan, USA
Email: [email protected]

David Connett
College of Engineering and Computing, School of Computing and Information Systems, Grand Valley State University, Allendale, Michigan, USA
Email: [email protected]

ABSTRACT

Recent studies have illustrated that RAM is not as secure as previously thought. There are a few devastating attacks that, if executed properly, could allow a malicious user to recover plain-text passwords from a victim's computer [5].

This paper explores the nature of the cold boot and core dump attacks, extends them with remote exploitation, and proposes a possible solution: encrypting RAM. The two primary concerns with encrypting RAM are speed degradation and the storage of the encryption key itself.

An empirical study is carried out by setting up an experiment to measure how much speed is lost after encrypting RAM, and to test whether encryption actually defends against these RAM vulnerabilities. Results showed that encrypted RAM still operates significantly faster than a hard drive; however, plain-text passwords were still recoverable from RAM even after encryption because of the way programs cache sensitive information.

Keywords: Computer Forensics, Memory Forensics, Memory Core Dump, Memory Encryption, Biometric Data Encryption

1. INTRODUCTION

With the advent of new attacks targeting RAM, understanding these attacks and mitigating any potential threat becomes paramount. The two attacks discussed in this paper are (i) core dump exploitation and (ii) the cold boot attack, with the experiments focusing on core dumps. Both attacks exploit the fact that data is stored unencrypted in RAM.

The cold boot attack is a technique that allows an attacker to obtain an image of a victim's RAM. Contrary to popular belief, the electric charge stored in RAM does not dissipate immediately when the power source is removed. An attacker can unplug a computer and has up to 10 seconds (minutes longer if the RAM was subjected to coolant) to boot a lightweight operating system from an external device (USB, Live CD, etc.) and image the latent contents of RAM. There are also devices that allow a bank of RAM, after being removed from the victim's computer, to be inserted directly into an interface and imaged with minimal data corruption.

A core dump is an image of a process as it resides in RAM. Core dumps are usually produced when a program crashes, but they can also be triggered with the kill command in Linux by sending a signal whose default action is to dump core (the kill man page details the options) [4]. These core dumps are important for debugging purposes but can contain sensitive information about the process in question. Core dumps are disabled by default on most systems and can be enabled per session with the ulimit command, or globally by editing a configuration file (/etc/security/limits.conf on Ubuntu), as shown in figure 1. There are also utilities that create a core dump without crashing the process at all; these can be used to discreetly steal sensitive information from running processes.

Figure 1. Controlling Memory Core Dump

Both the cold boot and the core dump attack rely on the plain-text nature of RAM. Encrypting RAM seems a simple solution, but the idea brings a few complications. The first and foremost is performance degradation.

An experimental study is carried out to determine what effect encrypting RAM would have on performance. Specifically, the experiment was set up to answer two questions: (i) is encrypting RAM feasible with respect to performance, and (ii) does this encryption provide any benefit against the aforementioned attacks.

The remainder of the paper is organized as follows. Section 2 describes the proposed solution and summarizes the experimental analysis for the cold boot attack problem. Section 3 concludes the paper and outlines. Finally, section 4 introduces the future work.

2. EXPERIMENTAL ANALYSIS

2.1. Memory Baseline Test

The first experiment was set up to determine the speed degradation of encrypted RAM and, to a lesser extent, whether encrypting RAM is even a feasible solution to the cold boot attack problem.

The experiment was performed on Viper Vast 2.74 [9], a security-based Linux distribution. The experimental testbed is a laptop with an Intel Mobile Core 2 Duo P8400 processor and 4 GB of dual-channel DDR2 RAM clocked at 400 MHz. The programs used for the tests were gcore (a core dump utility), Skype (a popular VoIP program), TrueCrypt (an encryption program) [6], and Postmark (a benchmarking tool) [10]. A file system was created directly in RAM by using a RAM disk (the directory /dev/shm was used on this machine). This was done to allow comparable speed tests between RAM and a hard drive [2].

The first course of action was to determine the performance of an unencrypted RAM disk, an encrypted RAM disk, an unencrypted hard disk, and an encrypted hard disk.

Two identical encrypted volumes were created using TrueCrypt. One was placed on the RAM disk, and the other was placed in a normal folder (stored on the hard drive). Postmark simulates a small file server in a given directory and times the speed of file transactions.

Figure 2. Benchmark Testing for Encrypted RAM

The results shown in figure 2 demonstrate that, although encrypting a file system on RAM slows it down by a factor of 4, it is still significantly faster than a hard drive. The downside of this performance evaluation is that it tests many small file transactions on a file system in RAM and not actual encrypted processes, so it does not necessarily translate to the speed of encrypted processes. Another factor to keep in mind is that the RAM disk benchmarks were run using the same processor and RAM as the benchmarking software itself, although the RAM size was controlled while testing the non-RAM-disk partitions. This benchmark was used only as an approximation of speed degradation. We decided to go ahead with the rest of the experiment to see whether encryption really provides a defense against RAM exploitation.

2.2. Evaluating the Efficacy of RAM Encryption

For the purpose of evaluating the efficacy of RAM encryption, core dumps were the sole exploit used in the experiments; however, it should be noted that all of the attacks performed require administrator access to the machine, or the ability to crash a program (assuming core dumps are enabled on the system). The cold boot attack does not have this disadvantage, but the integrity of data stored in RAM is lost very quickly after power loss without cooling, which would have complicated obtaining the experimental results needed.

Two instances of Skype were installed: one on the encrypted RAM disk volume and the other on the unencrypted hard drive. Two test accounts were created for each instance and a call was initiated between them. From here it was a simple matter of obtaining the process IDs of both instances with ps -e | grep skype and passing each to gcore with the command gcore [pid]. gcore wrote a file to the working directory, which was analyzed with a hex editor to confirm that an unencrypted password could indeed be recovered from the process.

As expected, the core dump of the unencrypted Skype instance contained sensitive information, as shown in figure 3. The screenshot contains the password for the test account.

Figure 3. Core Dump of the Unencrypted Skype Instance

Unfortunately, the core dump of the encrypted version of Skype revealed that it is still possible to obtain sensitive information, as shown in figure 4. The screenshot shows the recovered password.

Figure 4. Core Dump of the Encrypted Skype Instance

The password is recoverable because the RAM disk only encrypted the installed Skype program, which is not where the sensitive information is stored: it lives in the running process, which is decrypted as it is copied from the RAM disk into main memory. This does not, however, invalidate the idea of encrypting RAM (at least partially). Critical operating system functions could remain unencrypted alongside a "secure processes" section of RAM, with processes decrypted only when they need to be used by the processor. There would still be an encryption key stored in RAM that could be recovered via a cold boot or core dump attack (otherwise the processor would not know how to decrypt the information). Biometrics could be used, in this case, to help secure RAM.

2.3. Escalating the Attack

Core dumps are not limited to the physical location of a machine like the cold boot attack. […] attacker) using PuTTY (a popular SSH client) to connect to Ubuntu 9.04. Skype was used again as the test program with the same test user as before. The screenshot in figure 5 shows that an SSH connection is established with the victim machine and the attacker invokes gcore to image Skype in memory. It is worth mentioning that gcore did not crash Skype, so the victim in this test would have no indication that Skype had been exploited.

Figure 5. Remote Core Dump Attack Execution

After the core dump had been created, Core FTP (a popular FTP client) was used to initiate an SCP connection to retrieve the file, as shown in figure 6.
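The Introduction's description of how core dumps are switched on (ulimit per session, /etc/security/limits.conf globally) and the observation that gcore can image a running process without crashing it both come down to a handful of Linux settings. The following audit script is an added example, not part of the paper; it parses limits.conf fragments, evaluates the kernel knobs that decide whether process memory can be written to disk or read through ptrace (which is how gcore attaches), and reports findings. The two limits.conf fragments are constructed, not copied from the paper's figure 1, and the live-collection function reads /proc and so only works on Linux.

```python
"""Audit of the Linux settings that decide whether a process can be dumped
by a crash or signal, or imaged with gcore. Added example, not from the paper."""
import resource

UNLIMITED = resource.RLIM_INFINITY   # what `ulimit -c unlimited` sets


def parse_limits_conf(text):
    """Return {(domain, type): value} for every `core` line in limits.conf text.
    Lines look like '<domain> <soft|hard|-> <item> <value>'; '#' starts a comment."""
    entries = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 4 and parts[2] == "core":
            domain, ltype, _item, value = parts
            entries[(domain, ltype)] = value
    return entries


def core_limit_bytes(value):
    """Convert a limits.conf core value (kilobytes, or 'unlimited') to bytes."""
    return UNLIMITED if value == "unlimited" else int(value) * 1024


def assess_core_policy(rlimit_core, suid_dumpable, ptrace_scope, core_pattern):
    """Return a list of findings; an empty list means nothing here exposes memory.

    rlimit_core    soft RLIMIT_CORE in bytes (what `ulimit -c` shows; 0 disables dumps)
    suid_dumpable  /proc/sys/fs/suid_dumpable; 0 = never dump setuid/privileged processes
    ptrace_scope   /proc/sys/kernel/yama/ptrace_scope; 0 = any same-uid process may
                   ptrace (and so gcore) another, 1 = only descendants, 2 = CAP_SYS_PTRACE
    core_pattern   /proc/sys/kernel/core_pattern; a leading '|' pipes dumps to a helper
    """
    findings = []
    if rlimit_core != 0:
        findings.append("core dumps enabled (RLIMIT_CORE != 0): a crash or SIGABRT "
                        "writes the process image to disk")
    if suid_dumpable != 0:
        findings.append(f"fs.suid_dumpable={suid_dumpable}: privileged processes may be dumped")
    if ptrace_scope < 1:
        findings.append("yama ptrace_scope=0: any process of the same user can run gcore "
                        "on another without root")
    if rlimit_core != 0 and not core_pattern.startswith("|"):
        findings.append(f"core_pattern '{core_pattern}': dumps land in a plain file "
                        "readable by the process owner")
    return findings


def collect_core_policy():
    """Read the live values (Linux only). A missing Yama file is treated as scope 0."""
    def read_int(path, default):
        try:
            with open(path) as fh:
                return int(fh.read().strip())
        except OSError:
            return default
    with open("/proc/sys/kernel/core_pattern") as fh:
        pattern = fh.read().strip()
    soft, _hard = resource.getrlimit(resource.RLIMIT_CORE)
    return dict(rlimit_core=soft,
                suid_dumpable=read_int("/proc/sys/fs/suid_dumpable", 0),
                ptrace_scope=read_int("/proc/sys/kernel/yama/ptrace_scope", 0),
                core_pattern=pattern)


# Constructed limits.conf fragments (assumed content, not the paper's figure 1):
# the first enables dumps for everyone, the second is the hardened counterpart.
LIMITS_ENABLE = "* soft core unlimited\n* hard core unlimited\n"
LIMITS_DISABLE = "# no core files for anyone\n* hard core 0\n* soft core 0\n"

if __name__ == "__main__":
    for finding in assess_core_policy(**collect_core_policy()):
        print("finding:", finding)
```

The hard limit in limits.conf is the one that matters for a defender: a user can raise a soft limit with ulimit -c, but not past the hard limit, so `* hard core 0` is what keeps a process from being dumped by a crash. Note that this does not stop gcore, which goes through ptrace; that is what the ptrace_scope check covers.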
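Section 2.2 recovers the password by opening the gcore output in a hex editor, and section 2.3 copies the same kind of file off the victim over SCP for analysis elsewhere. The script below is an added example, not code from the paper, that automates that step: a gcore file is an ELF64 core, whose PT_LOAD segments hold the process memory, so the script walks those segments, runs a strings(1)-style scan over them, and reports runs that look like credentials together with the virtual address they were dumped from. The embedded core is constructed with the helper at the bottom so the example runs offline; the "password=" layout in it is invented for illustration and says nothing about how Skype actually stores its credentials.

```python
"""Search an ELF64 core file (what `gcore <pid>` writes) for plain-text
credentials. Added example, not from the paper; the sample core is constructed."""
import re
import struct

ELF_MAGIC = b"\x7fELF"
ET_CORE = 4                      # e_type of a core file
PT_LOAD = 1                      # program header type that carries process memory
PT_NOTE = 4                      # registers and process status: not memory, skipped
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # little-endian ELF64 header (64 bytes)
PHDR_FMT = "<IIQQQQQQ"           # ELF64 program header (56 bytes)
EHDR_SIZE = struct.calcsize(EHDR_FMT)
PHDR_SIZE = struct.calcsize(PHDR_FMT)

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")                       # like strings(1)
CREDENTIAL = re.compile(r"(?i)(pass(word|wd|phrase)?|secret|token)\s*[=:]")


def load_segments(core):
    """Yield (virtual address, bytes) for each PT_LOAD segment that has file data.
    Writable private mappings (heap, stack, .data) are dumped in full; read-only
    file mappings usually have p_filesz == 0 and contribute nothing."""
    if core[:4] != ELF_MAGIC or core[4] != 2 or core[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR_FMT, core, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    if e_type != ET_CORE:
        raise ValueError("not an ELF core file (e_type != ET_CORE)")
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _align = \
            struct.unpack_from(PHDR_FMT, core, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_filesz:
            yield p_vaddr, core[p_offset:p_offset + p_filesz]


def find_bytes(core, needle):
    """Virtual addresses at which `needle` occurs in the dumped memory."""
    return [vaddr + m.start()
            for vaddr, data in load_segments(core)
            for m in re.finditer(re.escape(needle), data)]


def credential_strings(core):
    """(address, text) for every printable run that looks like a credential."""
    hits = []
    for vaddr, data in load_segments(core):
        for m in PRINTABLE.finditer(data):
            text = m.group().decode("ascii")
            if CREDENTIAL.search(text):
                hits.append((vaddr + m.start(), text))
    return hits


def build_core(segments):
    """Assemble a minimal ELF64 core from [(p_type, vaddr, data), ...].
    Used only to construct the sample below; a real core comes from gcore or the kernel."""
    n = len(segments)
    offset = EHDR_SIZE + n * PHDR_SIZE
    phdrs, blobs = [], []
    for p_type, vaddr, data in segments:
        phdrs.append(struct.pack(PHDR_FMT, p_type, 6, offset, vaddr, vaddr,
                                 len(data), len(data), 1))   # flags 6 = PF_R | PF_W
        blobs.append(data)
        offset += len(data)
    ident = ELF_MAGIC + b"\x02\x01\x01" + bytes(9)            # 64-bit, little-endian, v1
    ehdr = struct.pack(EHDR_FMT, ident, ET_CORE, 62, 1, 0, EHDR_SIZE, 0, 0,
                       EHDR_SIZE, PHDR_SIZE, n, 0, 0, 0)      # 62 = EM_X86_64
    return ehdr + b"".join(phdrs) + b"".join(blobs)


# Constructed sample (invented layout): a heap page caching a credential, a stack
# page, and a note segment that the scan must ignore.
HEAP_VADDR = 0x5555_5600_0000
HEAP = (b"\x00" * 16 + b"skype_user=testaccount\x00" + b"\x00" * 8
        + b"password=Tr0ub4dor\x00" + b"\x00" * 32)
STACK = b"\x00" * 32 + b"/usr/bin/skype\x00" + b"\x00" * 32
SAMPLE_CORE = build_core([
    (PT_NOTE, 0, b"\x05\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00CORE\x00\x00\x00\x00"),
    (PT_LOAD, 0x7ffd_3000_0000, STACK),
    (PT_LOAD, HEAP_VADDR, HEAP),
])

if __name__ == "__main__":
    import sys
    core = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CORE
    for addr, text in credential_strings(core):
        print(f"0x{addr:016x}  {text}")
```

Run it with the path of a gcore output file as the only argument; with no argument it scans the constructed sample. The reported address is the virtual address in the dumped process, which is what makes it possible to tell a heap copy of a password (the caching the paper blames for the encrypted instance still leaking) from a string in the program image itself.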