RAM attacks against encryption keys

Introduction

The goal of this article is to explain, to comment and to assess the risk of an attack which uses persistence of data in RAM memory to defeat the protection relying on disk encryption software. In fact, a recent study [1] published by the Princeton university shows that this risk is higher than popular assumption suppose it to be. Actually, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at room temperature and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious acquisition of usable full-system memory images. The study shows that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access.

Remanence of DRAM memory has been a known phenomenon for more than 20 years and it has been suggested that it could have some security implications. But until now, there hasn’t been any real study describing the phenomenon, dealing with key reconstruction algorithms, applying the attack to real disk encryption software and offering a systematic discussion of countermeasures.

 

Overview of the attack

Most experts assume that computer’s memory is erased almost immediately when it loses power or that it is too difficult to recover data from RAM when a computer has been switched off without specialized equipments. The Princeton’s study shows that these assumptions are incorrect. Ordinary DRAMs gradually lose their contents over a period of seconds even at standard operating temperatures and even if the chips are removed from the motherboard and data will persist for minutes or even hours if the chips are kept at low temperatures. As a consequence, simple non-destructive techniques allow to recover some residual data, only requiring momentary physical access to the machine. The attack can be performed even if the screen is locked or if the computer is in “suspend” or “sleep” modes.

The study first describes several experiments that have been conducted to characterize DRAM remanence in a variety of memory technologies.

Here are a few observations summarizing these experiments:

• most DRAM modules retained much of their states without refresh, and even without power, for periods lasting thousands of refresh intervals,
• At normal operating temperatures, a low rate of bit corruption is observed for several seconds, followed by a period of rapid decay (more than 50% after 60 seconds without power). This short period is sufficiently long to allow the attacker to cold-boot the computer and extract sensitive data without having to remove the DRAM chip from the motherboard,
• Newer memory technologies, which use higher circuit densities, appeared to decay more quickly than older ones,
• In most cases, during the experiments, almost all bits decayed at predictable times and to predictable “ground states” rather than to random values,
• And finally, decay rates vary dramatically with temperature.

 
So, the parameter that is easier to modify is the temperature. The study mentions two ways that have been used to reduce the operating temperature:

• Using a simple cooling technique: discharging inverted cans of “canned air” duster spray directly onto the chips. This technique has allowed Princeton University’s researchers to reach a surface temperature of -50°C. At this temperature, the loss of data is evaluated around 1% after 10 minutes.
• Using a more advanced technique: submerge the DRAM chip in liquid nitrogen (-196°C). At this temperature, the data loss has been measured to 0.17% after 1 hour out of the computer. With this observation in mind, we can easily imagine that data can be retained in RAM for hours or days with sufficient cooling.

 
The study then presents 3 variants of the attack of which the goal is to extract private encryption keys and other sensitive data. They are as follow, in order of resistance to countermeasures:

• The simplest is to shutdown the machine and to restart it with a custom kernel with a small memory footprint that gives the attacker access to the retained memory.
• A more advanced variant consists in briefly cutting power to the machine, and then to restore power and to boot a custom kernel. This attack additionally allows preventing the operating system from scrubbing memory while shutting down.
• Finally a stronger attack consists in cutting the power and then transplants the DRAM modules to a second PC prepared by the attacker. This attack additionally deprives the original BIOS and PC hardware of any chance to clear the memory on boot.

 
In all the cases mentioned above, the attacker needs to boot the machine with a custom operating system. In fact, when a system is booting, it necessarily overwrites some portions of memory. Booting a full operating system would be very destructive. So, the custom system not only has to include some tools to search and extract keys from the DRAM memory, but it also has to be very small so that the memory is not overwritten when the system is started up.

If the attacker is forced to cut power to the memory for too long, the data will become corrupted. Princeton University’s researchers have tested out 3 methods which allow reducing corruption and for correcting errors in recovered encryption keys:

• The first is to cool the memory chip before cutting power which dramatically reduces the error rate.
• The second is to apply heuristics and algorithms specially developed by Princeton University’s researchers. Their goal is to locate symmetric and private keys in memory and to correct errors in them.
• The third is to replicate the physical conditions under which the data was recovered and experimentally measure the decay properties of each memory location; with this information, the attacker can conduct an accelerated error correction procedure. In fact, it had been shown that errors are predictable in most cases.

 
These techniques can be used alone or in combination. While used in combination, they can be very powerful allowing for example to reconstruct cryptographic keys even if the error rate is quite high (10, 20 or even 30 %).

Rather than attacking the key directly, most of the methods focus on values derived from it, such as “key schedules” (subkeys generated during a cryptographic procedure), which have a higher degree of redundancy. For performance reasons, many applications precompute these values and keep them in memory for as long as the key itself is in use. For example, to reconstruct an AES key, the attack consists in treating the decayed key schedule as an error correcting code and finding the most likely values for the original key.

Precomputation of subkeys or in a more general way keeping cryptographic keys in RAM suggests an interesting trade-off between performance and security. Best practice would say that software has to overwrite all copies of a private key when it has finished using it, but there are important cases where this is not realistic because the same key is used repeatedly. Two examples are an encrypted disk, where the root key must remain available to enable file access, and an SSL web server, where an RSA private key must be kept available for establishing new sessions.

 

Risk and impact assessment

Risk assessment

The risk associated with this attack strongly depends on physical security measures that are set up around a computer. As the attack requires a physical access to the machine, it is obvious that laptops (which are often carried from a place to another) are more at risk than desktop workstations. So, physical security policies probably have to be reviewed to take this kind of threat into account for companies which use disk encryption software and assume that their security are definitely unbreakable.

 

Impact assessment

Data persistence in DRAM potentially allows an attacker to extract all data stored in a running computer’s memory. This assumption leads us to the conclusion that all sensitive data which are stored in memory are exposed when a laptop for example is left somewhere without some physical protections. The attack can be performed either if the computer is powered on (even with a screen saver asking for credentials) or even if the computer is in “sleep mode”.

The study from the Princeton University shows several examples of critical data that can be extracted from a computer’s RAM memory:

• BitLocker’s encryption keys: allowing an attacker to read the full content of a disk encrypted with this software,
• TrueCrypt’s keys : allowing an attacker to get access to the entire content of a disk if the “full disk encryption” feature of TrueCrypt is used, or to read the contents of all encrypted virtual disks that are mounted when the attacker gets a physical access to the machine,
• FileVault’s keys: allowing a malicious person to have access to encrypted files on a MacOS X system,
• Dm-crypt’s keys : allowing an attacker to get access to an encrypted disk on Linux systems,
• MacOS X user’s login passwords,
• Apache RSA private keys.
  

But we can easily imagine other kind of data that are also stored in memory when a computer is running:

• E-mails or documents currently opened when the computer is locked,
• Web pages currently displayed in a browser even for a SSL connection,
• DRM (Digital Rights Management) keys.

 

 

Recommendations

Memory imaging attacks are difficult to defend against because cryptographic keys that are in active use need to be stored somewhere. Disk encryption software or other software dealing with sensitive data should erase keys in memory when they are not used anymore. But as mentioned previously, it is not always possible particularly for performance reasons. Moreover, the report also shows that using precomputation to speed cryptographic operations can make keys more vulnerable; precomputation often leads to redundant storage of key information in memory which helps an attacker to reconstruct keys even in the presence of bit errors.

Most of the suggested countermeasures in the Princeton University’s report focus on the following points:

• Discarding or obscuring encryption keys before an malicious person might gain physical access,
• Preventing memory-dumping software from being executed on the machine,
• Physically protecting DRAM chips,
• Possibly making the contents of memory decay more quickly.

Here are a few practical measures which can be applied to make the attack harder to perform:

• Some PCs can be configured to perform a destructive power-on self-test before they attempt to load the operating system. This feature if often called “quick boot” in the BIOS. Disabling “quick boot” will force the BIOS to check the memory erasing its contents. If an attacker has not the possibility to remove the DRAM chip from the computer, he would not be able to run imaging software on this machine.
• Most attacks involve booting a custom system from a removable media or via the network. Computers can generally be configured to ask for an administrative password to boot from these sources. If this feature is not present in the BIOS, it’s still possible to remove all these sources from the boot sequence and set a BIOS password preventing all unauthorized modifications. We can note that an attacker having a physical access to the computer can still reset the computer’s NVRAM (Non-Volatile RAM) to discard the BIOS configuration, re-enabling the boot from external sources.
• Suspending the system safely. The study’s results show that simply locking the screen of a computer (i.e. keeping the system running but requiring entry of a password to continue interacting with the user) does not protect the contents of memory. Suspending a laptop’s state (“sleeping”) is also ineffective as the RAM is still powered. Put a computer in hibernation mode will only be effective if a secret passphrase is required to resume normal operations.
• With most disk encryption systems, users can protect themselves by powering off the machine completely when it is not in use. Memory contents may be retained for a short period after power-off, so the owner should keep an eye on the machine for a minute or so after removing power. This recommendation is not effective for people using BitLocker and the TPM (Trusted Platform Module) hardware, because the encryption key is loaded into the memory before Windows starts.
  

Several disk encryption software vendors have been reacting since the publication of the study. Microsoft and PGP for example have published specific advisories and recommendations for their software (See links in the “for more information” section).

 

For more information

• [1] - Princeton University’s study : “cold boot attacks on encryption keys”
• [2] – Youtube video : “cold boot attacks on encryption keys”
• [3] – Microsoft : Protecting BitLocker from Cold Attacks
• [4] – PGP Corporation : Cold Boot Attack Response
• [5] – Internet Storm Center : vendor reactions