[Noisebridge-discuss] Cold Boot Attacks on Disk Encryption
Kristian Erik Hermansen
kristian.hermansen at gmail.com
Fri Feb 22 04:16:04 UTC 2008
On Thu, Feb 21, 2008 at 9:53 AM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> Abstract:
> Contrary to popular assumption, DRAMs used in most modern computers
> retain their contents for seconds to minutes after power is lost, even
> at operating temperatures and even if removed from a motherboard.
> Although DRAMs become less reliable when they are not refreshed, they
> are not immediately erased, and their contents persist sufficiently for
> malicious (or forensic) acquisition of usable full-system memory images.
> We show that this phenomenon limits the ability of an operating system
> to protect cryptographic key material from an attacker with physical
> access. We use cold reboots to mount attacks on popular disk encryption
> systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no
> special devices or materials. We experimentally characterize the extent
> and predictability of memory remanence and report that remanence times
> can be increased dramatically with simple techniques. We offer new
> algorithms for finding cryptographic keys in memory images and for
> correcting errors caused by bit decay. Though we discuss several
> strategies for partially mitigating these risks, we know of no simple
> remedy that would eliminate them.
>
> A good intro is on Ed Feltens blog:
> http://www.freedom-to-tinker.com/?p=1257
>
> Our full paper, with a nice video and photos is here:
> http://citp.princeton.edu/memory/
>
> If you'd like to test your system, I think we can arrange something at
> the next Noisebridge meeting!
Now this is *real* hacking. Excellent stuff :-) Looking forward to
testing it out...
--
Kristian Erik Hermansen
--
"It has been just so in all my inventions. The first step is an
intuition--and comes with a burst, then difficulties arise. This thing
gives out and then that--'Bugs'--as such little faults and
difficulties are called--show themselves and months of anxious
watching, study and labor are requisite before commercial success--or
failure--is certainly reached" -- Thomas Edison in a letter to
Theodore Puskas on November 18, 1878
More information about the Noisebridge-discuss
mailing list