[Noisebridge-discuss] Cold Boot Attacks on Disk Encryption

Kristian Erik Hermansen kristian.hermansen at gmail.com
Fri Feb 22 04:16:04 UTC 2008


On Thu, Feb 21, 2008 at 9:53 AM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>  Abstract:
>  Contrary to popular assumption, DRAMs used in most modern computers
>  retain their contents for seconds to minutes after power is lost, even
>  at operating temperatures and even if removed from a motherboard.
>  Although DRAMs become less reliable when they are not refreshed, they
>  are not immediately erased, and their contents persist sufficiently for
>  malicious (or forensic) acquisition of usable full-system memory images.
>  We show that this phenomenon limits the ability of an operating system
>  to protect cryptographic key material from an attacker with physical
>  access. We use cold reboots to mount attacks on popular disk encryption
>  systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no
>  special devices or materials. We experimentally characterize the extent
>  and predictability of memory remanence and report that remanence times
>  can be increased dramatically with simple techniques. We offer new
>  algorithms for finding cryptographic keys in memory images and for
>  correcting errors caused by bit decay. Though we discuss several
>  strategies for partially mitigating these risks, we know of no simple
>  remedy that would eliminate them.
>
>  A good intro is on Ed Felten's blog:
>  http://www.freedom-to-tinker.com/?p=1257
>
>  Our full paper, with a nice video and photos, is here:
>  http://citp.princeton.edu/memory/
>
>  If you'd like to test your system, I think we can arrange something at
>  the next Noisebridge meeting!

Now this is *real* hacking.  Excellent stuff :-)  Looking forward to
testing it out...
-- 
Kristian Erik Hermansen
--
"It has been just so in all my inventions. The first step is an
intuition--and comes with a burst, then difficulties arise. This thing
gives out and then that--'Bugs'--as such little faults and
difficulties are called--show themselves and months of anxious
watching, study and labor are requisite before commercial success--or
failure--is certainly reached" -- Thomas Edison in a letter to
Theodore Puskas on November 18, 1878


