ioerror: Cold Boot Attacks on Disk Encryption

Jacob Appelbaum (

ioerror) wrote,
@ 2008-02-21 08:58:00

Cold Boot Attacks on Disk Encryption
Our project is released!

Abstract:
Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.

Boing Boing!
C|Net coverage (photos)
New York Times
Slashdot coverage
Wired 1 and 2
LWN
BBC
The Washington Post
CRN
Ars Technica
New Scientist
The Register
Digg
Engadget
Schneier
Ed Felten has written about it (He's a coauthor).
And finally, our actual website with research paper and videos is also online.
Drudge Report
Reddit
Risks
Hack A Day
Metafilter
(Various press release places have also picked up the EFF and Princeton press release, such as EurekAlert!. As usual, the YouTube Video has the worst comments of any site yet. It's currently the number 3rd most emailed story on the New York Times website.Even my old housemate and close friend Alex Graveley)

Wikipedia article

(31 comments) - (Post a new comment)

	enochsmiles 2008-02-21 05:14 pm UTC (link)
	Congrats on the acceptance! (Reply to this)

	strontium90 2008-02-21 05:20 pm UTC (link)
	Congratulations and well done sir! (Reply to this)

	uke 2008-02-21 05:41 pm UTC (link)
	applause (Reply to this)

	mikeys 2008-02-21 05:43 pm UTC (link)
	rock on! (Reply to this)

	rezendi 2008-02-21 05:57 pm UTC (link)
	That is very cool. (Reply to this) (Thread)

	rezendi 2008-02-23 01:22 pm UTC (link)
	Oh, and it's also in today's International Herald Tribune. (Reply to this) (Parent)

	ryanlrussell 2008-02-21 06:15 pm UTC (link)
	Oh, that's you? Nice one. I have it open in another window waiting to read. I hadn't spotted your name on it yet. (Reply to this)

	icis_machine 2008-02-21 06:27 pm UTC (link)
	So you are saying that you can just take advantage of the capacitor arrays in the banks on the chip? Have you considered putting this in larger, more reputable security journals such as those for CIOs? (Reply to this) (Thread)

	enochsmiles 2008-02-21 06:32 pm UTC (link)
	You don't get much more reputable than Usenix, which I believe is where Jake said this was submitted? (Sure, there's a couple IEEE conferences, and CCS, that are better, but on a 1-10 scale, Usenix is ranked a 9 by my research group.) Security journals for CIOs are generally crap. (Reply to this) (Parent)(Thread)

icis_machine
2008-02-21 06:56 pm UTC (link)

From what I have seen (which isn't much) CIOs would find this more useful to know.

And I am unsure of which ieee group would use it. However, spinning it toward more hw-centric/bios (embedded groups) groups might find it applicable outside of "consumer" computing.

That said, I find this an interesting (social) systems problem. Hw (chip, board, and even some firmware) people know about this refresh/cap characteristic. Most sw haven't given it much thought. Neither group would think to communicate about this with each other.

also, that princeton.edu's pdf link is busted.

(Reply to this) (Parent)

	ephermata 2008-02-21 06:53 pm UTC (link)
	Congrats! (Reply to this)

	loic 2008-02-21 07:55 pm UTC (link)
	Very nice! I was excited when I heard about the cool hack, It's great to see it as a paper an an exploit! Congratulations! (Reply to this)

	occupant 2008-02-21 07:59 pm UTC (link)
	I thought of you when I saw this headline, but didn't put 2+2 together. Keep the pressure on! (Reply to this)

	jkuroda 2008-02-21 09:38 pm UTC (link)
	Good work. the vulnerability of memory to offline attack was surprising to some faculty here. have some ideas on mitigation, probably similar to ones you've come up with. (Reply to this)

	josephhall 2008-02-21 10:37 pm UTC (link)
	bad-freakin'-ass yos! (Reply to this)

	matrushkaka 2008-02-21 10:49 pm UTC (link)
	Yay Jake! (Reply to this)

	scosol 2008-02-21 11:45 pm UTC (link)
	Yeah- I picked that up on BoingBoing- interesting shit indeed. It would have never occurred to me that the state could be maintained for so long because of cold- Makes me think about fun things like DRAM in a Dewer acting like SRAM. (Reply to this)

	fuzzel 2008-02-22 12:26 am UTC (link)
	See your inbox for some comments already, it got noticed in some other place too. Congrats again with the publication and the publicity it is getting too! (Reply to this)

	occupant 2008-02-22 02:46 am UTC (link)
	You made Drudge Report. (Reply to this) (Thread)

	ioerror 2008-02-22 02:58 am UTC (link)
	What, no CNN? Hah. (Reply to this) (Parent)(Thread)

	occupant 2008-02-22 04:21 am UTC (link)
	They usually seem to be about a week behind when it comes to tech stories; they're worse than Slashdot. (Reply to this) (Parent)

	sfllaw 2008-02-22 03:25 am UTC (link)
	Hurray! (Reply to this)

	Congratulations! rukzise 2008-02-22 09:09 am UTC (link)
	Now let's submit something to WOOT 2008 next. They are co-located to Usenix Security. Cheers, .:ralf:. (Reply to this)

	akashayi 2008-02-22 06:04 pm UTC (link)
	Interesting stuff, congrats :D (Reply to this)

	ravyn440 2008-02-22 06:29 pm UTC (link)
	Oh shit, that's you? I saw the article blurb yesterday on slashdot. Well done! (Reply to this)

	fxl 2008-02-22 10:48 pm UTC (link)
	Congrats! Found it on CNET and was surprised to see a few names a I recognized. (Reply to this)

	tenbris 2008-02-23 07:47 pm UTC (link)
	I've been on an LJ hiatus so I didn't see your post until just now; however, that was after my Crypto prof sent a link to the entire class and I saw your name. Congrats! :D (Reply to this) (Thread)

	ioerror 2008-02-23 09:15 pm UTC (link)
	Nice. What school was this? (Reply to this) (Parent)

enochsmiles
2008-03-06 05:17 pm UTC (link)

BTW, you should probably cite the following if you haven't gone to camera-ready yet:

Dirk Janssens, "Heuristic methods for locating cryptographic keys inside computer systems", PhD Thesis, K.U. Leuven ESAT-COSIC, 2000.

and

Dirk Janssens, Ronny Bjones, Joris Claessens: "KeyGrab T00: The search for keys continues..." Whitepaper, Utimaco Safeware AG and K.U. Leuven ESAT-COSIC, 2000.

(The whitepaper is here: http://joris.claessens.ws/pub/keygrab2.pdf; I have a hard copy of the thesis, and am looking for a PDF for you. Let me know what your deadline is?)

(Reply to this) (Thread)

	enochsmiles 2008-03-06 05:24 pm UTC (link)
	I'm sorry, Dirk's thesis is from 1999. (that, and Keygrab T00, were the first extensions/implementation of the Shamir and van Someren work, afaik.) (Reply to this) (Parent)

	(Anonymous) 2008-04-01 07:37 pm UTC (link)
	Found this by accident while googling :-) If you have any questions, you can always contact me :-) Dirk Janssens keygrab at kuleuven.net (Reply to this) (Parent)

(31 comments) - (Post a new comment)

Username:		Create an Account Forgot your login or password? Login w/ OpenID
Password:
	Remember Me
	English • Español • Deutsch • Русский…

About

Help

Get Involved

Legal

LJ Labs

Store