Lest we remember: cold-boot attacks on encryption keys

Contrary to widespread assumption, dynamic RAM (DRAM), the main memory in most modern computers, retains its contents for several seconds after power is lost, even at room temperature and even if removed from a motherboard. Although DRAM becomes less reliable when it is not refreshed, it is not immediately erased, and its contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access to a machine. It poses a particular threat to laptop users who rely on disk encryption: we demonstrate that it could be used to compromise several popular disk encryption products without the need for any special devices or materials. We experimentally characterize the extent and predictability of memory retention and report that remanence times can be increased dramatically with simple cooling techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for mitigating these risks, we know of no simple remedy that would eliminate them.

[1]  R. Anderson,et al.  Low-temperature operation of silicon dynamic random-access memories , 1989 .

[2]  Peter Gutmann,et al.  Secure deletion of data from magnetic and solid-state memory , 1996 .

[3]  William A. Arbaugh,et al.  A secure and reliable bootstrap architecture , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[4]  Don Coppersmith,et al.  Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities , 1997, Journal of Cryptology.

[5]  Dan Boneh,et al.  An Attack on RSA Given a Small Fraction of the Private Key Bits , 1998, ASIACRYPT.

[6]  Adi Shamir,et al.  Playing "Hide and Seek" with Stored Keys , 1999, Financial Cryptography.

[7]  Dan Boneh,et al.  Architectural support for copy and tamper resistant software , 2000, SIGP.

[8]  Eyal Kushilevitz,et al.  Exposure-Resilient Functions and All-or-Nothing Transforms , 2000, EUROCRYPT.

[9]  L. Scheick,et al.  Analysis of radiation effects on individual DRAM cells , 2000 .

[10]  Sean W. Smith,et al.  Building the IBM 4758 Secure Coprocessor , 2001, Computer.

[11]  Ross J. Anderson Security engineering - a guide to building dependable distributed systems (2. ed.) , 2001 .

[12]  Peter Gutmann,et al.  Data Remanence in Semiconductor Devices , 2001, USENIX Security Symposium.

[13]  Sergei Skorobogatov Low temperature data remanence in static RAM , 2002 .

[14]  Johannes Blömer,et al.  New Partial Key Exposure Attacks on RSA , 2003, CRYPTO.

[15]  Andrew W. Appel,et al.  Using memory errors to attack a virtual machine , 2003, 2003 Symposium on Security and Privacy, 2003..

[16]  Joe Grand,et al.  A hardware-based memory acquisition procedure for digital investigations , 2004, Digit. Investig..

[17]  Phillip Rogaway,et al.  Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC , 2004, ASIACRYPT.

[18]  밀러웨슬리쥐. Three way validation and authentication of boot files transmitted from server to client , 2004 .

[19]  Sean W. Smith Trusted Computing Platforms: Design and Applica-tions , 2004 .

[20]  Gerard Hartnett,et al.  Designing Embedded Network Applications: Essential Insights for Developers of Intel R IXP4XX Network Processor based Systems , 2005 .

[21]  Ruby B. Lee,et al.  Architecture for protecting critical secrets in microprocessors , 2005, 32nd International Symposium on Computer Architecture (ISCA'05).

[22]  Ruby B. Lee,et al.  Architecture for Protecting Critical Secrets in Microprocessors , 2005, ISCA 2005.

[23]  Sean W. Smith Trusted Computing Platforms - Design and Applications , 2005 .

[24]  Tal Garfinkel,et al.  Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation , 2005, USENIX Security Symposium.

[25]  Timothy M. Vidas,et al.  The Acquisition and Analysis of Random Access Memory , 2007, J. Digit. Forensic Pract..

[26]  Brent Waters,et al.  Harvesting verifiable challenges from oblivious online sources , 2007, CCS '07.

[27]  Xavier Boyen,et al.  Halting Password Puzzles: Hard-to-break Encryption from Human-memorable Keys , 2007, USENIX Security Symposium.

[28]  Ruby B. Lee,et al.  Hardware-rooted trust for secure key management and transient trust , 2007, CCS '07.

[29]  Roy H. Campbell,et al.  BootJacker: compromising computers using forced restarts , 2008, CCS.

[30]  N. Heninger Improved RSA Private Key Reconstruction for Cold Boot Attacks , 2008 .

[31]  David A. Wagner,et al.  Tweakable Block Ciphers , 2002, Journal of Cryptology.

[32]  J. Alex Halderman,et al.  Ethical Issues in E-Voting Security Analysis , 2011, Financial Cryptography Workshops.

[33]  Ian Goldberg,et al.  Telex: Anticensorship in the Network Infrastructure , 2011, USENIX Security Symposium.

[34]  J. Friedrich,et al.  Security Engineering: a Guide to Building Dependable Distributed Systems Banking and Bookkeeping , 2022 .