Posted on 02/21/2008 8:32:58 AM PST by decimon
A team of academic, industry and independent researchers has demonstrated a new class of computer attacks that compromise the contents of secure memory systems, particularly in laptops.
The attacks overcome a broad set of security measures called disk encryption, which are meant to secure information stored in a computer's permanent memory. The researchers cracked several widely used technologies, including Microsoft's BitLocker, Apple's FileVault and Linux's dm-crypt, and described the attacks in a paper and video published on the Web Feb. 21.
The team reports that these attacks are likely to be effective at cracking many other disk encryption systems because these technologies have architectural features in common.
"We've broken disk encryption products in exactly the case when they seem to be most important these days: laptops that contain sensitive corporate data or personal information about business customers," said Alex Halderman, a Ph.D. candidate in Princeton's computer science department. "Unlike many security problems, this isn't a minor flaw; it is a fundamental limitation in the way these systems were designed."
The attack is particularly effective against computers that are turned on but are locked, such as laptops that are in a sleep or hibernation mode. One effective countermeasure is to turn a computer off entirely, though in some cases even this does not provide protection.
Halderman's Princeton collaborators included graduate students Nadia Heninger, William Clarkson, Joseph Calandrino, Ariel Feldman and Professor Edward Felten, the director of the Center for Information Technology Policy. The team also included Seth Schoen of the Electronic Frontier Foundation, William Paul of Wind River Systems and independent computer security researcher Jacob Appelbaum.
Felten said the findings demonstrate the risks associated with recent high-profile laptop thefts, including a Veterans Administration computer containing information on 26 million veterans and a University of California, Berkeley laptop that contained information on more than 98,000 graduate students and others. While it is widely believed that disk encryption would protect sensitive information in instances like these, the new research demonstrates that the information could easily be read even when data is encrypted.
"Disk encryption is often recommended as a magic bullet against the loss of private data on laptops," Felten said. "Our results show that disk encryption provides less protection than previously thought. Even encrypted data can be vulnerable if an intruder gets access to the laptop."
The new attacks exploit the fact that information stored in a computer's temporary working memory, or RAM, does not disappear immediately when a computer is shut off or when the memory chip is taken from the machine, as is commonly thought. Under normal circumstances, the data gradually decays over a period of several seconds to a minute. The process can be slowed considerably using simple techniques to cool the chips to low temperatures.
Disk encryption technologies rely on the use of secret keys -- essentially large random numbers -- to encode and protect information. Computers need these keys to access files stored on their own hard disks or other storage systems. Once an authorized user has typed in a password, computers typically store the keys in the temporary RAM so that protected information can be accessed regularly. The keys are meant to disappear as soon as the RAM chips lose power.
The team wrote programs that gained access to essential encryption information automatically after cutting power to machines and rebooting them. The method worked when the attackers had physical access to the computer and when they accessed it remotely over a computer network. The attack even worked when the encryption key had already started to decay, because the researchers were able to reconstruct it from multiple derivative keys that were also stored in memory.
In one extremely powerful version of the attack, they were able to obtain the correct encryption data even when the memory chip was physically removed from one computer and placed in another machine. After obtaining the encryption key, they could then easily access all information on the original machine.
"This method is extremely resistant to countermeasures that defensive programs on the original computer might try to take," Halderman said.
The attacks demonstrate the vulnerability of machines when they are in an active state, including sleep mode or the screen lock mode that laptops enter when their covers are shut. Even though the machines require a password to unlock the screen, the encryption keys are already located in the RAM, which provides an opportunity for attackers with malicious intent.
None of the attacks required specialized equipment. "I think we're going to see attackers doing things that people have previously thought impractical or impossible," Appelbaum said.
The researchers were able to extend the life of the information in RAM by cooling it using readily available canned air keyboard dusting products. When turned upside down, these canisters spray very cold liquid. Discharging the cold liquid onto a memory chip, the researchers were able to lower the temperature of the memory to -50 degrees Celsius. This slowed the decay rates enough that an attacker who cut power for 10 minutes would still be able to recover 99.9 percent of the information in the RAM correctly.
"Hints of problems associated with computers retaining their temporary memory have appeared in the scientific literature, but this is the first systematic examination of the security implications," said Schoen.
The researchers posted the paper describing their findings on the website of Princeton's Center for Information Technology Policy. They submitted the paper for publication and it is currently undergoing review.
In the meantime, the researchers have contacted several manufacturers to make them aware of the vulnerability: Microsoft, which includes BitLocker in some versions of Windows Vista; Apple, which created FileVault; and the makers of dm-crypt and TrueCrypt, which are open-source products for Windows and Linux platforms.
"There's not much they can do at this point," Halderman said. "In the short term, they can warn their customers about the vulnerability and tell them to shut their computers down completely when traveling."
In the longer term, Halderman said new technologies may need to be designed that do not require the storing of encryption keys in the RAM, given its inherent vulnerability. The researchers plan to continue investigating this and other defenses against this new security threat.
Mike
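Added example (not from the article, the researchers, or any poster in this thread): for AES, the "derivative keys" the article mentions are the round keys a cipher expands from the key and keeps in RAM beside it. The Python below assumes AES-128 and a constructed 2 KB buffer standing in for a memory image; the function names are hypothetical. It shows a defender's audit: a wipe routine has to clear the whole 176-byte schedule, because clearing only the 16-byte key leaves recognizable residue.

```python
import random

def _build_sbox():
    """Generate the AES S-box: GF(2^8) inverse followed by the affine map."""
    rot = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p = p * 3
        for s in (1, 2, 4):                                     # q = q / 3
            q = (q ^ (q << s)) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def next_round_key(rk, rcon):
    """AES-128 key schedule step: derive round key i+1 from round key i."""
    out = bytearray(16)
    t = [SBOX[rk[13]] ^ rcon, SBOX[rk[14]], SBOX[rk[15]], SBOX[rk[12]]]
    for w in range(4):
        out[4 * w:4 * w + 4] = bytes(a ^ b for a, b in zip(rk[4 * w:4 * w + 4], t))
        t = out[4 * w:4 * w + 4]
    return bytes(out)

def expand_key(key):
    """Return the 176 bytes (key + 10 round keys) a cipher keeps in RAM."""
    rks = [bytes(key)]
    for rcon in RCON:
        rks.append(next_round_key(rks[-1], rcon))
    return b"".join(rks)

def find_schedule_residue(buf, min_links=2):
    """Return (offset, first_round, links) for each run of chained round keys."""
    hits, covered_until = [], 0
    for off in range(len(buf) - 31):
        if off < covered_until:
            continue
        for first in range(10):
            links, pos = 0, off
            while (first + links < 10 and pos + 32 <= len(buf)
                   and bytes(buf[pos + 16:pos + 32])
                   == next_round_key(buf[pos:pos + 16], RCON[first + links])):
                links, pos = links + 1, pos + 16
            if links >= min_links:
                hits.append((off, first, links))
                covered_until = pos + 16
                break
    return hits

def demo():
    rng = random.Random(2008)  # constructed filler, not a real memory image
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 sample
    image = bytearray(rng.getrandbits(8) for _ in range(2048))
    image[1000:1176] = expand_key(key)   # schedule left by an unlocked volume
    intact = find_schedule_residue(image)
    image[1000:1016] = bytes(16)         # wipe only the 16-byte key
    key_only_wiped = find_schedule_residue(image)
    image[1000:1176] = bytes(176)        # wipe the whole schedule
    fully_wiped = find_schedule_residue(image)
    return intact, key_only_wiped, fully_wiped

if __name__ == "__main__":
    print(demo())
```

The scan checks links between consecutive 16-byte blocks rather than a whole schedule, which is why the key-only wipe is still flagged from the first surviving round key onward.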
Biometric lock? hardware key? Shutdown subroutine that overwrites all RAM at shutdown?
Don’t give up the ship, just yet.
You must submit.
Businesses and agencies who allow sensitive material to leave the office on a laptop are insane. That data can be accessed securely via robust encryption remotely and any new data derived stored remotely.
That doesn’t sound very secure; the likes of public keys have existed for years where even if the key is recovered it can’t be decrypted (these rely on ‘irreversible’ formulas; however I’d imagine that with enough computing power they aren’t truly 100% irreversible, still you’d need to be a maths genius with a supercomputer to crack them) - in the case of a hard drive though it would mean storing the key in at least two different places - a pen drive or MP3 player or camera memory could do that.
Another way would be using a one-time key, so that even if the key in the RAM is read, the key itself is encrypted - using a once-only realworld-random-generated large-bit-size formula.
But even then, you’re forgetting about the one thing no programmer or IT manager can completely develop to be fool proof... The User
Before walking about with that info was possible there was no need to do so. Now there supposedly is. Yes, irrational.
Bingo! I’ve cautioned against the loose nut behind the keyboard for years in my IT roles.
Any Tech that you do not completely understand is not secure...period...
Considering how the key is stored now (in RAM...HELLO?!!), that's not a bad idea.
So how do you propose using a pen drive? If not stored in RAM, where the OS can access it QUICKLY to read the hard drive, it would require that every disk read/write first make a call to the pen drive.
If that is the case, your machine will slow to a crawl.
That’s still not a good idea, you can remove the pen drive and probably hold onto the key that way.
The best way I can think of doing it is put an encrypted dram chip on the motherboard that is read/write restricted, and can only be read and written to using a separate encryption key that’s randomly generated based off of various hardware serial numbers.
Why not randomize critical areas of RAM as part of the shutdown process? That should fix the problem.
Ok, I'm calling BS on this. This might be theoretically possible, but practically impossible.
Try it yourself: Shut down your computer and then open the case, remove the RAM, open another machine, install the RAM in that other machine, and boot that machine in less than a minute.
Still not convinced this story is BS?
When a computer is turned on, the BIOS (Basic Input-Output System) routines stored in permanent memory chips (CMOS) perform a "POST", or "Power On Self Test". One of the things that happens during the POST is a memory test. How do you suppose memory gets tested? It gets written to and read from. So, if there WERE any residual data in RAM, the POST would effectively overwrite it.
Now, think about the whole concept of someone breaking into your machine and installing whatever equipment necessary to chill your RAM chips to the point where electrons on a silicon substrate are moving CONSIDERABLY slower. You would certainly notice a HUGE decrease in computer performance, not to mention the chill in the air (or the increased heat, depending on the mechanism used to super-cool your RAM chips).
It is possible, I suppose, to create a BIOS-level virus that would reboot a machine immediately after it was shut down. But then, if you're THAT clever you should be able to write a virus that would simply READ the encryption key while the computer was up and running. And at that point there's still the POST memory test to contend with.
My opinion is that the article is horse-squeeze.
You could easily do a protocol to get around that. For example, the encrypted hd is unlocked as long as the flash drive is inserted, locked when the drive is pulled, etc.
That’s a good idea, too. There are dedicated chips that’ll take care of key encryption, but the laptop/mobo manufacturers would have to design them in and market their machines as such. Probably not likely...
Encryption is considered stronger than locking because a locked drive can be read after removal from the laptop (as in the case of it being stolen) by another machine.
Encryption requires the use of a key to decrypt the drive. In order for the decryption to occur, the key must be located in RAM at some point in order for the decryption algorithm to actually work ... or ... the target (thing to be decrypted) must be sent out to a secondary processor. The key may or may not be sent as well depending on the key distribution architecture adopted by the software.
So if you use the pen drive (USB port) to only lock/unlock the drive, in the case when a laptop is stolen, you will still allow the reading of the data on the drive if not encrypted.
If encrypted, the USB port could be used to either store the key, or run an external crypto engine that stores the key and provides the decrypt processing for the target provided to it by the OS. In either case, the additional overhead will significantly slow the drive read/write time.
Lastly, if you use a unique USB device, then if that device is lost then the data is also lost. If the device is not unique, then duplication of the USB device will allow for access of the data. In the second case, you increase the difficulty of decrypting the drive as you have a two factor element that must be in your possession in order to read the drive. It is all about trade offs.
OK, let’s not get lost in terminology. Go ahead and substitute “encrypt/decrypt” for “lock/unlock” in my scenario. Yes, there are tradeoffs in any design—how secure do you want it? For me, if I wanted to be damn sure my data was secure then I’d use an external key to secure it, and have a backup in case of loss.
Any encryption method and security implemented slows a machine down somewhat - to suggest it’s to a crawl is not in the region of being true.
I’m unsure whether or not all usb port devices utilise the RAM; they certainly don’t need to so it depends on how the system board is designed. In any case - having direct access to a computer means it can certainly be compromised in all kinds of ways, you wouldn’t need anything as is described in the article.
I’m not sure what sort of situations anyone would be in, where they are encrypting information yet allowing their computers to be accessed by anyone else, other than in matters of theft.
Maybe a simpler solution then would be to unplug the hard drive, in the same way cyclists take a wheel with them. Then if the RAM is compromised the drive isn’t there to be read from anyway.
I think what they’re claiming could be done, it’s just very unlikely that anyone that had the laptop or computer already would bother to go through the process of cooling the RAM down then using whatever memory reader / other computer and the required software to find out what’s still stored on the RAM - they could just look at what’s on the hard drive.
If the hard drive needed a password to get into it, that is very easy to brute-force compared to RAM cooling. There’s other ways too to go around that. Then, they have access to the user’s desktop - that would include being able to decrypt any files.
I’d missed that when unlocking was mentioned here it was meant in the read/write-head way - that is indeed different from files being encrypted.
Again though, if the computer is in the hands of someone that wants to read what’s on the hard drive, it’s also easier to unlock the heads than it is to steal the machine precisely after the user has just finished using it - and quickly go someplace safe enough to open it up (which itself takes a bit of time to do), spray it with canned air, then either insert the RAM into another machine or power-up the current machine, install software on it to read what’s on the RAM........without being caught or seen - and doing all that in the offchance that the computer will have really useful data on it.
If your laptop is stolen - change your online account passwords right away.
But your idea of storing the encryption key on (two!) non-volatile memory devices is incredibly insecure. Typically the encryption key is "stored" in the user's brain and when accessing the encrypted files/hard drive the encryption program prompts the user for the key. Why you think storing something in RAM is bad is beyond me; I don't think you understand the technology. Finally, keeping track of a laptop is orders of magnitude easier than keeping track of two non-volatile "pen-drives"
I’m calling BS on your reply: not only is it theoretically possible, but pretty easy to do, in fact. As an engineer with over 20 years experience at a DRAM manufacturing company, I am also not impressed with any notions about “electrons on a silicon substrate are moving CONSIDERABLY slower” or any of the other misconceptions about the BIOS, CMOS, or POST...
For the intellectually curious, this article hinges on a DRAM spec called “refresh time”, which refers to the maximum time allowable between refresh cycles (or reads) of the same row address required to keep the data [on that row] intact. Although it is normally something on the order of 64 milliseconds, this would be for the maximum operating temperature, e.g., 70 or 85 degrees Celsius. At room temperature, the refresh time is easily 5 or 10 seconds; cool down to the temperatures suggested in the article and several minutes is not out of the question.
Could someone open a “sleeping” laptop, spray the memory modules with “Freeze-it” or some such, pull the modules, put them into another computer and “boot” it with a boot disk containing a special copy routine to recover the contents of the memory? Absolutely. In fact, with a special test jig purpose built for the task, no re-booting would be required: just pop in the modules and scan the data — it wouldn’t take more than a few seconds (depending on the memory size) to do it.
Did you read the article? Explain to me the following:
Something you know. Something you have. Something you are.
This problem could be dealt with at the memory module level. It would require a capacitor to hold some energy and a circuit (driven by the capacitor) that scrambles memory when the primary voltage drops.
I agree. I'm thinking this is a pretty difficult hack to actually pull off with any reliability.
I'm surprised by this, I'll admit... I wasn't aware that RAM isn't totally volatile, beyond a few seconds or fractions thereof. I wouldn't have guessed that it could retain information many seconds or a minute without power.
That's interesting.
hohoho! This could also be used to defeat most DRM! Isn’t this cute, considering how much investment in copy control technology has just been rendered moot, again!
This could be used on Las Vegas slot machines to see when a million dollar payoff is going to happen or even set it up to happen. Someone well funded, such as the Chinese government, could get into computer voting machines to influence an election. If they were going to invade Taiwan it would be useful to have a pacifist like Obama in power.
bttt
Interesting article. It just goes to show that if someone has physical access to a computer, all bets are off as far as security is concerned.
Kind of hard to believe it didn't crack the chip, isn't it?
"The team wrote programs that gained access to essential encryption information automatically after cutting power to machines and rebooting them. The method worked when the attackers had physical access to the computer and when they accessed it remotely over a computer network."
Interesting but poorly written, IMO. The article lost me as to exactly what it is addressing. Maybe there will be some follow-up.
Would you still question this knowing many Princetonians went to the CIA? ;-)
Totally possible but extremely unlikely. Again, they had to have physical and unfettered access to the computer.
Yeah, that's why I said "theoretically possible", "practically impossible".
But if you had spent, say, 20 years working in the mailroom at a DRAM factory (or maybe 20 years drinking drams) you might think it easily accomplished. Especially if you disregarded the effects of temperature on electron movement up front, but insisted on its effects on the backside of your argument; and if you thought that chips operated at room temperature or below in the average computer; and if they were running hot a spray of sub-zero liquid like "Freeze-it" wouldn't crack the chips (I've seen it happen); and if you didn't understand the BIOS and the POST process so you disregarded those as "unimpressive"...then I suppose you could come up with some tin-foil hat scenarios where this happened all the time. Why, probably more often than not. Somebody call Art Bell right away! Use the "West of the Real World" line! [/sarcasm]
It almost reads as if it was targeted towards...umm, I don't know...pencil-pushers who approve research grant requests, maybe?
Gee, I only told you about this...8 years ago!
Yes, I read and understood the article. I don't believe the same can be said for you based on your responses.
Dynamic RAM (DRAM) is composed of lots and lots of tiny capacitors whose charge states (charged or not) determine the value of the bit that is stored in that cell (1 or 0). When voltage is removed from a capacitor (in this case, the computer is turned off) it discharges: Vc = V*e^(-t/RC) (where R is the circuit resistance and C is the capacitance value). For DRAM cells, the capacitance is REALLY small, so the discharge time is quite fast. In fact, the time that you can reliably count on DRAM cells retaining their charge is so short that the DRAM module must be continually read and written back.
So, yeah, these guys have found something that theoretically is a security hazard, but your suggestion of storing encryption keys on two small non-volatile devices (which are much more easily lost than an entire laptop) is infinitely worse.
So I take it you don’t know the meaning of something you are, know, and have....?
Secure kernel virtualization and memory addressing. In fact, the “study” may well be a roundabout plug for this new technology -which is being developed by MS among others.
I still don't get the impression that you understand the technology and I've lost interest. Enjoy the rest of the thread.
It's been fun. I guess I should let you know now (I should have earlier) that I'm a EE and have designed highly secure network systems and embedded devices (some with DRAM) used by the gaming industry. Take care.
I don't think they're talking about that. I think they're talking about quickly inserting the memory card into a specially-constructed piece of hardware that will be already on and running, and automatically quickly read the contents of the card and store it to disk for analysis
And the sequence would be: open the case with power still on (you care more about recovering the data than risking damage to the laptop), have helper cut power while you immediately yank out the card, spray it with coolant, and insert it into the slot of your cracker hardware. Elapsed time from extraction from laptop socket to insertion in cracker socket: 3 seconds
Actually they were referring to something I wrote re: the storing of keys on separate devices, which for some reason a few replies here managed to completely overlook.
The idea was that one-time keys in PGP style rely on having both bits of the key in order to use it. If the other half of the key is on something like an SD card, then even in the unlikely event of being able to recover the RAM stores before they decay - it wouldn’t be usable as a key anyway.
What was pointed out was that if the architecture is using RAM for every operation, including on plug-in devices, then whatever was held on them could still also be held on the RAM. That could be a problem - however, it can also be circumvented by hardware design that considers it. For example with graphics cards they have their own CPUs and their own RAM.
In any case, using one-time keys as the name suggests, means that they cannot be used again anyway, rendering their theft utterly valueless.
Or just have your confidential data on a USB flash drive that never leaves your personal possession. You can get 8GB flash drives for under $30 these days. Put a long tether on the flash drive and have the other end attached to your belt or wrist.
LOL! This is where I'm supposed to be impressed?
I'm also an EE and some of my stuff is in theater in Iraq & Afghanistan. Our "customers" would not look favorably upon your idea of storing the encryption key on a small, easily lost non-volatile memory device. Ciao!