Cold Boot Disk Attacks

For the last several years, whole-disk encryption has become a popular technology to push for the more tech-savvy. And for good reason. The last few years have had some major losses of data from things like lost laptops. Whole-disk encryption, a process where the operating system encrypts the disk during writes, seems like a fantastic method to stop these sorts of attacks.

While Disk Encryption, like in TrueCrypt or Microsoft’s BitLocker are still completely worth investing in, some research done at Princeton recently, shows that it may not be quite as effective as we’d believed. It turns out, that DRAM doesn’t lose it’s state as quickly as most people (myself included) believed.

It turns out, that standard DRAM can maintain state for anywhere from seconds to minutes at operating temperatures, and cooling the DRAM, which can be done with cheap aresol products, can extend that data maintenance for a significant period of time. The memory can then be dumped by using a memory dumper either by booting from attacker-controlled media or physically moving the RAM chips to an untrusted host.

The paper does an excellent job going through the attack, so I will not expand here, except to say that I believe this is likely to be of more use to forensic analysts in Law Enforcement, or other highly directed attacks. The person who stole that British laptop mentioned above, just as likely swiped it to sell and may not have even bothered to see what data was on it. Most laptop thefts aren’t for data, they’re for the hardware.

More interesting, is determining how these issues can be avoided. Princeton suggests a few possibilities. First, securing the RAM by soldering or epoxying it to the board. I don’t think we can depend on the hardware manufacturers to do this. It adds to their costs and makes it harder to customize systems. In this day and age, I would be reluctant to buy any system that didn’t allow me to upgrade my RAM.

A possibility that came up in a conversation with a co-worker about this, was the possibility of soldering a token amount of RAM onto the motherboard (MacBooks have 128MiB soldered on, PCs used to have 640k I don’t know if they still do). Ensuring this RAM had a low memory address, it would be fairly easy to ensure that encryption keys were stored in this space which was non-removable and could be scrubbed at boot without scrubbing everything. Dedicated encryption hardware also fits this requirement, but seems to not be cost effective for hardware implementors. While this wouldn’t require any major architecture changes, it would require cooperation between the major OS vendors to determine how this would best be handled. It’s hard to say when and if that would happen.

I don’t think we can expect the hardware to change. RAM needs to be fast, and that is part of the reason why modern RAM maintains it’s state. People aren’t going to be excited about giving up some of that speed. Changes to the overall system architecture only help in the event that the RAM is non-removable. The systems that Princeton used to dump the RAM for the attacks would overwrite a small amount of the RAM. It is possible that the RAM could be read while guaranteeing that the data couldn’t be over-written, by keeping a token amount of RAM at a low address that the OS was guaranteed not to overwrite the data.

There are some software changes that Princeton mentions that I suspect we will see soon. Stopping precomputation might slow things down a bit, but in this day and age, it would be worth it for me to have the increased security, and for those users trying to protect enormous amounts of confidential data, the trade-off would be worth it. I’m not even using disk encryption yet, but I have already taken some of the steps, ensuring that the BIOS wipes RAM at boot, and not allowing booting from removable media or the network. I know we all want our computers to be fast, but trading a tiny bit of speed for a good increase of security is worth it to me.