Many people think that the data stored in DRAM is erased instantly once a computer's power is turned off. This is not true. The data remains in DRAM for some seconds even at room temperature, and even if the DRAM is taken out of the system. The term "Cold Boot Attack" is mostly used in cryptography and is also known as a "Platform Reset Attack". A cold boot attack is an attack in which an attacker who has physical access to a computer tries to retrieve its encryption keys by cold booting it. A cold boot, also known as a hard boot, is intentionally powering a computer off and back on. In other words, a cold boot attack is "a process for obtaining unauthorized access to a computer's encryption keys when the computer is left physically unattended".
Researchers from Princeton University, the Electronic Frontier Foundation and Wind River Systems found that a cold boot attack is possible because dynamic random access memory (DRAM) chips hold data for a long period of time after a computer is turned off. This is known as data remanence. The time it takes for data to fade from DRAM depends on the temperature around it. A temperature below -50 degrees Celsius can be reached with a simple spray such as a spray duster (shown below). Researchers found that at this temperature less than 1% of bits are erased, and the data remains in RAM for more than 10 minutes. If liquid nitrogen is used instead of a common spray, the temperature can be lowered to -196 degrees Celsius; at this temperature less than 0.17% of bits are erased, and the data remains in RAM for more than 1 hour.
How the Cold Boot Attack Works:
1) Freezing the DRAM: To perform a cold boot attack, as soon as the intruder has physical access to the computer, a spray such as a spray duster or liquid nitrogen is applied to the DRAM so that as little data as possible is erased.
2) Connecting the external disk: As soon as the RAM is frozen, an external disk is connected to the computer, and the intruder can proceed in one of several ways. The simplest is to reboot the system and run a small kernel from the external disk, from which the intruder can read the memory. The second is to cut the power, turn it back on, and run a kernel that prevents the operating system from overwriting the memory. The third is to cut the power, remove the RAM, and read it in a second computer the intruder already has, so the original operating system never gets the chance to overwrite the contents of the RAM.
3) Handling corrupted data: Despite cooling the RAM immediately after the power is cut, some data is still lost and the image contains errors. Algorithms exist that correct such errors in private and symmetric keys, producing a memory image with a very low error rate from which keys and other important data can be extracted. Even popular encryption mechanisms such as BitLocker, TrueCrypt and FileVault have failed to prevent a cold boot attack. Mac OS keeps the username and password in memory, where they can easily be disclosed by a cold boot attack.
Cold Boot Attack Tools:
1) RAM imaging tools: These tools take an image copy of the RAM. They can be stored on a USB stick or another disk and consist of small executables that copy the contents of the RAM.
2) Key scanning tools: These tools scan the RAM image to find the encryption keys hidden in it.
Prevention measures against the Cold Boot Attack:
1) Never leave your computer unattended. Make a habit of turning the computer off when using it in public places.
2) To perform a cold boot attack, an intruder needs to freeze the RAM so that the data remains in memory for longer. Since the attacker needs to reach the RAM, make the computer casing strong enough that getting to it takes time.
3) If the casing is strong, the intruder might try to apply liquid nitrogen through the casing ventilation. A proper aluminum coil can be wrapped over the RAM to shield it from the spray.
4) The intruder wants to stop the operating system from overwriting memory, and so loads a kernel of their own. To introduce a delay, one can enable BIOS memory testing on power-up, which is disabled by default in most computers; the test causes the BIOS to overwrite some of the data in RAM.
5) Encrypting random access memory (RAM) mitigates the possibility of an attacker obtaining encryption keys or other material from memory via a cold boot attack.
6) If a computer is properly shut down, most encryption keys are erased from memory and the encryption session is terminated. When a machine is shut down or loses power without the encryption session being terminated, for example on a sudden loss of power, data may remain readable for tens of seconds to several minutes depending on the physical RAM device in the machine. Ensuring that the computer is shut down whenever it might be stolen mitigates this risk.
7) Using long and multiple encryption keys mitigates the cold boot attack. With such keys, the key material fades faster once the machine is turned off, and it is harder for the intruder to read the keys.
8) Encryption keys and other important data can be kept in cache memory. RAM is a separate device that is easy to handle, whereas cache resides on the CPU and is hard to tamper with.
9) To make it harder for the intruder to obtain the encryption keys, the keys can be broken into multiple fragments.
10) Even with these precautions, the intruder can still perform a cold boot attack, since not every measure is feasible.
11) Even with multiple keys, it is not certain whether the important data lies in the exposed part.
12) If the keys are divided into multiple fragments, the owner also pays a penalty in decryption time.
13) The intruder has the option of moving the DRAM into another computer.
14) Even if the casing is made strong, the intruder has several ways to open it within seconds.
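Measures 6, 7 and 9 above come down to two coding practices: never keep the whole key contiguous in RAM for longer than it is needed, and wipe it explicitly rather than trusting a normal free() or shutdown path. The C program below is an added example written for this page, not code from the original post. It XOR-splits a constructed 32-byte sample key into fragments, rebuilds the key only inside a short use window, and scrubs it with a volatile-pointer wipe that the compiler cannot optimize away. The xorshift generator and the `sample_key` values are stand-ins so the example runs offline; real code would draw fragment material from the OS random source.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN   32   /* 256-bit key, e.g. an AES-256 key */
#define FRAGMENTS 4    /* number of XOR shares the key is held as */

/* Deterministic xorshift64 generator so the example runs offline. This is an
 * assumption for the demo only; real code would draw share material from the
 * OS random source (getrandom(), arc4random_buf(), BCryptGenRandom()). */
static uint64_t prng_state = 0x9E3779B97F4A7C15ULL;

static uint8_t prng_byte(void) {
    prng_state ^= prng_state << 13;
    prng_state ^= prng_state >> 7;
    prng_state ^= prng_state << 17;
    return (uint8_t)(prng_state & 0xFFu);
}

/* Constructed sample key (not a real key): bytes 0xA0, 0xA1, ..., 0xBF. */
void sample_key(uint8_t out[KEY_LEN]) {
    for (size_t i = 0; i < KEY_LEN; i++) out[i] = (uint8_t)(0xA0 + i);
}

/* Wipe through a volatile pointer so the compiler cannot drop the stores as
 * dead writes; the same idea as explicit_bzero() / memset_s(). */
void secure_zero(void *buf, size_t len) {
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) *p++ = 0;
}

/* Split the key into FRAGMENTS XOR shares: FRAGMENTS-1 are random, the last is
 * key XOR (all the others). Any FRAGMENTS-1 shares alone reveal nothing about
 * the key; every share must be recovered intact to rebuild it. */
void split_key(const uint8_t key[KEY_LEN], uint8_t frags[FRAGMENTS][KEY_LEN]) {
    for (size_t i = 0; i < KEY_LEN; i++) {
        uint8_t acc = key[i];
        for (int f = 0; f < FRAGMENTS - 1; f++) {
            frags[f][i] = prng_byte();
            acc ^= frags[f][i];
        }
        frags[FRAGMENTS - 1][i] = acc;
    }
}

/* Rebuild the key by XORing every share into out. The caller must
 * secure_zero(out) as soon as the key has been used. */
void combine_key(uint8_t frags[FRAGMENTS][KEY_LEN], uint8_t out[KEY_LEN]) {
    memset(out, 0, KEY_LEN);
    for (int f = 0; f < FRAGMENTS; f++)
        for (size_t i = 0; i < KEY_LEN; i++)
            out[i] ^= frags[f][i];
}

/* 1 if every byte of buf is zero; used to confirm a wipe really happened. */
int is_all_zero(const uint8_t *buf, size_t len) {
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

/* Full round trip: split, wipe the original, rebuild inside a short use
 * window, wipe the rebuilt copy. Returns 1 when every property holds. */
int demo_fragment_round_trip(void) {
    uint8_t key[KEY_LEN], expected[KEY_LEN], scratch[KEY_LEN];
    uint8_t frags[FRAGMENTS][KEY_LEN];

    sample_key(key);
    sample_key(expected);           /* reference copy for the check only */
    split_key(key, frags);
    secure_zero(key, KEY_LEN);      /* the contiguous key is no longer in RAM */

    combine_key(frags, scratch);    /* start of the use window */
    int rebuilt_ok = memcmp(scratch, expected, KEY_LEN) == 0;
    secure_zero(scratch, KEY_LEN);  /* end of the use window */

    int shares_differ = 1;          /* no single share equals the key */
    for (int f = 0; f < FRAGMENTS; f++)
        if (memcmp(frags[f], expected, KEY_LEN) == 0) shares_differ = 0;

    secure_zero(expected, KEY_LEN);
    return rebuilt_ok && shares_differ
        && is_all_zero(key, KEY_LEN) && is_all_zero(scratch, KEY_LEN);
}

int main(void) {
    printf("fragment round trip: %s\n",
           demo_fragment_round_trip() ? "ok" : "FAILED");
    return 0;
}
```

Fragmenting raises the work factor rather than removing the risk: an intruder now has to locate every share and recover all of them without a single bit error, while the owner pays the extra XOR work on each use (the decryption-time penalty noted in item 12). Nothing here helps if the machine is imaged while the rebuilt key sits in `scratch`, which is why the use window is kept as short as possible and closed with a wipe.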
Conclusion:
The cold boot attack is an attack in which encryption keys are extracted by means of a cold boot. To perform it, an intruder freezes the RAM of a computer using a chemical such as liquid nitrogen, which instantly lowers the temperature around the RAM. RAM can be thought of as a capacitor: if it is cooled, data stays in it for a longer period of time, and in the meantime the intruder can retrieve the encryption keys from it. There are various ways to reduce the risk of the attack; however, the intruder also has hundreds of ways to carry it out. The most important point to note is therefore to avoid storing classified or important data in DRAM.