Wednesday, October 29, 2008

My Own Worst Enemy "Butterfly"

In July 2008, a group of researchers from Princeton University released a paper describing a new technique that recovered encryption keys from volatile memory on a freshly rebooted laptop. This technique is now known as a cold boot attack. These findings went against a long-standing assumption that once power was cut to this type of memory, all data would be lost almost immediately.

Volatile memory, commonly known as RAM or Random Access Memory, is used by a computer to store data it needs temporarily for computational activities. Long term data storage is done with non-volatile memory, such as a hard drive or USB key fob. A frequent way to describe the difference between the two is to say that volatile memory loses its data when a computer is turned off, but non-volatile memory does not.

This distinction is often relied on when computer software is designed. For example, when an application stores passwords on a hard drive they are (hopefully) encrypted; when those passwords are moved into memory, they are typically stored in plain-text. It was generally assumed that this was a safe practice, and in defense of this type of thinking, encrypted data has to be decrypted at some point in time, and volatile memory is the safer place to store the plain-text.

To prevent attackers from grabbing passwords and other sensitive information from running memory, developers began clearing, or wiping, the areas of volatile memory that contained the sensitive data once it was no longer needed. Some operating systems also provide an additional level of protection by preventing other running applications from accessing the memory locations where the sensitive data resides.

The decrypt and wipe process works fairly well for applications that only need to use the password or key once at start up, or intermittently during user activity, but for high performance applications that need a password or cryptographic key for every transaction, it may not be feasible from a performance standpoint. One such application is full disk encryption.
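The decrypt and wipe pattern described above, as an added example that is not part of the original post. The XOR "decryption", the sample password and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Zero a buffer through a volatile pointer so the compiler does not discard
 * the stores as dead writes to memory that is never read again. */
void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

int is_wiped(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;                 /* 1 only if every byte is zero */
}

/* Assumption: XOR with a fixed mask stands in for real decryption. */
void toy_unprotect(const unsigned char *in, unsigned char *out, size_t len) {
    for (size_t i = 0; i < len; i++) out[i] = in[i] ^ 0x5A;
}

typedef int (*secret_user)(const unsigned char *secret, size_t len);
/* Decrypt into scratch, hand the plain text to `use`, then wipe scratch
 * before returning, whatever `use` reported. Returns -1 if it does not fit. */
int with_secret(const unsigned char *stored, size_t len,
                unsigned char *scratch, size_t cap, secret_user use) {
    if (len > cap) return -1;
    toy_unprotect(stored, scratch, len);
    int rc = use(scratch, len);
    secure_wipe(scratch, len);
    return rc;
}

/* Constructed sample: "hunter2" XORed with 0x5A, as it would sit on disk. */
static const unsigned char STORED[7] = {0x32, 0x2F, 0x34, 0x2E, 0x3F, 0x28, 0x68};
static int check_password(const unsigned char *s, size_t len) {
    return len == 7 && memcmp(s, "hunter2", 7) == 0;
}

/* Returns 1 when the callback saw the plain text and scratch is clean after. */
int demo_wipe_after_use(void) {
    unsigned char scratch[16];
    int ok = with_secret(STORED, sizeof STORED, scratch, sizeof scratch, check_password);
    return ok == 1 && is_wiped(scratch, sizeof STORED);
}

int main(void) {
    printf("used and wiped: %d\n", demo_wipe_after_use());
    return 0;
}
```

Where the platform provides one, a dedicated wiping routine such as `explicit_bzero` or C11's optional `memset_s` serves the same purpose as `secure_wipe` here.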

Modern hard drives are capable of transferring 80 or more megabytes of data per second, so you will see a pretty substantial performance decrease every time the operating system has to transfer encrypted data to or from the hard drive. If you have to decrypt and then wipe the encryption key every time you read or write data, you make these performance problems much worse.

To reduce this additional overhead, most whole disk encryption software loads the plain-text encryption keys into memory at startup and relies on the assumption that the key is erased when the computer is shut down or loses power. Which leads us back to the Princeton researchers.

What the researchers discovered is that volatile memory actually loses its data slowly and predictably over a time frame of a few seconds to a few minutes. This allows an attacker to cut power to a computer, reboot it with a specially designed operating system, and extract the encryption keys from memory before the data has time to fade away.

Additionally, they found that when the memory chips were cooled to -50 °C, there is more than enough time to remove the memory chip and read it on another computer or device. This can be accomplished by spraying the chip with an upside down canned-air spray duster, such as Dust-Off. For more advanced attackers, the chip can be cooled with liquid nitrogen to increase the decay time to a few hours.

The writers of this episode got most of their facts right, but in the first clip, the tech guy says that cooling the memory chips enables you to extract the keys, which is not correct because you can actually perform that attack without doing so.

The second clip shows one of the agents pulling a single cooled memory chip from a server and putting it into a device that extracts the encryption keys. In this scenario, the cooling would be important to give the agent time to remove the chip and install it in the second computer.

The problem I have with this scene is that, unlike laptops, servers usually have several memory chips to provide redundancy and additional capacity. Depending on how the server spreads the data out across the individual chips, pulling out only one chip, or pulling out one chip at a time, would probably not get you the encryption key. To make things worse, the agent pulls the chip out of what appears to be a running system, which would potentially introduce unpredictable errors into the memory and would likely cause a complete system failure unless the system had hot swappable memory.

Given the short period of time that the agent had, rebooting the server with the special operating system would be the only viable way to ensure that the keys were extracted.