___________________________________________________________________
Show HN: Simple demo of a cold boot attack using a Raspberry Pi
Author : anfractuosity
Score : 78 points
Date : 2024-02-03 17:03 UTC (5 hours ago)
| alana314 wrote:
| I'd never even heard of cold boot attacks. Is there any
| prevention of this?
| anfractuosity wrote:
| I believe both recent Intel and AMD processors enable you to
| encrypt memory, such as Intel Total Memory Encryption.
| dist-epoch wrote:
| That is correct, AMD Zen4 (Ryzen 7000) supports transparent
| full memory encryption. It also supports more granular memory
| encryption, for example to prevent the host accessing VM
| guest memory.
| Wool2662 wrote:
| Yes, control physical access to the hardware. You can also
| achieve some mitigation by using encrypted ram.
| bri3d wrote:
| * Hardware memory encryption / bus encryption. If implemented
| correctly, keys never touch RAM and will be discarded instantly
| across any power disruption.
|
| * Control physical access: don't allow an attacker access to
| the DRAM chips.
|
| * Control logical access: use trusted boot systems which don't
| allow an attacker to dump arbitrary memory, combined with
| physical access control so they can't directly address memory
| externally.
| Cheer2171 wrote:
| It is important to note they could access an image in the memory
| up to 0.75 seconds after cutting power, but after 1.0 seconds
| everything had completely decayed. This sounds less like a "cold
| boot" attack and more like the residual power is still flowing on
| the substrate for 0.75 seconds.
| anfractuosity wrote:
| I wasn't able to automate the use of the freeze spray alas, but
| I believe that did let me access data after more significant
| durations.
|
| With the freeze spray I did also manage to unplug the power
| cable completely and switch SD cards manually.
|
| Edit: In "Cold Boot Attacks are Still Hot: Security Analysis of
| Memory Scramblers in Modern Processors" they say "To assess the
| feasibility of cold boot attacks on today's denser and smaller
| components, we measured the retention time of five DDR3 and two
| DDR4 modules from various manufacturers. At normal operating
| temperatures, a significant fraction of the data is lost within
| 3 seconds of losing power."
|
| The Pi 4 I used makes use of DDR4 from what I recall.
| yonatan8070 wrote:
| What results would you expect to get if you simply put the
| whole setup in a regular freezer? Or if you just tried it
| during winter?
| anfractuosity wrote:
| It sounds like a typical freezer cools to around -20C. I
| think the freezer spray I used directly on the DDR chip claims
| to chill to around -50C, but I'm not sure how much the surface
| temperature decreases after spraying and how fast it warms
| up again.
| NavinF wrote:
| 0.75 seconds without cooling.
|
| I would not expect "residual power" to last for 0.75 seconds.
| Even if it did, RAM has to actively be refreshed by the memory
| controller. (DDR self-refresh is only enabled during sleep and
| I dunno if the Pi even supports that)
| yonatan8070 wrote:
| It would be interesting to do this with different delays to see
| how the noise level increases as the delay increases. Then, once
| you have a bunch of images recovered, make an animation of the
| image getting more and more noisy as the time increases. It would
| also be interesting to compare the results for different ambient
| temperatures: how much more feasible would this be during January
| in Norway vs August in Texas?
| anfractuosity wrote:
| That's something they did in one of the original papers - "Lest
| We Remember: Cold Boot Attacks on Encryption Keys" by Halderman
| et al, with an earlier version of DDR; I think it was DDR2.
|
| It's something I'd like to try too. Good point re. the
| temperature also, I bought a PT100 temperature probe I need to
| use to measure the surface temperature of the RAM chip too.
| RecycledEle wrote:
| I hope this leads to NVRAM one day.
| badrabbit wrote:
| Nice work. There is TME for Intel; does anyone know its
| implementation state and if something similar exists for ARM?
| https://www.intel.com/content/www/us/en/developer/articles/n...
| oskarw85 wrote:
| It's nice to recover an image but encryption keys are not that.
| One bit flip and it's game over. This experiment is more useful
| for human-readable document forensics than anything else.
| PrimeMcFly wrote:
| A passphrase is much shorter than a key and may be in memory
| multiple times.
| dist-epoch wrote:
| If from a 128 bit key 120 are correct, it's trivial to figure
| out the others, even if you don't know which bits are the
| flipped ones.
|
| Cryptographers worry even when a few key bits are leaked.
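The key-space arithmetic behind dist-epoch's point, as an added worked example that is not part of the thread or the linked project: it counts how many candidate keys remain when at most d bits of a recovered n-bit key are wrong but their positions are unknown, converts that to an effective security level, and estimates how likely such a bound is to hold for a given per-bit decay rate. The 128-bit key length and the independent-bit-error model are assumptions for illustration.

```python
import math

# Assumed for the illustration: an AES-128 key, the size discussed above.
KEY_BITS = 128


def candidate_keys(n_bits: int, max_flips: int) -> int:
    """Number of keys within Hamming distance max_flips of a recovered
    n_bits-bit key: the search space left when at most max_flips bits
    are wrong but it is not known which ones."""
    return sum(math.comb(n_bits, i) for i in range(max_flips + 1))


def effective_security_bits(n_bits: int, max_flips: int) -> float:
    """log2 of the remaining search space, i.e. how much of the key's
    nominal strength survives a partially decayed memory image."""
    return math.log2(candidate_keys(n_bits, max_flips))


def prob_at_most_flips(n_bits: int, max_flips: int, bit_error_rate: float) -> float:
    """Binomial probability that a decayed n_bits-bit key has at most
    max_flips wrong bits, assuming independent per-bit errors at the
    given rate. This is a simplification: real DRAM decay is biased
    towards the ground state and clustered, so treat it as a rough
    estimate of the risk, not a measurement."""
    p = bit_error_rate
    return sum(
        math.comb(n_bits, i) * p ** i * (1.0 - p) ** (n_bits - i)
        for i in range(max_flips + 1)
    )


if __name__ == "__main__":
    # Eight wrong bits out of 128 (the "120 of 128 correct" case above)
    # leave a search space of roughly 2^40 keys, far below 2^128.
    for flips in (0, 1, 4, 8):
        print(
            f"<= {flips} unknown flipped bits: {candidate_keys(KEY_BITS, flips):>16,d}"
            f" candidates, ~{effective_security_bits(KEY_BITS, flips):.1f} bits of work"
        )
    # Constructed decay rate of 1% per bit: how often is the 8-flip bound met?
    print(f"P(<= 8 flips at 1% decay) = {prob_at_most_flips(KEY_BITS, 8, 0.01):.6f}")
```

A brute-force over that 2^40 space still needs a way to recognise the right key, such as a known plaintext/ciphertext pair, which is why wiping key material before any power loss matters more than the exact decay numbers.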
| orlp wrote:
| Alright, let's test this hypothesis. Load up a bitcoin wallet
| and post the private key here with 1 random bit flip :)
| mjg59 wrote:
| This is mitigated by a Trusted Computing Group feature - at boot,
| the OS sets a non-volatile flag, and clears it again on clean
| shutdown after wiping any sensitive material from RAM. If the
| system boots with the flag set then the firmware wipes the RAM
| before booting anything. This doesn't protect you against someone
| pulling the RAM out of the system and dumping it there, but
| that's a much harder attack.
___________________________________________________________________