Cold Boot Attack 2023
In this article we will learn about Cold Boot Attack.
Introduction to Cold Boot Attack:
Although many believe that a computer’s memory is erased when it loses power and therefore there is no information at risk, this assumption is incorrect. The DRAM memories used in most modern operating systems today can gradually lose their contents over time. When keeping the DRAM at a lower room temperature, say -50 degrees C, the contents of the DRAM can last for several minutes to even hours. This property of DRAM chips can play a destructive role and can lead to the compromise of sensitive cryptographic materials such as cryptographic keys.
What is a cold shoe attack?
A cold boot attack is a type of attack in which the computer’s power is turned off and on without properly shutting down the operating system. DRAM cells used in most operating systems today can retain data due to their data remanence property, and thus sensitive cryptographic material stored in a DRAM cell can be stolen.
In order for any software to perform encryption, the software must load the encryption keys into the system’s main memory before being executed by the processor. So, to get the encryption keys, you just need to load the contents of the computer’s main memory. So what made DRAM retain content? A DRAM cell is essentially a capacitor. Each cell encodes a capacitor lead with a 0 or 1 bit. At room temperature, the cell can lose this material very quickly, even under the attack of cold shoes.
Experiments have revealed that if the cell is kept at a lower room temperature under a cold start attack, the DRAM cell can retain the cell value for a longer period of time. The decay pattern of a DRAM cell can also be predicted at a fixed room temperature. After preserving the state of the main memory, when the system reboots, the BIOS usually overwrites a small portion of the memory. Therefore, during boot-up, it is necessary to save the contents of the memory to an external medium, such as a USB device, which can boot the computer externally.
Understanding the virtual address space
Before delving further into the nature of this attack, it is important for us to understand the memory management of a particular operating system. This article will consider the memory management of a 32-bit Windows operating system.
Whenever a processor performs a read or write operation, it uses a virtual address. The virtual address is translated back to a physical address using a page table that acts as a memory index. The virtual address of a 32-bit Windows operating system has a size of 4 GB and is divided into 2 partitions. These 2 partitions are called user mode and kernel mode.
User mode
In this mode, the execution code of the process does not have access to the underlying hardware. To access the underlying hardware and memory, a process in this mode references system APIs to make calls. User mode also does not have access to kernel mode space. This mode can be adjusted in the OS according to needs.
Kernel mode
In kernel mode, the execution code of a process has full access to the underlying hardware. Processes running in kernel mode have good access to user mode space. The lower-level functions of the operating system run in kernel mode, and any CPU instruction can be executed in kernel mode space. A crash in kernel mode usually crashes the entire system.
Reducing the search scope in the virtual address space
If we analyze the entire memory that is stored in the boot device, it will be very difficult to get relevant and accurate material from it, because the memory usually contains gigabytes of data. So we should limit the scope of the main memory search so that it is easy to get the cryptographic keys from the main memory.
Cryptographic keys are located in the kernel mode space of the virtual address space, but before we get into the details, let’s first look at the concept of a page file. The page file is the space into which, if we run out of RAM, our system moves the least recently used pages from memory. For example, let’s say a user has opened multiple applications in the system and after some time the user has minimized some applications. If active applications need more RAM, the system moves the minimized applications to the pagefile.sys file in the root of the drives to make more RAM available for running applications. This paging.sys file is encrypted by default.
Going back to our virtual address space scaling scenario, we removed user mode, and outside of kernel mode we can also remove the page allocated as a pool for paged content, as this space is encrypted and will result in more computation to extract keys from this space for the supplier itself. So we are left with a non-paged memory pool of kernel mode space where cryptographic keys are most likely to be present.
Key identification
After storing the memory in an external device or after moving the entire DIMM, identifying the keys in the memory is the most important and difficult task. A simple approach to identify keys in memory is to test each byte sequence or check that this block of bits can be used to decrypt any plaintext, and you should also make sure that the error bit rate is covered, as a small error rate in the bit sequence can lead to failure.
Best practices
Below are other best practices that should be practiced as countermeasures to prevent this type of attack.
Key storage
The memory in which the keys are stored should be overwritten when the resident keys are no longer in use, and the keys should be protected from being paged to disk. Systems should also be configured to clear RAM before booting using techniques such as Power-On-Self-Test (POST). Local memory display will not be possible with POST.
Booting from removable media
This type of attack can be controlled by controlling or limiting the type of device that the computer can boot from, as this attack is mostly supported by booting from removable media. Computers can be configured to require an administrator password to boot from these resources.
Nice system shutdown
Systems should be shut down properly and machine re-awakening should be password protected. The chosen password must be strong and resistant to a password guessing attack. The system can also be set to encrypt only those pages or areas that contain encryption keys.
Physical security
The POST mentioned above can only protect the memory display from locally installed software, but cannot protect if an attacker could physically move the memory chips from one system to another. DRAM chips should have limited physical access. The DRAM chips should be placed inside the machine and the machine should be locked. Active sensor systems should be deployed to respond to low temperatures or opening the computer case by attempting to overwrite the memory.
Key reconstruction
Another defense mechanism that can be used to prevent this type of attack is to transform the key so that it is difficult to reconstruct the key. Keys should be recalculated when used and deleted immediately after use.
Avoid key precomputation
Key precomputation certainly helps improve performance, but it leads to storage of key information that can be used to reconstruct keys. Therefore, pre-computation of keys should be avoided.
Related article:Ethical Hacking Interview Questions 2023
Trusted Platform Module
The Trusted Platform module used in most computers today can be used to decide whether it is safe to store a key in RAM or not. It can thus restrict software from using keys from RAM and also protect keys from being loaded into memory itself.
References for Cold Boot Attack
- http://msdn.microsoft.com/en-us/library/windows/hardware/hh439648(v=vs.85).aspx
- http://citpsite.s3-website-us-east-1.amazonaws.com/oldsite-htdocs/pub/coldboot.pdf
- http://cryptome.org/0003/RAMisKey.pdf
