A new twist on the old cold boot attack leaves most systems vulnerable




Footprints in the snow.

F-Secure researchers have revived cold boot attacks, which are used to extract sensitive data such as encryption keys and passwords from system memory. First documented in 2008, cold boot attacks rely on RAM's ability to retain its contents even after the system is rebooted. In response, systems were modified to clear their memory early in the boot process, but F-Secure found that on many PCs, altering a firmware setting lets an attacker skip that wipe.

The main memory of a typical PC is, more precisely, Dynamic RAM (DRAM). The "dynamic" contrasts with the other major type of RAM, static RAM (SRAM), which is used for the caches inside the processor. SRAM retains its stored values for as long as the chip is powered: once a value is stored, it stays put until a new value is written or the power is removed. It does not change on its own, hence "static". Each bit of SRAM generally requires six or eight transistors; it is very fast, but the high transistor count makes it bulky, which is why it is used only for small caches.

DRAM, meanwhile, is much smaller per bit, using only a single transistor paired with a capacitor. Those capacitors lose their stored charge over time; once a capacitor has drained, the DRAM no longer holds the value it was supposed to. To cope with this, DRAM is refreshed many times per second, topping up the capacitors and rewriting the stored values. This rewriting is what makes DRAM "dynamic". It is not just power that DRAM needs to keep its contents; the refreshes must happen too.

But this refreshing is double-edged. Memory is typically refreshed every 64 milliseconds, with individual DRAM cells designed to retain their value for at least that long under normal operating conditions. Outside normal operating conditions, the picture changes. At high temperatures, memory must be refreshed more often. Cool the DRAM and it can be refreshed less often. Cool it enough and it can go tens of seconds between refreshes.

This finding formed the basis of the 2008 cold boot attack: the memory of a victim system is chilled to -50 °C, then the machine is abruptly powered off without an orderly operating system shutdown. The frozen memory can then be moved into another machine equipped with software to read it, or the machine can be rebooted into a different operating system that reads the frozen memory in the same way and writes its contents to disk.

Industry response

The industry's response to this attack was to have the system erase memory early in the boot process. This does nothing against someone who moves the chips to another machine, but on systems with soldered memory it should protect against rebooting into another operating system and dumping memory that way: by the time that operating system loads, the memory has already been erased, leaving nothing to dump.

But alas, nothing in the PC world is simple. Naively, one might think this could be achieved simply by having the machine's firmware or processor automatically erase memory every time the system boots. For no obvious reason, that is not the solution the PC industry chose.

Instead, the solution is somewhat more complex: the operating system sets a special value (the "Memory Overwrite Request", MOR) in nonvolatile firmware storage that specifies whether or not a memory wipe should take place. At startup, the firmware sets the value to indicate that a wipe should happen on the next boot. The operating system can, however, clear the value to cancel the wipe once it has made sure that it has already overwritten the sensitive values in RAM. That skips the wipe on the following boot; the firmware then sets the value again and the cycle continues.

This way, if the operating system is stopped without a clean shutdown (as happens during a cold boot attack), the MOR still indicates that a wipe is needed. So booting into another operating system always forces the memory to be overwritten first.

Cold boot, rebooted

The new attack takes advantage of this design in a way that seems rather obvious in hindsight: overwrite the MOR to cancel the memory wipe, then perform a cold boot attack as normal. The system boots, sees that it should not clear memory, then loads the attacker's operating system, which can dump the memory, including any encryption keys and other secrets it contains.

(Image: Step 2 is what sets it apart from a traditional cold boot attack.)

F-Secure's researchers say the attack works against typical corporate laptops. In response, Microsoft has updated its BitLocker configuration recommendations to require a BitLocker PIN at boot and to disable system sleep (allowing only hibernation, which still removes the encryption keys from memory). Apple says its systems equipped with its T2 security chip are not affected because they do not store any secrets in main memory. Beyond that, however, the researchers say there is no obvious fix for the problem.

The original specification does not seem blind to this problem either. It says that the value used to decide whether a memory wipe should occur should be integrity-protected, so that attackers cannot modify it and cancel the overwrite. The success of the attacks suggests that this integrity protection is either not implemented or not sufficient to keep attackers out.
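To make the MOR cycle described above and the integrity protection the specification asks for concrete, here is an added toy simulation; it is not code from F-Secure, Microsoft or the specification. The dict-backed NVRAM, the HMAC tag and the firmware-only key are assumptions of the model, not how any real firmware stores the flag; the simulation shows that a fail-closed firmware check on an authenticated MOR value wipes memory even when the flag has been overwritten.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

WIPE, SKIP = 1, 0  # MOR values: wipe memory on next boot / skip the wipe


@dataclass
class Machine:
    """Toy PC: RAM holds secrets, NVRAM holds the MOR flag (constructed model)."""
    ram: dict = field(default_factory=dict)
    nvram: dict = field(default_factory=lambda: {"MOR": WIPE})
    # Hypothetical key known only to firmware, used to authenticate the MOR value.
    fw_key: bytes = field(default_factory=lambda: os.urandom(32))
    protect_mor: bool = False  # False models the systems F-Secure found vulnerable

    def _tag(self, value: int) -> bytes:
        return hmac.new(self.fw_key, bytes([value]), hashlib.sha256).digest()

    def fw_set_mor(self, value: int) -> None:
        """Firmware-side write of MOR; the OS clears the flag through this path."""
        self.nvram["MOR"] = value
        if self.protect_mor:
            self.nvram["MOR_TAG"] = self._tag(value)

    def os_clean_shutdown(self) -> None:
        self.ram.clear()       # OS overwrites its own secrets...
        self.fw_set_mor(SKIP)  # ...so it may tell firmware to skip the wipe

    def firmware_boot(self) -> bool:
        """Early-boot MOR check. Returns True if firmware wiped RAM."""
        mor = self.nvram.get("MOR", WIPE)
        tampered = self.protect_mor and not hmac.compare_digest(
            self.nvram.get("MOR_TAG", b""), self._tag(mor))
        wipe = mor == WIPE or tampered  # fail closed: unverifiable flag means wipe
        if wipe:
            self.ram.clear()
        self.fw_set_mor(WIPE)  # re-arm for the next boot
        return wipe


def secret_survives(protect_mor: bool, clean_shutdown: bool, tamper: bool) -> bool:
    """One power cycle; True if a secret is still in RAM when the next OS loads."""
    m = Machine(protect_mor=protect_mor)
    m.firmware_boot()
    m.ram["disk_key"] = "constructed-secret"  # e.g. a disk encryption key
    if clean_shutdown:
        m.os_clean_shutdown()
    if tamper:
        m.nvram["MOR"] = SKIP  # flag overwritten in storage, bypassing firmware
    m.firmware_boot()          # cold boot: chilled DRAM keeps whatever is left
    return "disk_key" in m.ram
```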

Why the memory wipe is designed this way is not immediately clear, and the specification does not offer much elucidation. The entire memory-wiping process is only meant to be activated when powering on a machine from the S4 or S5 power states (S4 is hibernation, where everything is off except the front-panel power button; S5 is "soft off", where again only the front-panel power button remains operational). In both cases it seems easy to always wipe memory; there should be no harm in doing so.

The only time you would not want to erase memory is when resuming from the S3 suspend state. In S3 suspend, the contents of DRAM are kept refreshed, but the CPU and most other system components are powered down. This gives a combination of fast resume and low power consumption. However, the specification already says that the firmware should not perform a memory wipe when exiting S3 suspend. In that scenario, the value of the MOR should not matter.
