lest we forget: cold-boot attacks on scrambled ddr3 memory ?· lest we forget: cold-boot attacks...

Download Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory ?· Lest We Forget: Cold-Boot Attacks on…

Post on 16-Sep-2018

212 views

Category:

Documents

0 download

Embed Size (px)

TRANSCRIPT

  • 1/25

    IntroductionExperiments

    Lest We Forget: Cold-Boot Attacks onScrambled DDR3 Memory

    Bauer, Gruhn, Freiling

    Universitt Erlangen-Nrnberg

    March 30th 2016

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 2/25

    IntroductionExperiments

    Random Access MemoryCaveats

    Preface

    I Lest we Remember: Halderman et al. 2009, alludes to IsaacAsimovs short story; protagonist achieves perfect memory byuse of a drug

    I Lest we Forget: alludes to Rudyard Kiplings poemRecessional; warns not to forget quickly

    I The point were trying to make: cold boot attacks are still workingeven with modern memory technologies

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 3/25

    IntroductionExperiments

    Random Access MemoryCaveats

    Forensic Memory Acquisition

    I RAM contains lots of evidence of forensic interest (e.g. TLSsession keys, FDE keys, evidence of resident rootkits, etc)

    I A snapshot of RAM can be captured either in software (on arunning system) or in hardware (on the same or a differentsystem)

    I Both approaches have their distincive use-cases in which theyreapplicable, both have up- and downsides

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 4/25

    IntroductionExperiments

    Random Access MemoryCaveats

    Forensic Memory Acquisition

    I Cold boot attack: Hard reset of the system and booting into aminimal, memory-dumping OS or transplanting the memory ICinto a different PC

    I Gruhn/Mller 2013, On the Practicability of Cold Boot Attacks:"However, we also point out that we could not reproduce coldboot attacks against modern DDR3 chips."

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 5/25

    IntroductionExperiments

    Random Access MemoryCaveats

    What is RAM?

    I RAM refers to memory whichI has low latency (typ. 5-20 ns range)I provides great bandwith (typ. 10-50 GB/s)I is usually volatile

    I There are a lot of different technologiesI We focus on SDRAM that is widely used in computers today:

    DDR3I DDR3 uses capacitor-based bit storage

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 6/25

    IntroductionExperiments

    Random Access MemoryCaveats

    DDR2 vs. DDR3

    I DDR2 and DDR3 are very similar technologiesI Roughly speaking, DDR3 provides greater throughput at the

    cost of higher latencyI This is achieved by doubling the minimum burst length of a

    memory transactionI With increasing speed, managing the required

    charging/dischaging of cells becomes increasingly difficult

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 7/25

    IntroductionExperiments

    Random Access MemoryCaveats

    DDR3 approach

    I The MCH (component in the CPU that talks directly to RAM) wastherefore improved by Intel starting with DDR3 generations

    I Basic idea: XOR the datastream with a PRNG pattern (thatscalled scrambling or whitening)

    I storage bitstream in which statistically half of the bits are setand half are cleared

    I i.e. always the average case, mitigating the dIdt peaksI Hamming-weight of data in memory is statistically zero-sum (i.e.

    free of bit bias)

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 8/25

    IntroductionExperiments

    Random Access MemoryCaveats

    The R in RAM

    I To be able to still randomly access memory, the scrambler unitneeds to be able to seek to parts of the PRNG stream

    I Intel approach: Use LFSRs, parametrize the LFSRs with a seedvalue that easily allows jumping to an arbitrary location

    I No performance penalty by scramblerI Rough explanation in the Intel patent on that subject

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 9/25

    IntroductionExperiments

    Random Access MemoryCaveats

    SchematicallyMemory Controller Hub (within CPU)

    DDR3Memory Chip

    data

    address

    seed

    LFSR

    write

    address

    LFSR

    data

    read

    scrambler

    descrambler

    memory bus

    writerequest

    readrequest

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 10/25

    IntroductionExperiments

    Random Access MemoryCaveats

    Implications

    I If you use a DDR3 system to capture RAM content, youll onlyever see scrambled images

    I In fact, those images will have been scrambled twice (once bythe scrambler and then again by the descrambler)

    I One of our approaches therefore looked at differential images

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 11/25

    IntroductionExperiments

    Random Access MemoryCaveats

    Towards descrambling

    I The Intel patent is vague and encompasses a lot of differenttechnologies

    I Which one is actually used is not described (i.e. how manyparallel LFSRs, which bitlength, which bit order, etc.)

    I Docs are unavailable (to us), only few lines ofreverse-engineered CoreBoot code available

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 12/25

    IntroductionExperiments

    Random Access MemoryCaveats

    Reprogramming the scrambler

    I The BIOS is usually stored on Flash, (approx. 100ns to read asingle byte at 80 MHz)

    I Therefore, RAM initialization happens very early during bootI In fact, its one of the first things the BIOS does so it can relocate

    itself from Flash to DRAMI We have good reason to believe that reprogramming the

    scrambler with an active RAM channel is disallowed by hardware(as it should be)

    I This makes probing within the system and hacking code difficult

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 13/25

    IntroductionExperiments

    Mona Lisa MemdumpConclusions

    Looking at dumped ground-state memory

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 14/25

    IntroductionExperiments

    Mona Lisa MemdumpConclusions

    Ground state problem

    I The ground pattern of a memory chip is undefinedI It tends to correlate, however, with its physical construction (i.e.

    if cells are biased against Vcc or GND)I It is therefore difficult to extract the stream cipher key crumbs

    (because the plaintext varies)

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 15/25

    IntroductionExperiments

    Mona Lisa MemdumpConclusions

    Placing Mona Lisa in that spot

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 16/25

    IntroductionExperiments

    Mona Lisa MemdumpConclusions

    Use freeze spray

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 17/25

    IntroductionExperiments

    Mona Lisa MemdumpConclusions

    First cold-boot Lisa memdump (-30C)

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 18/25

    IntroductionExperiments

    Mona Lisa MemdumpConclusions

    Mona Lisa memdump

    I Its clearly visible that the information survived the reboot (i.e. noclearing of the memory was performed during initialization)

    I And we additionly know the plaintextI But if we didnt, we could first try to descramble it with a

    related-key approach

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 19/25

    IntroductionExperiments

    Mona Lisa MemdumpConclusions

    Using related-key descrambling

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 20/25

    IntroductionExperiments

    Mona Lisa MemdumpConclusions

    Systematic approach

    I XORing the memdump with the original image gives us anapproximation of the PRNG steam

    I We partition this PRNG stream in chunks of different length(spoiler: 64 bytes)

    I And try to group them together in groups which have many bitsmatching (because of acquisition errors)

    I Then do majority voting on the key bits (most in agreement likelyto be correct)

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 21/25

    IntroductionExperiments

    Mona Lisa MemdumpConclusions

    Systematic approach

    I This allows us to extract the two 64-bytes keys (one for eachmemory channel)

    I With deinterleaving (which we also describe in the paper) theimage can now successfully be descrambled

    I By utilizing the LFSR construction and congruencies which wenoticed within the keysteam, we reduce that known plaintextfrom 128 bytes to just 50 bytes

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 22/25

    IntroductionExperiments

    Mona Lisa MemdumpConclusions

    Final result

    Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

  • 23/25

    IntroductionExperiments

    Mona Lisa MemdumpConclusions

    Overt observations

    I The obvious observation is that we can descramble transplantedmemory using the described method and with 50 bytes of knownplaintext

    I A side note should be that capturing DDR3 snapshots is muchmore difficult than with DDR2 memory (much higher bit decay)

    I It was more difficult than we imagined to get accur