lest we forget: cold-boot attacks on scrambled ddr3 memory · lest we forget: cold-boot attacks on...

25
1/25 Introduction Experiments Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling Universität Erlangen-Nürnberg March 30th 2016 Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Upload: phamtuyen

Post on 16-Sep-2018

222 views

Category:

Documents


1 download

TRANSCRIPT

Page 1: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

1/25

IntroductionExperiments

Lest We Forget: Cold-Boot Attacks onScrambled DDR3 Memory

Bauer, Gruhn, Freiling

Universität Erlangen-Nürnberg

March 30th 2016

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 2: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

2/25

IntroductionExperiments

Random Access MemoryCaveats

Preface

I “Lest we Remember”: Halderman et al. 2009, alludes to IsaacAsimov’s short story; protagonist achieves perfect memory byuse of a drug

I “Lest we Forget”: alludes to Rudyard Kipling’s poem“Recessional”; warns not to forget quickly

I The point we’re trying to make: cold boot attacks are still workingeven with modern memory technologies

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 3: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

3/25

IntroductionExperiments

Random Access MemoryCaveats

Forensic Memory Acquisition

I RAM contains lots of evidence of forensic interest (e.g. TLSsession keys, FDE keys, evidence of resident rootkits, etc)

I A snapshot of RAM can be captured either in software (on arunning system) or in hardware (on the same or a differentsystem)

I Both approaches have their distincive use-cases in which they’reapplicable, both have up- and downsides

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 4: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

4/25

IntroductionExperiments

Random Access MemoryCaveats

Forensic Memory Acquisition

I Cold boot attack: Hard reset of the system and booting into aminimal, memory-dumping OS or transplanting the memory ICinto a different PC

I Gruhn/Müller 2013, On the Practicability of Cold Boot Attacks:"However, we also point out that we could not reproduce coldboot attacks against modern DDR3 chips."

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 5: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

5/25

IntroductionExperiments

Random Access MemoryCaveats

What is RAM?

I RAM refers to memory whichI has low latency (typ. 5-20 ns range)I provides great bandwith (typ. 10-50 GB/s)I is usually volatile

I There are a lot of different technologiesI We focus on SDRAM that is widely used in computers today:

DDR3I DDR3 uses capacitor-based bit storage

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 6: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

6/25

IntroductionExperiments

Random Access MemoryCaveats

DDR2 vs. DDR3

I DDR2 and DDR3 are very similar technologiesI Roughly speaking, DDR3 provides greater throughput at the

cost of higher latencyI This is achieved by doubling the minimum burst length of a

memory transactionI With increasing speed, managing the required

charging/dischaging of cells becomes increasingly difficult

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 7: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

7/25

IntroductionExperiments

Random Access MemoryCaveats

DDR3 approach

I The MCH (component in the CPU that talks directly to RAM) wastherefore improved by Intel starting with DDR3 generations

I Basic idea: XOR the datastream with a PRNG pattern (that’scalled scrambling or whitening)

I → storage bitstream in which statistically half of the bits are setand half are cleared

I i.e. always the average case, mitigating the dIdt peaks

I Hamming-weight of data in memory is statistically zero-sum (i.e.free of bit bias)

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 8: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

8/25

IntroductionExperiments

Random Access MemoryCaveats

The R in RAM

I To be able to still randomly access memory, the scrambler unitneeds to be able to seek to parts of the PRNG stream

I Intel approach: Use LFSRs, parametrize the LFSRs with a seedvalue that easily allows jumping to an arbitrary location

I → No performance penalty by scramblerI Rough explanation in the Intel patent on that subject

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 9: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

9/25

IntroductionExperiments

Random Access MemoryCaveats

SchematicallyMemory Controller Hub (within CPU)

DDR3Memory Chip

data

address

seed

LFSR

write

address

LFSR

data

read

scrambler

descrambler

memory bus

writerequest

readrequest

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 10: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

10/25

IntroductionExperiments

Random Access MemoryCaveats

Implications

I If you use a DDR3 system to capture RAM content, you’ll onlyever see scrambled images

I In fact, those images will have been scrambled twice (once bythe scrambler and then again by the descrambler)

I One of our approaches therefore looked at differential images

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 11: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

11/25

IntroductionExperiments

Random Access MemoryCaveats

Towards descrambling

I The Intel patent is vague and encompasses a lot of differenttechnologies

I Which one is actually used is not described (i.e. how manyparallel LFSRs, which bitlength, which bit order, etc.)

I Docs are unavailable (to us), only few lines ofreverse-engineered CoreBoot code available

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 12: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

12/25

IntroductionExperiments

Random Access MemoryCaveats

Reprogramming the scrambler

I The BIOS is usually stored on Flash, (approx. 100ns to read asingle byte at 80 MHz)

I Therefore, RAM initialization happens very early during bootI In fact, it’s one of the first things the BIOS does so it can relocate

itself from Flash to DRAMI We have good reason to believe that reprogramming the

scrambler with an active RAM channel is disallowed by hardware(as it should be)

I This makes probing within the system and hacking code difficult

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 13: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

13/25

IntroductionExperiments

Mona Lisa MemdumpConclusions

Looking at dumped ground-state memory

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 14: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

14/25

IntroductionExperiments

Mona Lisa MemdumpConclusions

Ground state problem

I The ground pattern of a memory chip is undefinedI It tends to correlate, however, with its physical construction (i.e.

if cells are biased against Vcc or GND)I It is therefore difficult to extract the stream cipher key crumbs

(because the plaintext varies)

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 15: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

15/25

IntroductionExperiments

Mona Lisa MemdumpConclusions

Placing Mona Lisa in that spot

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 16: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

16/25

IntroductionExperiments

Mona Lisa MemdumpConclusions

Use freeze spray

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 17: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

17/25

IntroductionExperiments

Mona Lisa MemdumpConclusions

First cold-boot Lisa memdump (-30◦C)

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 18: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

18/25

IntroductionExperiments

Mona Lisa MemdumpConclusions

Mona Lisa memdump

I It’s clearly visible that the information survived the reboot (i.e. noclearing of the memory was performed during initialization)

I And we additionly know the plaintextI But if we didn’t, we could first try to descramble it with a

related-key approach

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 19: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

19/25

IntroductionExperiments

Mona Lisa MemdumpConclusions

Using related-key descrambling

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 20: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

20/25

IntroductionExperiments

Mona Lisa MemdumpConclusions

Systematic approach

I XORing the memdump with the original image gives us anapproximation of the PRNG steam

I We partition this PRNG stream in chunks of different length(spoiler: 64 bytes)

I And try to group them together in groups which have many bitsmatching (because of acquisition errors)

I Then do majority voting on the key bits (most in agreement likelyto be correct)

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 21: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

21/25

IntroductionExperiments

Mona Lisa MemdumpConclusions

Systematic approach

I This allows us to extract the two 64-bytes keys (one for eachmemory channel)

I With deinterleaving (which we also describe in the paper) theimage can now successfully be descrambled

I By utilizing the LFSR construction and congruencies which wenoticed within the keysteam, we reduce that known plaintextfrom 128 bytes to just 50 bytes

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 22: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

22/25

IntroductionExperiments

Mona Lisa MemdumpConclusions

Final result

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 23: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

23/25

IntroductionExperiments

Mona Lisa MemdumpConclusions

Overt observations

I The obvious observation is that we can descramble transplantedmemory using the described method and with 50 bytes of knownplaintext

I A side note should be that capturing DDR3 snapshots is muchmore difficult than with DDR2 memory (much higher bit decay)

I It was more difficult than we imagined to get accurate results

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 24: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

24/25

IntroductionExperiments

Mona Lisa MemdumpConclusions

Covert observation

I Thinking out loud: Intel implemented this to mitigate thedetrimental effects of dI

dt peaksI If you know the scrambler stream, however, it is still perfectly

possible to force such peaksI Fill a buffer with the keystream, invert it repeatedly.I Could this possibly lead to memory corruption attacks like

rowhammer introduced? Not sure, but surely tempting.

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Page 25: Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory · Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory Bauer, Gruhn, Freiling ... Mona Lisa Memdump Conclusions First

25/25

IntroductionExperiments

Mona Lisa MemdumpConclusions

Are there any...

...questions?

Bauer, Gruhn, Freiling Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory