Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Post on 16-Sep-2018

TRANSCRIPT

<ul>
<li><p>1/25</p><p>Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory</p><p>Bauer, Gruhn, Freiling</p><p>Universität Erlangen-Nürnberg</p><p>March 30th 2016</p></li>
<li><p>2/25</p><p>Preface</p>
<ul>
<li>"Lest We Remember": Halderman et al. 2009, alludes to Isaac Asimov's short story; protagonist achieves perfect memory by use of a drug</li>
<li>"Lest We Forget": alludes to Rudyard Kipling's poem "Recessional"; warns not to forget quickly</li>
<li>The point we're trying to make: cold boot attacks are still working even with modern memory technologies</li>
</ul></li>
<li><p>3/25</p><p>Forensic Memory Acquisition</p>
<ul>
<li>RAM contains lots of evidence of forensic interest (e.g. TLS session keys, FDE keys, evidence of resident rootkits, etc.)</li>
<li>A snapshot of RAM can be captured either in software (on a running system) or in hardware (on the same or a different system)</li>
<li>Both approaches have their distinctive use-cases in which they're applicable, both have up- and downsides</li>
</ul></li>
<li><p>4/25</p><p>Forensic Memory Acquisition</p>
<ul>
<li>Cold boot attack: hard reset of the system and booting into a minimal, memory-dumping OS, or transplanting the memory IC into a different PC</li>
<li>Gruhn/Müller 2013, On the Practicability of Cold Boot Attacks: "However, we also point out that we could not reproduce cold boot attacks against modern DDR3 chips."</li>
</ul></li>
<li><p>5/25</p><p>What is RAM?</p>
<ul>
<li>RAM refers to memory which
<ul>
<li>has low latency (typ. 5-20 ns range)</li>
<li>provides great bandwidth (typ. 10-50 GB/s)</li>
<li>is usually volatile</li>
</ul></li>
<li>There are a lot of different technologies</li>
<li>We focus on SDRAM that is widely used in computers today: DDR3</li>
<li>DDR3 uses capacitor-based bit storage</li>
</ul></li>
<li><p>6/25</p><p>DDR2 vs. DDR3</p>
<ul>
<li>DDR2 and DDR3 are very similar technologies</li>
<li>Roughly speaking, DDR3 provides greater throughput at the cost of higher latency</li>
<li>This is achieved by doubling the minimum burst length of a memory transaction</li>
<li>With increasing speed, managing the required charging/discharging of cells becomes increasingly difficult</li>
</ul></li>
<li><p>7/25</p><p>DDR3 approach</p>
<ul>
<li>The MCH (component in the CPU that talks directly to RAM) was therefore improved by Intel starting with DDR3 generations</li>
<li>Basic idea: XOR the datastream with a PRNG pattern (that's called scrambling or whitening)</li>
<li>Result: a stored bitstream in which statistically half of the bits are set and half are cleared</li>
<li>i.e. always the average case, mitigating the dI/dt peaks</li>
<li>Hamming weight of data in memory is statistically zero-sum (i.e. free of bit bias)</li>
</ul></li>
<li><p>8/25</p><p>The R in RAM</p>
<ul>
<li>To be able to still randomly access memory, the scrambler unit needs to be able to seek to parts of the PRNG stream</li>
<li>Intel approach: use LFSRs, parametrize the LFSRs with a seed value that easily allows jumping to an arbitrary location</li>
<li>No performance penalty by scrambler</li>
<li>Rough explanation in the Intel patent on that subject</li>
</ul></li>
<li><p>9/25</p><p>Schematically</p><p>[Figure: block diagram. Labels: Memory Controller Hub (within CPU), scrambler, descrambler, LFSR, seed, address, data, write request, read request, memory bus, DDR3 Memory Chip]</p></li>
<li><p>10/25</p><p>Implications</p>
<ul>
<li>If you use a DDR3 system to capture RAM content, you'll only ever see scrambled images</li>
<li>In fact, those images will have been scrambled twice (once by the scrambler and then again by the descrambler)</li>
<li>One of our approaches therefore looked at differential images</li>
</ul></li>
<li><p>11/25</p><p>Towards descrambling</p>
<ul>
<li>The Intel patent is vague and encompasses a lot of different technologies</li>
<li>Which one is actually used is not described (i.e. how many parallel LFSRs, which bit length, which bit order, etc.)</li>
<li>Docs are unavailable (to us), only a few lines of reverse-engineered CoreBoot code are available</li>
</ul></li>
<li><p>12/25</p><p>Reprogramming the scrambler</p>
<ul>
<li>The BIOS is usually stored on Flash (approx. 100 ns to read a single byte at 80 MHz)</li>
<li>Therefore, RAM initialization happens very early during boot</li>
<li>In fact, it's one of the first things the BIOS does so it can relocate itself from Flash to DRAM</li>
<li>We have good reason to believe that reprogramming the scrambler with an active RAM channel is disallowed by hardware (as it should be)</li>
<li>This makes probing within the system and hacking code difficult</li>
</ul></li>
<li><p>13/25</p><p>Looking at dumped ground-state memory</p></li>
<li><p>14/25</p><p>Ground state problem</p>
<ul>
<li>The ground pattern of a memory chip is undefined</li>
<li>It tends to correlate, however, with its physical construction (i.e. if cells are biased against Vcc or GND)</li>
<li>It is therefore difficult to extract the stream cipher key crumbs (because the plaintext varies)</li>
</ul></li>
<li><p>15/25</p><p>Placing Mona Lisa in that spot</p></li>
<li><p>16/25</p><p>Use freeze spray</p></li>
<li><p>17/25</p><p>First cold-boot Lisa memdump (-30 °C)</p></li>
<li><p>18/25</p><p>Mona Lisa memdump</p>
<ul>
<li>It's clearly visible that the information survived the reboot (i.e. no clearing of the memory was performed during initialization)</li>
<li>And we additionally know the plaintext</li>
<li>But if we didn't, we could first try to descramble it with a related-key approach</li>
</ul></li>
<li><p>19/25</p><p>Using related-key descrambling</p></li>
<li><p>20/25</p><p>Systematic approach</p>
<ul>
<li>XORing the memdump with the original image gives us an approximation of the PRNG stream</li>
<li>We partition this PRNG stream in chunks of different length (spoiler: 64 bytes)</li>
<li>And try to group them together in groups which have many bits matching (because of acquisition errors)</li>
<li>Then do majority voting on the key bits (most in agreement likely to be correct)</li>
</ul></li>
<li><p>21/25</p><p>Systematic approach</p>
<ul>
<li>This allows us to extract the two 64-byte keys (one for each memory channel)</li>
<li>With deinterleaving (which we also describe in the paper) the image can now successfully be descrambled</li>
<li>By utilizing the LFSR construction and congruencies which we noticed within the keystream, we reduce that known plaintext from 128 bytes to just 50 bytes</li>
</ul></li>
<li><p>22/25</p><p>Final result</p></li>
<li><p>23/25</p><p>Overt observations</p>
<ul>
<li>The obvious observation is that we can descramble transplanted memory using the described method and with 50 bytes of known plaintext</li>
<li>A side note should be that capturing DDR3 snapshots is much more difficult than with DDR2 memory (much higher bit decay)</li>
<li>It was more difficult than we imagined to get accurate results</li>
</ul></li>
<li><p>24/25</p><p>Covert observation</p>
<ul>
<li>Thinking out loud: Intel implemented this to mitigate the detrimental effects of dI/dt peaks</li>
<li>If you know the scrambler stream, however, it is still perfectly possible to force such peaks</li>
<li>Fill a buffer with the keystream, invert it repeatedly.</li>
<li>Could this possibly lead to memory corruption attacks like rowhammer introduced? Not sure, but surely tempting.</li>
</ul></li>
<li><p>25/25</p><p>Are there any... ...questions?</p><p>Outline:</p>
<ul>
<li>Introduction: Random Access Memory, Caveats</li>
<li>Experiments: Mona Lisa Memdump, Conclusions</li>
</ul></li>
</ul>
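<p>The chunk, group and majority-vote procedure from the two "Systematic approach" slides, as an added example on constructed data (not the authors' code). The function names, the 96-bit grouping threshold, the strict alternation of 64-byte chunks between the two channels and the symmetric bit-flip error model are assumptions made for this simulation; the deinterleaving and the 50-byte reduction from the paper are not modelled.</p>

```python
import random

CHUNK = 64  # chunk length the slides report for the keystream

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hamming(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def recover_keys(dump, known, max_dist=96):
    """Return [(key, votes)] recovered from a noisy dump of known plaintext."""
    stream = xor(dump, known)  # approximation of the PRNG stream
    chunks = [stream[i:i + CHUNK] for i in range(0, len(stream) - CHUNK + 1, CHUNK)]
    groups = []  # chunks within max_dist bits of a group's first member (assumed threshold)
    for c in chunks:
        for g in groups:
            if hamming(c, g[0]) <= max_dist:
                g.append(c)
                break
        else:
            groups.append([c])
    keys = []
    for g in sorted(groups, key=len, reverse=True):
        key = bytearray(CHUNK)
        for bit in range(CHUNK * 8):  # majority vote on every key bit
            ones = sum((c[bit // 8] >> (bit % 8)) & 1 for c in g)
            if 2 * ones > len(g):
                key[bit // 8] |= 1 << (bit % 8)
        keys.append((bytes(key), len(g)))
    return keys

def simulate(n_chunks=200, flip_rate=0.03, seed=1):
    """Constructed data: two random keys, alternating chunks, random bit flips."""
    rng = random.Random(seed)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    key_a, key_b, known = rand(CHUNK), rand(CHUNK), rand(n_chunks * CHUNK)
    keystream = b"".join((key_a, key_b)[i % 2] for i in range(n_chunks))
    dump = bytearray(xor(known, keystream))
    for i in range(len(dump) * 8):  # acquisition errors (assumed symmetric)
        if rng.random() < flip_rate:
            dump[i // 8] ^= 1 << (i % 8)
    return bytes(dump), known, key_a, key_b

if __name__ == "__main__":
    dump, known, key_a, key_b = simulate()
    for key, votes in recover_keys(dump, known):
        print(votes, "chunks ->", key[:8].hex(), "...", key in (key_a, key_b))
```

<p>With a 3% flip rate, chunks scrambled with the same key differ in roughly 30 of 512 bits, while chunks from different keys differ in roughly 256, which is why a coarse threshold separates the two groups cleanly before voting.</p>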