Coldstart attacks, which are used to extract sensitive data such as encryption keys and password from system memory, have gained new blood from researchers from F-Secure. First documented in 2008, it's cold boot attacks depending on the ability of RAM to remember values even across system launches. In response, the systems were modified to wipe their memory early in the boot-up process ̵
The RAM on any commodity PC is called more specifically Dynamic RAM (DRAM). The "dynamic" here is in contrast to the second type of RAM (used for caches in the processor), static RAM (SRAM). SRAM retains its stored values as long as the chip is turned on; When the value is saved, it stays in the way that a new value is stored or the power is removed. It does not change, thus "static". Each bit of SRAM typically needs six or eight transistors; It's very fast, but the high-transistor counter makes it heavy, and that's why it's only used for small caches.
DRAM, on the other hand, has a much smaller size per bit, and uses only one transistor paired with a capacitor. These capacitors lose their stored charge over time; When depleted, DRAM no longer retains the value it should remember. To handle this, DRAM is updated several times per second to fill up the capacitors and rewrite the values stored. This rewrite is what makes DRAM "dynamic". It is not just the power that must be maintained for DRAM; The update must also take place.
But the refreshing is the double edge. Memory is usually updated every 64 milliseconds, with individual DRAM cells designed to maintain the value for at least as long under normal operating conditions. But beyond normal operating conditions, the situation changes. At high temperatures, memory must be updated more often. Cool the DRAM down and it needs to be updated less often. Cool it enough and it may take many seconds between updates.
This discovery forms the basis for the investigation and discovery of the Cold Star Attack in 2008: Memory from an offer system is cooled to -50 ° C, and then the machine is run abruptly without ending the operating system. This frozen memory can be inserted into another machine equipped with software to read the memory, or the computer can be restarted to another operating system that similarly reads the frozen memory and stores it on disk.
The industry's response to this attack was to make the system wipe memory early in the boot process. This does not help if someone wants to move the chips to another machine, but in systems with soldered memory, it must be protected against rebooting in another operating system and dumping memory that way: when different operating systems are loaded, the memory has already been deleted, something that can not be emptied.
But unfortunately nothing in the PC world is simple. Naively, one can think that this could be achieved by just wiping the machine's firmware or processor automatically each time the system was initialized. For no obvious reason, it is not the solution that the PC industry chose.
Instead, the solution is a little more complicated: the operating system would set a special value ("memory override request", MOR) in firmware's non-volatile storage that will specify whether or not the memory dryer should occur. At startup, the firmware indicates the value indicating that a drought should take place next startup. However, the operating system can remove the value to suppress the drought if it has guaranteed that it has already exceeded sensitive values in RAM. This skips the next boot. The firmware program then resets the value and the process continues.
In this way, if the operating system terminates without performing a clean shutdown (which is done in a cold boot attack), MOR will still indicate that a drought is required. So, boot in the alternative operating system will always force the memory to be overwritten first.
The new attack utilizes this design in a way that seems quite obvious: overwrite MOR to suppress the memory dryer, then perform a cold boot attack as normal. The system starts up, sees that it should not clear memory, then reloads the attacker's operating system and allows memory to be dumped, including all the encryption keys and other secrets contained in.
F-Secure researchers say that the attack is effective against typical laptop laptops. In response, Microsoft has updated its BitLocker configuration recommendations to require a BitLocker PIN to start and disable system suspension (allowing hibernation only, which deletes encryption keys from memory anyway). Apple says that its systems equipped with the T2 security chip are unaffected because they do not store secrets in the main memory at all. Beyond that, researchers say that there is no obvious solution to the problem.
The original description does not seem blind to this problem. It says that the value used to determine if a memory drowning should occur should be protected by privacy so as to prevent attackers from tampering with it and suppressing the headline. The success of the attacks suggests that this privacy protection either does not occur or is insufficient to protect against attackers anyway.
Why the memory dryer is designed in this way is not immediately clear and the specification does not give much lighting. The entire memory-drying process is only meant to be enabled when you turn on a machine from the S4 or S5 power states (S4 is "soft off", with everything turned off except for the front panel power button, the S5 is "hard" off "not even front panel power button in operation). It seems fair to always perform the memory pressure: there should be no pain in doing so.
The only time you do not want a memory is when you restore from S3 suspend status. At S3- Suspension, DRAM content is updated, but the CPU and most other system components are shut down. This provides the combination of fast power-up boot. However, the specification states that the firm will not ever perform memory dryers when leaving the S3 suspension state, so in this scenario, it should not be something that the MOR value is.