Cold boot attack
In cryptography, a cold boot attack (or to a lesser extent, a platform reset attack) is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine from a completely "off" state. The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents which remain readable in the seconds to minutes after power has been removed.
Description
To execute the attack, the machine is cold-booted. Cold-booted refers to when the power is cycled “off” and then “on” without letting the computer shut down cleanly, or, if available, the “reset” button on the computer is pressed. A light-weight operating system is then immediately booted (e.g. from a USB flash drive), and the contents of pre-boot memory dumped to a file. Alternatively, the memory modules are removed from the original system and quickly placed in another machine under the attacker's control, which is then booted to access the memory. Further analysis can then be performed against the information that was retrieved from memory to find the sensitive keys contained in it (automated tools are now available to perform this task).
The attack has been demonstrated to be effective against full disk encryption schemes of various vendors and operating systems, even where a Trusted Platform Module (TPM) secure cryptoprocessor is used. This is because the problem is fundamentally a hardware (insecure memory) and not a software issue. While the focus of current research is on disk encryption, any sensitive data held in memory are vulnerable to the attack.
The time window for an attack can be extended to hours by cooling the memory modules. Furthermore, as the bits disappear in memory over time, they can be reconstructed, as they fade away in a predictable manner. In the case of disk encryption applications that can be configured to allow the operating system to boot without a pre-boot PIN being entered or a hardware key being present (e.g. BitLocker in a simple configuration that uses a TPM without a two-factor authentication PIN or USB key), the time frame for the attack is not limited at all:
This is not the only attack that allows encryption keys to be read from memory; for example, a DMA attack allows physical memory to be accessed via a 1394 DMA channel. Microsoft recommends changes to the default Windows configuration to prevent this if it is a concern.
Dismounting encrypted disks
Most disk encryption systems overwrite their cached encryption keys as encrypted disks are dismounted. Therefore, ensuring that all encrypted disks are dismounted (secured) when the computer is in a position where it may be stolen may eliminate this risk, and also represents best practice.
Advanced encryption modes
The default configuration for BitLocker uses a TPM without a boot PIN or external key. In this configuration, the disk encryption key is retrieved from the TPM transparently during the operating system startup sequence without any user interaction. Consequently, the cold boot attack can still be executed against a machine with this configuration, even where it is turned off and seemingly safely secured with its keys in the TPM only, as the machine can simply be turned on before starting the attack.
Two-factor authentication, such as a pre-boot PIN and/or a removable USB device containing a startup key together with a TPM, can be used to work around this vulnerability in the default BitLocker implementation. In this mode, a PIN or startup key is required when turning the machine on or when waking from hibernation mode (a power off mode). The result is that once the computer has been turned off for a few minutes, the data in RAM will no longer be accessible without a secret key; the attack can only be completed if the device is obtained while still powered on. No additional protection is offered during sleep mode (a low power mode) as the key typically remains in memory with full disk encryption products and does not have to be re-entered when the machine is resumed.
Power management
Shutting down a computer will usually discard the encryption keys from memory. Therefore, ensuring that the computer is shut down whenever it is in a position where it may be stolen can mitigate this risk.
In order to protect against cold boot attacks against systems using a hibernate feature (ACPI state S4), the encryption system must either dismount all encrypted disks when entering hibernation, or the hibernation file or partition would need to be encrypted as part of the disk encryption system.
By contrast, sleep mode (ACPI states S1, S2 and S3) is generally unsafe, as encryption keys will remain in the computer's memory, allowing the computer to read encrypted data after waking up or after reading back the memory contents. Configuring an operating system to shut down or hibernate when unused, instead of using sleep mode, can help mitigate this risk.
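The dismount and power-management behaviour described in the two sections above, as an added C example that is not code from the article or from any disk encryption product: the cached key is overwritten on dismount, hibernate (S4) and shutdown (S5) dismount first, and sleep (S1-S3) leaves the key in RAM. The `volume` struct, the function names and the dummy key bytes are assumptions made for illustration.

```c
/* Added example, not from the article: wipe cached volume keys on dismount. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KEY_LEN 32
enum acpi_state { ACPI_S0, ACPI_S1, ACPI_S2, ACPI_S3, ACPI_S4, ACPI_S5 };

struct volume {              /* hypothetical in-memory volume record */
    uint8_t key[KEY_LEN];    /* cached key, meaningful only while mounted */
    int mounted;
};

/* Store through a volatile pointer: a plain memset() on a buffer that is
 * never read again may be removed by the optimizer as a dead store. */
static void secure_wipe(void *buf, size_t len) {
    volatile uint8_t *p = buf;
    while (len--) *p++ = 0;
}

void volume_mount(struct volume *v, const uint8_t *key) {
    memcpy(v->key, key, KEY_LEN);
    v->mounted = 1;
}

void volume_dismount(struct volume *v) {
    secure_wipe(v->key, KEY_LEN);
    v->mounted = 0;
}

/* Apply the power-transition policy; return how many volume keys are still
 * resident in RAM. S4/S5 dismount everything, S1-S3 leave keys in place. */
size_t on_power_transition(struct volume *vols, size_t n, enum acpi_state t) {
    size_t resident = 0;
    for (size_t i = 0; i < n; i++) {
        if (t >= ACPI_S4 && vols[i].mounted) volume_dismount(&vols[i]);
        resident += vols[i].mounted ? 1 : 0;
    }
    return resident;
}

/* Constructed scenario: two mounted volumes; count key bytes left behind. */
size_t demo_residual_after(enum acpi_state t) {
    struct volume vols[2];
    uint8_t dummy[KEY_LEN];
    size_t left = 0;
    memset(dummy, 0xA5, sizeof dummy);      /* constructed, not a real key */
    for (size_t i = 0; i < 2; i++) volume_mount(&vols[i], dummy);
    on_power_transition(vols, 2, t);
    for (size_t i = 0; i < 2; i++)
        for (size_t j = 0; j < KEY_LEN; j++) left += vols[i].key[j] != 0;
    return left;
}

int main(void) {
    printf("S3: %zu key bytes left\n", demo_residual_after(ACPI_S3));
    printf("S4: %zu key bytes left\n", demo_residual_after(ACPI_S4));
    return 0;
}
```

Only the cached copy shown here is overwritten; any other copies of the key that a real product holds in memory need the same treatment.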
TCG-compliant systems
Another mitigation method is to use hardware and an operating system that both conform to the "TCG Platform Reset Attack Mitigation Specification", an industry response to this specific attack. The specification forces the BIOS to overwrite memory during POST if the operating system was not shut down cleanly.
However, this measure can still be circumvented by removing the memory module from the system and reading it back on another system under the attacker's control that does not support these measures (as demonstrated in the original paper).
Booting
Although limiting the boot device options in the BIOS may make it slightly less easy to boot another operating system, many BIOSes will prompt the user for the boot device after pressing a specific key during boot. Limiting the boot device options will not prevent the memory module from being removed from the system and read back on an alternative system either. In addition, most chipsets allow the BIOS settings to be reset if the mainboard is physically accessible, allowing the default boot settings to be restored even if they are protected with a password.