It is widely assumed that a computer’s memory is erased immediately when it loses power. Reality is not so simple: most ordinary computer memory (DRAM) chips lose their contents gradually over a period of seconds to minutes, even if the chips are removed from a motherboard; and data can be recovered after minutes or hours without power if the chips are kept at a low temperature.
In our research paper, we present security attacks that exploit DRAM remanence (the tendency of DRAM to retain data even after power loss) to recover cryptographic keys held in memory. These attacks are nondestructive; they require, at most, momentary physical access to the target machine; and they do not involve exotic hardware or cooling techniques. They pose a particular threat to laptop users who rely on disk encryption products, since an adversary who steals a laptop while an encrypted disk is mounted could employ our attacks to access the contents, even if the computer is screen-locked or suspended.
We demonstrate this risk by defeating several popular disk encryption systems, including BitLocker (which ships with Windows Vista), FileVault (which ships with MacOS), and dm-crypt (which is used with Linux), and we expect many similar products are also vulnerable.
We report experiments we conducted to characterize DRAM remanence in a variety of memory technologies. Contrary to the expectation that DRAM loses its state quickly unless it is powered and regularly refreshed, we found that most DRAM modules retain much of their state without refresh, and even without power, for periods lasting seconds to minutes. At normal operating temperatures, we generally observed a low rate of data decay for several seconds, followed by a period of rapid decay. Newer memory technologies, which use higher circuit densities, appeared to decay more quickly than older ones. In most cases, we found that almost all bits decayed to predictable “ground states” rather than to random values.
We also confirmed that decay rates vary dramatically with temperature. We obtained surface temperatures of approximately -50°C with a simple cooling technique: discharging inverted cans of “canned air” keyboard duster directly onto the chips. At these temperatures, we typically found that fewer than 1% of bits decayed even after 10 minutes without power. To test the limits of this effect, we submerged DRAM modules in liquid nitrogen (-196°C) and saw decay of only 0.17% after 60 minutes out of the computer.
We present several attacks that exploit DRAM remanence to acquire memory images from which keys and other sensitive data can be extracted. Our attacks come in three variants, of increasing resistance to countermeasures. The simplest is to reboot the machine and launch a custom operating system kernel with a small memory footprint that gives the adversary access to the retained memory. A more advanced attack cuts power to the machine, then restores power and boots a custom kernel; this deprives the operating system of any opportunity to scrub memory before shutting down. An even stronger attack cuts the power and then transplants the DRAM modules to a second PC prepared by the attacker, which extracts their state. This attack additionally deprives the original BIOS and PC hardware of any chance to clear the memory on boot. We have implemented imaging kernels for use with network booting or a USB drive.
When attacks that involve cutting power result in memory corruption, the attacker will need to correct any bit errors in the recovered keys. If the error rate is low enough, straightforward brute-force searching will suffice, but brute force is not feasible when errors are more common. We describe novel error correction algorithms that can recover the correct keys even with relatively high bit-error rates. Rather than attacking the key directly, our methods focus on values derived from it, such as key schedules, that have a higher degree of redundancy. For performance reasons, many applications precompute these values and keep them in memory for as long as the key itself. We have devised recovery techniques for AES, DES, and RSA keys, and we expect that similar approaches will be possible for other cryptosystems. We have correctly recovered keys from several popular disk encryption products.
Standard doctrine says that software should overwrite all copies of a key when it has finished using it, but there are important cases where this is impractical because the same key is used repeatedly. Two examples are an encrypted disk, where the root key must remain available to enable file access, and an SSL Web server, where an RSA private key must be kept available for establishing new sessions (if hardware offloading is not used). We present fully automatic techniques for extracting such keys from memory images, even in the presence of bit errors. We demonstrate the effectiveness of these tools by attacking several widely used disk encryption products, including BitLocker (which ships with Windows Vista), FileVault (which ships with MacOS), dm-crypt (which is often used with Linux), and TrueCrypt.
It may be difficult to prevent all the attacks that we describe even with significant changes to the way encryption products are designed and used, but in practice there are a number of safeguards that can provide partial resistance. We suggest a variety of mitigation strategies ranging from methods that average users can apply today to long-term software and hardware changes. Each remedy has limitations and trade-offs. We conclude that there is no simple fix for DRAM remanence vulnerabilities.