Princeton Cold Boot Memory Attack

Ok, I know, I know. I owe you guys a proper update after being “absent” from blogging for quite some time. So, here is my take on the recently released Princeton Memory Vulnerability that seems to be gathering so much attention with the press and creating a sort of panic in the encryption community.

I have been watching the Princeton Cold Boot Memory Attack issue for the past 2 weeks. Over at the FDE mailing list, people from the encryption community even called it “scary”.

For those who want to read the paper for themselves, you can find it here. For those who aren’t patient enough, here is a brief overview of the paper.

We all know, of course, that DRAM loses its contents when the power is off. However, the question of how long it takes for DRAM to “forget” was never paid much attention. This is probably because (and I quote) “[m]ost experts assume that a computer’s memory is erased almost immediately when it loses power, or that whatever data remains is difficult to retrieve without specialized equipment.” The Princeton paper released earlier this month showed that these assumptions are incorrect.

Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount successful attacks on popular disk encryption systems using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay.

Moreover, the paper presented a “suite of attacks that exploit DRAM remanence effects to recover cryptographic keys held in memory.” They demonstrated this vulnerability by defeating disk encryption systems like Microsoft’s BitLocker (Windows Vista), Apple’s FileVault (Mac OS X) and TrueCrypt (an open-source disk encryption product for Windows, Mac OS and Linux).

…[C]onfirmed that decay rates vary dramatically with temperature… obtained surface temperatures of approximately −50 °C with a simple cooling technique: discharging inverted cans of “canned air” duster spray directly onto the chips. At these temperatures, …fewer than 1% of bits decayed even after 10 minutes without power. To test the limits of this effect, …DRAM modules [submerged] in liquid nitrogen (ca. −196 °C)…[had] only 0.17% [decay] after 60 minutes out of the computer.
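The abstract quoted above mentions “algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay.” The idea behind them is that an expanded key schedule is highly redundant: every round key is computed from the previous one, so a candidate key can be checked against the bytes that follow it, and a few decayed bits can be corrected rather than tolerated. The following Python model is an added example (not code from the paper, from its authors’ tools, or from this post) that shows the effect on AES-128. It assumes decay is one-directional (1 → 0, the “ground state” of the cell region), that the key is immediately followed by its expanded schedule in RAM, and that at most one bit of the key itself has decayed; the filter and acceptance thresholds are also assumptions chosen for the demonstration.

```python
"""Why the AES-128 key schedule makes keys recognisable in a decayed RAM image.

Added example, not code from the Princeton paper or the post. Assumptions:
bits decay one way (1 -> 0, the 'ground state'), the key is immediately
followed by its expanded schedule, and at most one key bit has decayed.
"""
import random


def _make_sbox():
    """Build the AES S-box: GF(2^8) inverse followed by the affine map."""
    sbox = [0] * 256
    p = q = 1
    rot = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= (q << 1) & 0xFF                                    # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key):
    """AES-128 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


def _hamming(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def _schedule_distance(candidate, window):
    """Bits by which the schedule regenerated from candidate differs from
    the 160 bytes following it in the image."""
    return _hamming(expand_key(candidate)[16:], window[16:176])


def find_aes128_keys(image, max_bits=40):
    """Return (offset, key) for every window that looks like a decayed
    AES-128 key schedule, correcting a single decayed key bit."""
    hits = []
    for off in range(len(image) - 175):
        window = image[off:off + 176]
        cand = bytes(window[:16])
        # Cheap filter: does round key 1 look derived from round key 0?
        # Unrelated data differs in ~64 of 128 bits; one decayed key bit
        # changes at most a few dozen, so 40 separates the two cases.
        if _hamming(expand_key(cand)[16:32], window[16:32]) > 40:
            continue
        best = (_schedule_distance(cand, window), cand)
        # Decay only clears bits, so the only correction worth trying is 0 -> 1.
        for bit in range(128):
            if cand[bit // 8] >> (7 - bit % 8) & 1:
                continue
            trial = bytearray(cand)
            trial[bit // 8] |= 1 << (7 - bit % 8)
            d = _schedule_distance(trial, window)
            if d < best[0]:
                best = (d, bytes(trial))
        if best[0] <= max_bits:
            hits.append((off, best[1]))
    return hits


def clear_bits(data, positions):
    """Model decay deterministically: force the given bit positions
    (MSB-first, counted from the start of data) to the ground state 0."""
    out = bytearray(data)
    for pos in positions:
        out[pos // 8] &= ~(1 << (7 - pos % 8)) & 0xFF
    return bytes(out)


def demo(offset=700, decayed_bits=(2, 130, 333, 701, 1024, 1377)):
    """Plant a known schedule (FIPS-197 test key) in constructed random filler,
    decay a few bits including one inside the key itself, and scan."""
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    rng = random.Random(1)
    image = bytearray(rng.getrandbits(8) for _ in range(2048))
    image[offset:offset + 176] = expand_key(key)
    image = clear_bits(image, [offset * 8 + b for b in decayed_bits])
    return find_aes128_keys(image)


if __name__ == "__main__":
    for off, key in demo():
        print(f"schedule at offset {off}: key {key.hex()}")
```

The defensive lesson is in the redundancy the scanner exploits: because each AES-128 round key is a function of the previous one, any single round key determines the whole key (w0 can be recomputed from w4..w7), so wiping only the 16-byte key while the expanded schedule stays in RAM removes nothing. Memory scrubbing has to treat the entire schedule as key material, and the temperature figures quoted above say how long that scrubbing has to happen before power is lost.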

It seems that the semiconductor physics community has long been aware of the remanence effect in DRAM: a 1978 experiment even found that there can be no data loss for a full week without refresh when the chips are cooled with liquid nitrogen.

More recently, the same team demonstrated an attack native to OS X. They showed the ease of breaking Keychain and accessing the contents of a Macintosh computer using only an iPod and network booting.

Microsoft better at patching XP than Vista?

From ComputerWorld:

June 22, 2007 (IDG News Service) — A Microsoft Corp. security executive released data Thursday showing that, six months after shipping Windows Vista, his company has left more publicly disclosed Vista bugs unpatched than it did with Windows XP.

In total, Microsoft has patched 12 out of 27 disclosed Vista vulnerabilities in the six months after it first shipped last November. During XP’s first six months, Microsoft’s security team patched 36 out of 39 known bugs.

The data was published by Jeff Jones, a Microsoft security strategy director, who said that overall, Vista was doing better than XP. “Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six month mark compared to its predecessor product, Windows XP,” he wrote.

Jones didn’t address the larger number of unpatched vulnerabilities, but he did note most of the unpatched Vista bugs were not critical. Microsoft had left only one high-severity Vista vulnerability unpatched during the period. At the end of XP’s first six months, there were two high-severity bugs that were unpatched.

Microsoft patched 23 high-severity XP bugs during its first six months, compared with only one high-severity Vista flaw.

Jones argued that Vista had a lower number of vulnerabilities than competitive operating system products such as Red Hat Enterprise Linux and Mac OS X.

It is not quite surprising to hear that Microsoft does poorly when it comes to patching Vista, since they’re still patching XP, which has more users than Vista. It is, however, bothersome to know that a high-severity Vista vulnerability remains unpatched. This just goes to show how little priority MS gives to its Vista users.

While I agree that Microsoft did a good job in implementing the security for Vista, I think we will see how well (or how poorly) they did once it becomes as popular as XP and therefore attracts more hackers. Hardware is getting cheaper by the day, and we might see Vista replacing XP soon. Then we’ll see what happens.

How to Remove TAGA LIPA ARE!

I’ve been bugged by a lot of people asking me to help them remove the TAGA LIPA ARE! ‘virus’ in IE. So, I’m posting the directions here.

The first thing is to get familiar with the ‘virus’. The ‘virus’ file is FS6519.dll.vbs. It’s a VBScript that does nothing except copy itself to all your drives and change the title of Internet Explorer to “TAGA LIPA ARE!”.

First, configure Folder Options to show hidden files and protected operating system files, and to show file extensions. Then delete

C:\Windows\FS6519.dll.vbs

I would suggest using the Shift + Del here.

Second, open

regedit

from the Run dialog. Remove the registry entry

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\FS6519.dll

Then remove all copies of the file

FS6519.dll.vbs

and

autorun.ini

from all your drives. Again, I suggest using Shift + Del here.

To restore the name of IE to Internet Explorer, change the value of

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title

from “TAGA LIPA ARE!” to “Internet Explorer” by double-clicking the registry entry. And that’s it, the ‘virus’ is gone.
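The same clean-up as a script, for anyone who has to repeat it on several machines. This is an added example, not something from the original post: it follows the four manual steps above using only the file name, Run value and registry key given there. One addition that the post does not mention, and that is an assumption on my part, is stopping any running Windows Script Host instance first, since a copy of the script that is still executing could recreate the files. Run it from an elevated PowerShell prompt; `-WhatIf` previews every deletion without performing it.

```powershell
# Clean-up for the FS6519.dll.vbs ("TAGA LIPA ARE!") script, following the
# manual steps in the post. Added example, not from the original post.
# Usage: .\Remove-FS6519.ps1 [-WhatIf]   (name of this file is arbitrary)
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$fileName  = 'FS6519.dll.vbs'
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue  = 'FS6519.dll'
$ieMainKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

# Assumption not in the post: a script host still running the .vbs could
# recreate the copies, so stop Windows Script Host instances first.
Stop-Process -Name wscript, cscript -Force -ErrorAction SilentlyContinue

# Step 1: the primary copy in the Windows directory (hidden/system, hence -Force).
$primary = Join-Path $env:SystemRoot $fileName
if (Test-Path -LiteralPath $primary) {
    Remove-Item -LiteralPath $primary -Force
}

# Step 2: the autostart entry under the Run key.
$entry = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($entry) {
    Write-Host "Removing Run entry '$runValue' -> $($entry.$runValue)"
    Remove-ItemProperty -Path $runKey -Name $runValue
}

# Step 3: the copies and autorun.ini in the root of every drive.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in $fileName, 'autorun.ini') {
        $path = Join-Path $drive.Root $name
        if (Test-Path -LiteralPath $path) {
            Write-Host "Removing $path"
            Remove-Item -LiteralPath $path -Force
        }
    }
}

# Step 4: restore the Internet Explorer title bar.
$main = Get-ItemProperty -Path $ieMainKey -ErrorAction SilentlyContinue
if ($main -and $main.'Window Title' -eq 'TAGA LIPA ARE!') {
    Set-ItemProperty -Path $ieMainKey -Name 'Window Title' -Value 'Internet Explorer'
}
```

Because the script declares `SupportsShouldProcess`, the `-WhatIf` switch is passed through to `Stop-Process`, `Remove-Item`, `Remove-ItemProperty` and `Set-ItemProperty`, so a dry run lists exactly which files and values would be touched. Removable drives that are not plugged in at the time are of course not cleaned; insert them and run the script again.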

It’s really harmless and, if you ask me, it looks like something an attention-seeking twelve-year-old with a compiler would do. And you, on the other hand, should know better next time. ;)