Communications - May 2009

servers are vulnerable, since they normally keep in memory private keys needed to establish SSL sessions. DRM systems may also face potential compromise; they sometimes rely on software to prevent users from accessing keys stored in memory, but attacks like the ones we have developed could be used to bypass these controls.

It may be difficult to prevent all the attacks that we describe even with significant changes to the way encryption products are designed and used, but in practice there are a number of safeguards that can provide partial resistance. We suggest a variety of mitigation strategies ranging from methods that average users can employ today to long-term software and hardware changes. However, each remedy has limitations and trade-offs, and we conclude that there is no simple fix for DRAM remanence vulnerabilities.

Certain segments of the computer security and hardware communities have been conscious of DRAM remanence for some time, but strikingly little about it has been published. As a result, many who design, deploy, or rely on secure systems are unaware of these phenomena or the ease with which they can be exploited. To our knowledge, ours is the first comprehensive study of their security consequences.

2. chaRacteRiZing Remanence

A DRAM cell is essentially a capacitor that encodes a single bit when it is charged or discharged. ¹⁰Over time, charge leaks out, and eventually the cell will lose its state, or, more precisely, it will decay to its ground state, either zero or one depending on how the cell is wired. To forestall this decay, each cell must be refreshed, meaning that the capacitor must be recharged to hold its value—this is what makes DRAM “dynamic.” Manufacturers specify a maximum refresh interval—the time allowed before a cell is recharged—that is typically on the order of a few milliseconds. These times are chosen conservatively to ensure extremely high reliability for normal computer operations where even infrequent bit errors can cause problems, but, in practice, a failure to refresh any individual DRAM cell within this time has only a tiny probability of actually destroying the cell’s contents.

To characterize DRAM decay, we performed experiments on a selection of recent computers, listed in Figure 1. We filled representative memory regions with a pseudoran-dom test pattern, and read back the data after suspending refreshes for varying periods of time by cutting power to the machine. We measured the error rate for each sample as

figure 1: test systems. We experimented with six systems (designated a–f) that encompass a range of recent DRam architectures and circuit densities.

a B C D E F

Density 128mB 512mB 256mB 512mB 512mB 512mB

type SDRam DDR DDR DDR2 DDR2 DDR2

system Dell Dimension 4100 Toshiba Portégé R100 Dell Inspiron 5100 IBm Thinkpad T43p IBm Thinkpad x60 lenovo 3000 n100

Year 1999 2001 2003 2006 2007 2007

the number of bit errors (the Hamming distance from the pattern we had written) divided by the total number of bits. Fully decayed memory would have an error rate of approximately 50%, since half the bits would match by chance.

2. 1. Decay at operating temperature

Our first tests measured the decay rate of each machine’s memory under normal operating temperature, which ranged from 25. 5°C to 44. 1°C. We found that the decay curves from different machines had similar shapes, with an initial period of slow decay, followed by an intermediate period of rapid decay, and then a final period of slow decay, as shown in Figure 2.

The dimensions of the decay curves varied considerably between machines, with the fastest exhibiting complete data loss in approximately 2. 5 s and the slowest taking over a minute. Newer machines tended to exhibit a shorter time to total decay, possibly because newer chips have higher density circuits with smaller cells that hold less charge, but even the shortest times were long enough to enable some of our attacks. While some attacks will become more difficult if this trend continues, manufacturers may attempt to increase retention times to improve reliability or lower power consumption.

We observed that the DRAMs decayed in highly nonuniform patterns. While these varied from chip to chip, they were very stable across trials. The most prominent pattern is a gradual decay to the ground state as charge leaks out of the memory cells. In the decay illustrated in Figure 3, blocks of cells alternate between a ground state of zero and a ground state of one, resulting in the horizontal bars. The fainter vertical bands in the figure are due to manufacturing variations that cause cells in some parts of the chip to leak charge slightly faster than those in others.

figure 2: measuring decay. We measured memory decay after various intervals without power. the memories were running at normal operating temperature, without any special cooling. curves for machines a and c would be off the scale to the right, with rapid decay at around 30 and 15 s, respectively.