bootloader. It can be booted from an external USB device or
a regular hard disk.
An attacker could use tools like these in a number of ways,
depending on his level of access to the system and the countermeasures employed by hardware and software. The simplest attack is to reboot the machine and configure the BIOS
to boot the memory extraction tool. A warm boot, invoked
with the operating system’s restart procedure, will normally
ensure that refresh is not interrupted and the memory has
no chance to decay, though software will have an opportunity to wipe sensitive data. A cold boot, initiated using the
system’s restart switch or by briefly removing power, may
result in a small amount of decay, depending on the memory’s
retention time, but denies software any chance to scrub
memory before shutting down.
Even if an attacker cannot force a target system to boot
memory extraction tools, or if the target employs countermeasures that erase memory contents during boot, an
attacker with sufficient physical access can transfer the
memory modules to a computer he controls and use it to
extract their contents. Cooling the memory before powering it off slows the decay sufficiently to allow it to be transplanted with minimal data loss. As shown in Figure 5,
widely available “canned air” dusting spray can be used to
cool the chips to −50°C and below. At these temperatures
data can be recovered with low error rates even after several
minutes.
4. Key Reconstruction
The attacker’s task is more complicated when the memory
is partially decayed, since there may be errors in the cryptographic keys he extracts, but we find that attacks can
remain practical. We have developed algorithms for correcting errors in symmetric and private keys that can efficiently
reconstruct keys when as few as 27% of the bits are known,
depending on the type of key.
Our algorithms achieve significantly better performance
than brute force by considering information other than the
actual key. Most cryptographic software is optimized by storing data precomputed from the key, such as a key schedule
for block ciphers or an extended form of the private key for
RSA. This data contains much more structure than the key
itself, and we can use this structure to perform efficient error
correction.
These results imply a trade-off between efficiency and
security. All of the disk encryption systems we studied pre-compute key schedules and keep them in memory for as
long as the encrypted disk is mounted. While this practice
saves some computation for each disk access, we find that it
also facilitates attacks.
Our algorithms make use of the fact that most decay is
unidirectional. In our experiments, almost all bits decayed
to a predictable ground state with only a tiny fraction flipping in the opposite direction. In practice, the probability
of decaying to the ground state approaches 1 as time goes
on, while the probability of flipping in the opposite direction remains tiny—less than 0.1% in our tests. We further
assume that the ground state decay probability is known
to the attacker; it can be approximated by comparing the
fractions of zeros and ones in the extracted key data and
assuming that these were roughly equal before the data
decayed.
4.1. Reconstructing DES Keys
We begin with a relatively simple application of these
ideas: an error-correction technique for DES keys. Before
software can encrypt or decrypt data with DES, it must
expand the secret key K into a set of round keys that are used
internally by the cipher. The set of round keys is called the
key schedule; since it takes time to compute, programs typically cache it in memory as long as K is in use. The DES key
schedule consists of 16 round keys, each a permutation of
a 48-bit subset of bits from the original 56-bit key. Every bit
from the key is repeated in about 14 of the 16 round keys.
We begin with a partially decayed DES key schedule. For
each bit of the key, we consider the n bits extracted from
memory that were originally all identical copies of that
key bit. Since we know roughly the probability that each
bit decayed 0 → 1 or 1 → 0, we can calculate whether the
extracted bits were more likely to have resulted from the
decay of repetitions of 0 or repetitions of 1.
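The per-bit likelihood decision described above, together with the ground-state decay estimate from the previous section, as an added example that is not code from the original article. It assumes a ground state of 0, uses 0.001 for the reverse-flip probability (the "less than 0.1%" bound quoted earlier), treats each key bit as a plain group of repeated copies rather than mapping real DES schedule positions, and all function names and the sample data are constructed for illustration.

```python
import math

def estimate_ground_decay(bits):
    """Estimate P(1 -> 0) from the zero/one imbalance, assuming the data
    held equal numbers of zeros and ones before it decayed (ground state 0)."""
    ones = sum(bits)
    zeros = len(bits) - ones
    return max(0.0, (zeros - ones) / len(bits))

def ml_bit(copies, d0, d1):
    """Most likely original value of a key bit given its decayed copies.
    d0 = P(1 -> 0), decay to ground; d1 = P(0 -> 1), the rare reverse flip."""
    eps = 1e-9  # keep log() finite when an estimate is exactly 0 or 1
    d0 = min(max(d0, eps), 1 - eps)
    d1 = min(max(d1, eps), 1 - eps)
    k, n = sum(copies), len(copies)
    # Log-likelihood of the observation if every copy started as 0 / as 1.
    ll_zero = k * math.log(d1) + (n - k) * math.log(1 - d1)
    ll_one = k * math.log(1 - d0) + (n - k) * math.log(d0)
    return 1 if ll_one > ll_zero else 0

def recover_bits(groups, d1=0.001):
    """Estimate d0 from all extracted bits, then decide each key bit."""
    flat = [b for g in groups for b in g]
    d0 = estimate_ground_decay(flat)
    return [ml_bit(g, d0, d1) for g in groups]

def constructed_sample():
    """Constructed data: 8 key bits, 14 copies each. Four copies of every
    1 bit have decayed to 0; one copy of a 0 bit has flipped to 1."""
    key = [1, 0, 1, 1, 0, 0, 1, 0]
    groups = []
    for i, bit in enumerate(key):
        copies = [bit] * 14
        if bit == 1:
            for j in range(0, 14, 4):
                copies[j] = 0
        elif i == 1:
            copies[5] = 1
        groups.append(copies)
    return key, groups

if __name__ == "__main__":
    key, groups = constructed_sample()
    print("original :", key)
    print("recovered:", recover_bits(groups))
```

A single surviving 1 among 14 copies is classified as 0 at 25% decay but as 1 at 90% decay, which is why the decision needs the estimated decay probability and not a simple "any 1 wins" rule.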
If 5% of the bits in the key schedule have decayed to the
ground state, the probability that this technique will get any
of the 56 bits of the key wrong is less than $10^{-8}$. Even if 25% of
Figure 5: Advanced cold-boot attack. In our most powerful attack, the attacker reduces the temperature of the memory chips while the
computer is still running, then physically moves them to another machine configured to read them without overwriting any data. Before
powering off the computer, the attacker can spray the chips with “canned air,” holding the container in an inverted position so that it discharges
cold liquid refrigerant instead of gas (left). This cools the chips to around −50°C (middle). At this temperature, the data will persist for several
minutes after power loss with minimal error, even if the memory modules are removed from the computer (right).