provide key material to access the volume). MacIver apparently has not published on this subject.
Researchers have known since the 1970s that DRAM cell
contents survive to some extent even at room temperature
and that retention times can be increased by cooling. 13 In
2002, Skorobogatov17 found significant retention times with
static RAMs at room temperature. Our results for DRAMs
show even longer retention in some cases.
Some past work focuses on “burn-in” effects that
occur when data is stored in RAM for an extended period.
Gutmann9, 10 attributes burn-in to physical changes in memory cells, and he suggests that keys be relocated periodically
as a defense. Our findings concern a different phenomenon.
The remanence effects we studied occur even when data is
stored only momentarily, and they result not from physical
changes but from the electrical capacitance of DRAM cells.
A number of methods exist for obtaining memory
images from live systems. Unlike existing techniques, our
attacks do not require access to specialized hardware or a
privileged account on the target system, and they are resistant to operating system countermeasures.
Contrary to common belief, DRAMs hold their values for
surprisingly long intervals without power or refresh. We
show that this fact enables attackers to extract cryptographic
keys and other sensitive information from memory despite
the operating system’s efforts to secure memory contents.
The attacks we describe are practical—for example, we have
used them to defeat several popular disk encryption systems. These results imply that disk encryption on laptops,
while beneficial, does not guarantee protection.
In recent work Chan et al. 4 demonstrate a dangerous extension to our attacks. They show how to cold-reboot a running
computer, surgically alter its memory, and then restore the
machine to its previous running state. This allows the attacker
to defeat a wide variety of security mechanisms—including
disk encryption, screen locks, and antivirus software—by tampering with data in memory before reanimating the machine.
This attack can potentially compromise data beyond the local
disk; for example, it can be executed quickly enough to bypass
a locked screen before any active VPN connections time out.
Though it appears that this attack would be technically challenging to execute, it illustrates that memory’s vulnerability to physical attacks presents serious threats that security
researchers are only beginning to understand.
There seems to be no easy remedy for memory remanence attacks. Ultimately, it might become necessary to treat
DRAM as untrusted and to avoid storing sensitive data there,
but this will not be feasible until architectures are changed
to give running software a safe place to keep secrets.
We thank Andrew Appel, Jesse Burns, Grey David, Laura
Felten, Christian Fromme, Dan Good, Peter Gutmann,
Benjamin Mako Hill, David Hulton, Brie Ilenda, Scott Karlin,
David Molnar, Tim Newsham, Chris Palmer, Audrey Penven,
David Robinson, Kragen Sitaker, N.J.A. Sloane, Gregory
Sutter, Sam Taylor, Ralf-Philipp Weinmann, and Bill Zeller
for their helpful contributions. This work was supported in
part by a National Science Foundation Graduate Research
Fellowship and by the Department of Homeland Security
Scholarship and Fellowship Program; it does not necessarily
reflect the views of NSF or DHS.
1. arbaugh, W., Farber, d., smith, J.
a secure and reliable bootstrap
architecture. In Proceedings of the
IEEE Symposium on Security and
Privacy (May 1997), 65–71.
2. boyen, X. Halting password
puzzles: Hard-to-break encryption
from human-memorable keys. In
Proceedings of the 16th USENIX
Security Symposium (august 2008).
3. Canetti, r., dodis, y., Halevi, s.,
Kushilevitz, e., sahai, a. exposure-resilient functions and all-or-nothing
transforms. In EUROCRYPT 2000,
volume 1807/2000 (2000), 453–469.
4. Chan, e. M., Carlyle, J. C., david, F.M.,
Farivar, r., Campbell, r.H. bootjacker:
Compromising computers using
forced restarts. In Proceedings of the
15th ACM Conference on Computer
and Communications Security
(october 2008), 555–564.
5. Chow, J., Pfaff, b., garfinkel, t.,
rosenblum, M. shredding your
garbage: reducing data lifetime
through secure deallocation. In
Proceedings of the 14th USENIX
Security Symposium (august 2005),
6. dwoskin, J., lee, r.b. Hardware-rooted
trust for secure key management and
transient trust. In Proceedings of the
14th ACM Conference on Computer
and Communications Security
(october 2007), 389–400.
7. dyer, J.g., lindemann, M., Perez, r.,
sailer, r., van doorn, l., smith, s. W.,
Weingart, s. building the IbM 4758
secure coprocessor. Computer 34
(oct. 2001), 57–66.
8. Ferguson, n. aes-CbC + elephant
diffuser: a disk encryption algorithm
for Windows Vista, (august 2006).
9. gutmann, P. secure deletion of
data from magnetic and solid-state
memory. In Proceedings of the 6th
USENIX Security Symposium (July
10. gutmann, P. data remanence
in semiconductor devices. In
Proceedings of the 10th USENIX
Security Symposium (august 2001),
11. Heninger, n., shacham, H. Improved
rsa private key reconstruction for
cold boot attacks. Cryptology ePrint
archive, report 2008/510, december
12. lie, d., thekkath, C.a., Mitchell, M.,
lincoln, P., boneh, d., Mitchell, J.,
Horowitz, M. architectural support for
copy and tamper resistant software.
In Symposium on Architectural
Support for Programming Languages
and Operating Systems (2000).
13. link, W., May, H. eigenschaften von
bei tiefen temperaturen. Archiv für
Elektronik und Übertragungstechnik
33 (June 1979), 229–235.
14. MacIver, d. Penetration testing
Windows Vista bitlocker drive
encryption. Presentation, Hack In the
box (september 2006).
15. Pettersson, t. Cryptographic key
recovery from linux memory dumps.
Presentation, Chaos Communication
Camp (august 2007).
16. shamir, a., van someren, n. Playing
“hide and seek” with stored keys.
LNCS 1648 (1999), 118–124.
17. skorobogatov, s. low-temperature
data remanence in static raM.
university of Cambridge Computer
laborary technical report 536, June
18. Weinmann, r.-P., appelbaum, J.
unlocking FileVault. Presentation,
23rd Chaos Communication
Congress, december 2006.
J. Alex Halderman
university of Michigan.
Seth D. Schoen
electronic Frontier Foundation.
Wind river systems.
Joseph A. Calandrino
Ariel J. Feldman
the tor Project.
Edward W. Felten
© 2009 aCM 0001-0782/09/0500 $5.00