that key schedules are contiguous regions of memory in the
byte order used in the AES specification; this can be adjusted
for particular cipher implementations. A threshold parameter controls how many bit errors will be tolerated.
As described in Section 6, we successfully used keyfind to recover keys from closed-source disk encryption
programs without having to reverse engineer their key data
structures. In other tests, we even found key schedules that
were partially overwritten after the memory where they were
stored was reallocated.
This approach can be applied to many other ciphers,
including DES. To locate RSA keys, we can search for known
key data or for characteristics of the standard data structure
used for storing RSA private keys; we successfully located
the SSL private keys in memory extracted from a computer
running Apache 2.2.3 with mod_ssl. For details, see the full
version of this paper.
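The threshold-based search described above, as an added example (this is not the paper's keyfind tool, only a minimal re-implementation of the idea for AES-128): every 16-byte window of a memory image is expanded as a candidate key and accepted when the bytes that follow match its expanded round keys within a bit-error threshold. The memory image, the planted key and the flipped bit positions are constructed here; the key is the FIPS-197 sample key. A defender can run the same scan over a dump of their own machine to confirm that scheduled keys were scrubbed.

```python
import random

def _aes_sbox():
    # Build the AES S-box: GF(2^8) inversion (walking generator 3) plus the affine map.
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        for s in (1, 2, 4):                                      # q /= 3
            q = (q ^ (q << s)) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)       # affine transform
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1: break
    sbox[0] = 0x63
    return sbox

SBOX = _aes_sbox()

def aes128_key_schedule(key):
    # FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys).
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)

def keyfind_aes128(image, threshold):
    # Treat every 16-byte window as a candidate key; report it when the 160 bytes that
    # follow match its expanded round keys within `threshold` bit errors. A flipped bit
    # inside the 16 key bytes changes the whole expected schedule, so this simple
    # matcher only tolerates decay in the round keys that follow the key itself.
    hits = []
    for off in range(len(image) - 176 + 1):
        expected = aes128_key_schedule(image[off:off + 16])
        errs = sum(bin(x ^ y).count("1")
                   for x, y in zip(expected[16:], image[off + 16:off + 176]))
        if errs <= threshold:
            hits.append((off, bytes(image[off:off + 16]), errs))
    return hits

def build_test_image(key, offset, flipped_bits, size=2048, seed=7):
    # Constructed image: pseudo-random filler with one scheduled key planted at
    # `offset`, then the listed bit positions flipped to emulate decayed DRAM cells.
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    image[offset:offset + 176] = aes128_key_schedule(key)
    for bit in flipped_bits:
        image[offset + bit // 8] ^= 1 << (bit % 8)
    return bytes(image)
```

With three bits flipped in the round keys, a threshold of 0 finds nothing while a threshold of 8 reports the planted key at its offset with an error count of 3.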
6. Attacking Encrypted Disks
We have applied the tools developed in this paper to defeat
several popular on-the-fly disk encryption systems, and we
suspect that many similar products are also vulnerable. Our
results suggest that disk encryption, while valuable, is not
necessarily a sufficient defense against physical data theft.
6.1. BitLocker
BitLocker is a disk encryption feature included with some versions of Windows Vista and Windows 7. It operates as a filter
driver that resides between the file system and the disk driver,
encrypting and decrypting individual sectors on demand.
As described in a paper by Niels Ferguson of Microsoft [8], the
BitLocker encryption algorithm encrypts data on the disk
using a pair of AES keys, which, we discovered, reside in RAM
in scheduled form for as long as the disk is mounted.
We created a fully automated demonstration attack
tool called BitUnlocker. It consists of an external USB hard
disk containing a Linux distribution, a custom SYSLINUX-based bootloader, and a custom driver that allows BitLocker
volumes to be mounted under Linux. To use it against a running Windows system, one cuts power momentarily to reset
the machine, then connects the USB disk and boots from the
external drive. BitUnlocker automatically dumps the memory
image to the external disk, runs keyfind to locate candidate
keys, tries all combinations of the candidates, and, if the correct keys are found, mounts the BitLocker-encrypted volume.
Once the encrypted volume has been mounted, one can browse
it using the Linux distribution just like any other volume.
We tested this attack on a modern laptop with 2GB of RAM.
We rebooted it by removing the battery and cutting power
for less than a second; although we did not use any cooling,
BitUnlocker successfully recovered the keys with no errors and
decrypted the disk. The entire automated process took around
25 min, and optimizations could greatly reduce this time.
6.2. FileVault
Apple’s FileVault disk encryption software ships with recent versions of Mac OS X. A user-supplied password decrypts a header
that contains both an AES key used to encrypt stored data and a
second key used to compute IVs (initialization vectors).
We used our EFI memory extraction program on an
Intel-based Macintosh system running Mac OS X 10.4 with
a FileVault volume mounted. Our keyfind program automatically identified the FileVault AES encryption key, which
did not contain any bit errors in our tests.
As for the IV key, it is present in RAM while the disk is
mounted, and if none of its bits decay, an attacker can identify it by attempting decryption using all appropriately sized
substrings of memory. FileVault encrypts each disk block in
CBC (cipher-block chaining) mode, so even if the attacker
cannot recover the IV key, he can decrypt 4080 bytes of each
4096-byte disk block (all except the first cipher block) using
only the AES key. The AES and IV keys together allow full
decryption of the volume using programs like vilefault.
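The CBC property behind the 4080-of-4096 figure, as an added example that is not part of the paper or of vilefault: in CBC mode each plaintext block is D(C_i) XOR C_(i-1), so the data key alone recovers every block except the first, and the IV is needed only for block 0. The 16-byte block cipher here is a stand-in keyed Feistel permutation over HMAC-SHA256, not AES, and the IV is supplied directly rather than derived from FileVault's IV key; the 4096-byte disk block is constructed.

```python
import hashlib, hmac

def _f(key, rnd, half):
    # Round function of the stand-in cipher (not AES): HMAC-SHA256 truncated to 8 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    # 4-round Feistel over 16-byte blocks; any invertible keyed permutation serves CBC.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), 16):
        prev = block_encrypt(key, _xor(data[i:i + 16], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_without_iv(key, ct):
    # P_i = D(C_i) XOR C_(i-1): every block but the first is recoverable from the
    # ciphertext alone. The first block needs the IV and is returned as None.
    blocks = [ct[i:i + 16] for i in range(0, len(ct), 16)]
    plain = [None]
    for prev, cur in zip(blocks, blocks[1:]):
        plain.append(_xor(block_decrypt(key, cur), prev))
    return plain

def cbc_decrypt(key, iv, ct):
    # With the IV in hand the same rule recovers block 0 too (the IV acts as C_(-1)).
    return b"".join(cbc_decrypt_without_iv(key, iv + ct)[1:])

def recoverable_bytes(key, ct):
    # Bytes of a disk block that the data key alone yields: 4080 of a 4096-byte block.
    return sum(len(p) for p in cbc_decrypt_without_iv(key, ct) if p is not None)
```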
6.3. TrueCrypt, dm-crypt, and Loop-AES
We tested three popular open-source disk encryption
systems, TrueCrypt, dm-crypt, and Loop-AES, and found
that they too are vulnerable to attacks like the ones we have
described. In all three cases, once we had extracted a memory image with our tools, we were able to use keyfind to
locate the encryption keys, which we then used to decrypt
and mount the disks.
Memory remanence attacks are difficult to prevent because
cryptographic keys in active use must be stored somewhere.
Potential countermeasures focus on discarding or obscuring encryption keys before an adversary might gain physical
access, preventing memory extraction software from executing on the machine, physically protecting the DRAM chips,
and making the contents of memory decay more readily.
7.1. Suspending a System Safely
Simply locking the screen of a computer (i.e., keeping the
system running but requiring entry of a password before
the system will interact with the user) does not protect the
contents of memory. Suspending a laptop’s state to RAM
(sleeping) is also ineffective, even if the machine enters a
screen-locked state on awakening, since an adversary could
simply awaken the laptop, power-cycle it, and then extract
its memory state. Suspending to disk (hibernating) may also
be ineffective unless an externally held secret key is required
to decrypt the disk when the system is awakened.
With most disk encryption systems, users can protect
themselves by powering off the machine completely when
it is not in use, then guarding the machine for a minute or
so until the contents of memory have decayed sufficiently.
Though effective, this countermeasure is inconvenient, since
the user will have to wait through the lengthy boot process
before accessing the machine again.
Suspending can be made safe by requiring a password or
other external secret to reawaken the machine and encrypting the contents of memory under a key derived from the
password. If encrypting all of the memory is too expensive,
the system could encrypt only those pages or regions containing important keys. An attacker might still try to guess
the password and check his guesses by attempting decryption (an offline password-guessing attack), so systems