Cold-boot attacks change the data leakage landscape

The long view of security strategies for your network.

As always, it’s a pleasure to collaborate with my current and present graduate students in bringing you thoughtful articles. Jürgen Pabel graduated from the MSIA program in 2004 in the first graduating class; he is an experienced network engineer and security consultant in Köln (Cologne), Germany and has become a valued friend and colleague.

Recently Jürgen and I collaborated on this column and the next; Jürgen wrote the first draft and then I provided additional material, edits and references. In what follows, “I” refers to Jürgen.

* * *

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

As always, it’s a pleasure to collaborate with my current and present graduate students in bringing you thoughtful articles. Jürgen Pabel graduated from the MSIA program in 2004 in the first graduating class; he is an experienced network engineer and security consultant in Köln (Cologne), Germany and has become a valued friend and colleague.

Recently Jürgen and I collaborated on this column and the next; Jürgen wrote the first draft and then I provided additional material, edits and references. In what follows, “I” refers to Jürgen.

* * *

Until 2008, the consensus had been that there would be no practical way to remove a RAM chip from a computer system without losing all contained data.

However, last July, J. Alex Halderman and a research team including Edward Felten at the Center for Information Technology at Princeton University published a paper about something quite amazing: most random-access memory (RAM) chips maintain their data for several seconds without any power, thus allowing a channel for data leakage from any computer to which an attacker has physical access.

The group has established an excellent Web site full of information about this “cold boot attack”; the site includes a five-minute video lecture about the attack, some frequently asked questions, a guide to the experimental methods, some source code, and a collection of additional videos and photographs. 

The time over which the data are remembered depends largely on the make of the RAM chips. However, cooling RAM chips down to -50°C (-58°F) prior to power loss causes a significant prolongation of the data retention time, usually to several minutes. Therefore, it is now feasible to extract all data stored in live memory from a powered-on computer system by removing the cooled RAM chips and placing them into another computer system for analysis.

Under certain circumstances, it is not even necessary to physically move the RAM chips to another computer system: if the system is configured to allow booting from external media (e.g., CD/DVD, USB flash drive or those ancient floppy disks that some readers remember) then it may be possible to simply reset the system and to boot into a software-analysis environment.

This approach would usually work because the basic input/output system (BIOS) on most computers is configured to skip over RAM integrity checks for performance reasons; the checks would otherwise write a test pattern to all memory cells and read them back to verify the functional integrity of the hardware chips in RAM.

It might seem odd for an adversary to specifically target data in RAM if they have physical access to the target computer system – they could just easily access any data by reading it from the disk drive. However, if the target system is protected by full-disk encryption, then the data on the disk drive are practically inaccessible unless the adversary extracts the disk’s cryptographic key from RAM.

Cold-boot attacks represent a new vulnerability. The most significant aspect of this vulnerability is that no effective countermeasure exists; Halderman et al. write, “Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.” Thus, other actions must be implemented in order to address the associated risk.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.