Lest We Remember: Cold Boot Attacks on Encryption Keys

Just in case you haven't already read about this... Some researchers from Princeton have published a paper about methods which can be used to attack full-disk-encryption (FDE) schemes.

They have demonstrated that at least BitLocker (Windows Vista), FileVault (MacOS X) and dm-crypt (Linux) are vulnerable to this type of (partly hardware-based) attack scenarios. Quite likely lots of similar other solutions are vulnerable as well.

The main problem is that (contrary to popular belief) RAM does indeed retain its data for a non-trivial amount of time after power is cut (seconds, even minutes or hours if it's cooled down enough), so you can mount some new attacks such as:

  • Get physical access to laptop/computer, cut power to it (the hard way), reboot with a special live CD or USB thumb drive and some special software which dumps the RAM contents to an external disk (or sends it via network). As RAM contents are still there a few seconds after the power is cut, this works astonishingly well.
  • Get physical access to laptop/computer, open it, remove RAM DIMMs while the computer is running, insert them into your own prepared computer and read the RAM contents using some special software.

Yes, all attacks assume that the attacker has physical access to your PC/RAM, in which case you already have several other problems. Still, the new thing about this is that even full-disk-encryption doesn't help much in some cases. You probably shouldn't depend too much on it (but you shouldn't stop using disk encryption either, of course!).

Full paper: coldboot.pdf. There are also some demo videos and pictures.

More coverage at Boing Boing, Bruce Schneier's weblog, Freedom to Tinker, Slashdot, Heise (German), and many more...

Make sure to read the comments of the various articles for more scenarios and possible ideas for how to prevent such attacks. Some ideas include enabling the BIOS RAM checks (which might explicitly erase RAM contents on reboot; that doesn't help in all cases, though) or using coreboot (previously LinuxBIOS) to erase RAM contents at boot-up and/or shutdown.

It's a highly non-trivial issue, though, there's no easy and complete fix so far. The only sure way is to not have your laptop or PC stolen and to not give attackers physical access to your computers.

LinuxBIOS is now called coreboot

Public Service Announcement: The LinuxBIOS project, a Free Software project which intends to replace the proprietary BIOS found in most computers these days, has been renamed to coreboot.

The old name has become quite a misnomer in recent years; the name LinuxBIOS created the impression that it's a drop-in BIOS-replacement and that it's using Linux or is Linux-specific in any way. Neither is the case.

  • coreboot is not a BIOS in the sense that it provides the legacy BIOS callbacks / interrupt routines. Instead, coreboot is just a small hardware initialization firmware. It does some basic hardware init, then hands over control to one of many possible payloads. This can be a boot loader such as FILO (or GRUB2, which shall ultimately replace FILO) if you want to boot from disk, or Plan 9, or memtest86, or a Linux kernel, or OpenBIOS/OpenFirmware/SmartFirmware, or...
  • coreboot is not Linux or Linux-specific. Yes, it can indeed use Linux kernels as payload (i.e., you put the Linux kernel in your flash ROM chip together with coreboot) or boot a Linux kernel indirectly using FILO/GRUB2. But as mentioned above it can also be used (together with the fitting payload) to boot other OSes or systems such as Plan 9, Windows, FreeBSD, and others.

The initial author and project leader of LinuxBIOS/coreboot, Ron Minnich, explains in more detail why the renaming was done in his original announcement on the coreboot mailing list.

Sim City, Micropolis, Lincity, Lincity-NG

Lincity-NG screenshot

Hm, time for some nostalgia. The original Sim City game is now GPL'd under the new name Micropolis, and currently being packaged for Debian. There goes my 3.7 minutes of spare time per day...

If you're into such games, the Lincity clone has been around for some time now, too. And, as I found out yesterday, there's also Lincity-NG, which is a more recent clone with better (3D/isometric) graphics, sound, etc.

$ apt-get install lincity-ng

(run it as lincity-ng --sdl if you don't have 3D-accelerated drivers)

Have fun!

Checking the ink level of your printer with ink / libinklevel / qink

qink screenshot

Very nice tool I recently discovered: ink, a small tool using libinklevel, used to query the ink level of your printer (USB or parallel). In my case this is an Epson Stylus DX4200 (which works very nicely and out of the box btw).

Installation:

$ apt-get install ink

Usage:

$ ink -p usb
ink v0.4.1 © 2007 Markus Heinz

EPSON Stylus DX4200

Cyan:                          76%
Magenta:                       76%
Yellow:                        76%
Photoblack:                    72%

Graphical ink level display:

$ apt-get install qink

Another nice tool built upon libinklevel is called qink, which is a QT-based GUI which displays the same information graphically (see screenshot).

A list of printers supported by libinklevel is available.

Recent LinuxBIOS progress

LinuxBIOS ROM Chip Logo

Since the "World's First Motherboard Using LinuxBIOS Released" hype at the beginning of this year (which was incorrect btw; it was not the first supported desktop board, there were many others before), LinuxBIOS hasn't been in the news very much. That doesn't mean that there was no progress, however. We've been working hard behind the scenes to improve the LinuxBIOS code, add support for new chipsets and boards, and advance the upcoming next-generation LinuxBIOSv3 version which will brings lots of great improvements in various areas.

Here's a random collection of stuff that happened in the last few months.

New chipsets:

  • AMD K8 / NVIDIA MCP55, contributed by Yinghai Lu of AMD
  • VIA VT82C686A/B southbridge, contributed by Corey Osgood
  • AMD Geode LX / CS5536, contributed by Marc Jones and Jordan Crouse of AMD
  • Intel 810 northbridge, contributed by Corey Osgood
  • AMD K8 / VIA K8T890 / VT8237R, contributed by Rudolf Marek / Corey Osgood
  • AMD K8 / SiS761GX / SiS966(L), contributed by Morgan Tsai of SiS

New mainboards:

  • Sun Ultra40, contributed by Ronald G. Minnich (LinuxBIOS project founder)
  • K9SD Master-S2R (MS-9185), contributed by Bingxun Shi of MSI
  • K9SD Master Series (MS-9282), contributed by Bingxun Shi of MSI
  • GIGABYTE GA-M57SLI-S4, contributed by Yinghai Lu of AMD
  • NVIDIA l1_2pvv, contributed by Yinghai Lu of AMD
  • Supermicro H8DMR, contributed by Yinghai Lu of AMD
  • Tyan S2912, contributed by Yinghai Lu of AMD
  • Tyan S1846, contributed by myself
  • AMD Norwich (AMD Geode LX reference platform), contributed by Marc Jones and Jordan Crouse of AMD
  • IGEL Winnet III thin client, contributed by myself
  • ASUS A8N-E, contributed by Phillip Degler
  • IEI JUKI-511P, contributed by Nikolay Petukhov
  • IEI ROCKY-512, contributed by Nikolay Petukhov
  • AMD DB800 (a.k.a. Salsa), contributed by Marc Jones and Jordan Crouse of AMD
  • ASUS MEW-VM, contributed by Corey Osgood
  • Artec Group DBE61, contributed by Marc Jones and Jordan Crouse of AMD
  • PC Engines ALIX.1C, contributed by Ronald G. Minnich
  • MSI MS-6178, contributed by myself
  • MSI MS-7260 (K9N Neo), contributed by myself
  • IGEL-316 thin client, contributed by Jürgen Beisert
  • AXUS TC320 thin client, contributed by Jürgen Beisert
  • GIGABYTE GA-2761GXDK (Churchill), contributed by Morgan Tsai of SiS
  • And a bunch of older Intel 440BX based boards, contributed by myself with some help by testers via IRC: ASUS P2B/P2B-F/P3B-F, A-Trend ATC-6220, AZZA PT-6IBD, Biostar M6TBA, Compaq Deskpro EN SFF P600, GIGABYTE GA-6BXC
  • ASUS A8V-E SE, contributed by Rudolf Marek

Note that not all of these may be 100% supported, some may still be work in progress with some TODO items left... Check the LinuxBIOS wiki or ask on the mailing list for details.

The future

Most work will probably go into LinuxBIOSv3 in the future, in order to make it suitable for productive use.
Of course, work on new chipsets and boards will continue, too. For example the VIA CN700 chipset (plus Jetway J7F2WE board using it) is being worked on right now, probably also several others I don't know about.

Call for board testers

If you're interesting in trying out LinuxBIOS, please check the list of supported motherboards. If your board is not listed there, but the chipset is already supported we can probably add support for your board relatively easy with some testing help from you.

Please contact us on IRC or preferrably on the mailing list if you want to help get your board supported!

An (incomplete) list of good candidate boards for future support is available in the wiki.

Thanks!

We're very grateful for the many contributors who have helped us with testing and fixing existing code, or who even contributed code for new chipsets and motherboards. Thanks a lot!

Many thanks especially to all hardware vendors who have been supporting us or even actively contributed by submitting code for their chipsets or boards (recently or in the past), including AMD, SiS, VIA, MSI, Tyan, Artec Group, and many others. Your efforts are very appreciated. Thanks!

Syndicate content