Today’s Hack a Day post linked to this article on recovering encryption keys from RAM, so I thought I’d look into defences against this kind of attack.
There are simple ways to defeat this, and although they are not 100% reliable, they are pretty effective.
You have to consider what sort of situation this attack is likely to be used in. The attacker would have to get to the machine while it is powered on, but be unable to access it due to software security (passwords etc.). So, they reboot the system and try to recover the encryption keys from RAM, or remove the RAM from your computer (possibly after freezing it) and install it in their own machine.
Why would you need to put the RAM in another machine if you could just hit the reset button? Well, the reset button might be disconnected, or the BIOS might be set up to do a full memory check, which would overwrite every byte in RAM. The only way to be sure of avoiding the BIOS wiping RAM would be to power the machine off, reset the BIOS and power it back on. Note that on laptops, even resetting the BIOS (which is typically very difficult, as it involves opening the laptop up) often does not clear the power-on password.
A note about UK law here. The RIP Act means that the police can force you to hand over passwords. Luckily Truecrypt features plausible deniability, but it might be hard to argue that you didn’t know the power-on password for your laptop. That’s the biggest problem with that law – instead of the police having to prove you are guilty, you have to prove you are innocent. So, it’s probably not a good idea to rely on the power-on password.
So, the attacker wants to freeze the RAM and put it into their own machine for reading. It’s going to be hard to freeze it, transport it to the new machine and install it without data loss, but for argument’s sake let’s say it’s possible. Certainly, the CITP paper seems to think it is.
Most machines have a case-open switch, which could be used to trigger a memory-wiping program. Assuming the program was intelligent, things like encryption keys could be erased in nanoseconds, and the entire RAM in a few seconds. The attacker would have to power off before opening the case, increasing the time before they can freeze the RAM and thus increasing data loss. The power button itself could also be used as a trigger, in case the attacker is stupid enough to press it instead of pulling the plug.
Anyone worried about being raided should probably set up a panic switch, or at least be ready to hit the reset button to allow the BIOS to clear the RAM. Truecrypt should ideally be configured to dismount any encrypted volumes when the machine is sleeping or the screensaver is engaged, although that’s not always practical (e.g. with boot volume encryption).
The ideal solution would be a PCI-e card with a small amount of RAM for encryption keys, a microprocessor and a battery/capacitor. As soon as power goes off, the uproc would securely erase the RAM. Maxim make ICs that do just that; all we need is an implementation. It’s a shame USB can’t be used (any cheap uproc would do), but USB devices cannot be mapped into the memory address space.
Of course, even this wouldn’t prevent any open documents, cached directory listings etc from being recovered.
A program to wipe the physical RAM on shut-down of Windows would be ideal, but not trivial to write, since it would need a complex driver to access RAM and figure out which bits can be cleared (because you don’t want to crash the OS). A simpler but less effective method would be a program that simply requests allocation of non-paged RAM (i.e. physical RAM) repeatedly until allocation fails (and presumably RAM is filled up), similar to how Eraser’s free disk space wipe works.
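The “intelligent” wipe described above, where a trigger erases the keys in nanoseconds rather than scrubbing all of RAM, comes down to two things: keep every key in one known, non-swappable buffer, and zero it with a write the compiler cannot optimise away. The following is an added example written for this post, not code from the original article or from the CITP paper. It is a small POSIX C “key custodian”: `mlock` (real POSIX call) pins the key pages out of swap, a volatile function pointer to `memset` defeats dead-store elimination, and `SIGUSR1` is an assumed stand-in for the case-open switch or panic button that would fire the wipe on a real system. The sample key bytes are constructed, not a real secret.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define KEY_LEN 32  /* e.g. one AES-256 key */

/* All key material lives in this one buffer, so there is exactly one thing to
 * wipe when the trigger fires and no stray copies scattered around the heap. */
static uint8_t key_buf[KEY_LEN];
static volatile sig_atomic_t key_wiped = 0;

/* memset reached through a volatile function pointer. A plain memset on a
 * buffer that is never read again is a "dead store" the optimiser may delete,
 * leaving the key in RAM; a call through a volatile pointer cannot be removed. */
static void *(*volatile memset_v)(void *, int, size_t) = memset;

void secure_wipe(void *p, size_t n)
{
    memset_v(p, 0, n);
}

/* Load a key. mlock() pins the page so it is never written to swap; failure
 * (e.g. RLIMIT_MEMLOCK in a container) is reported but not fatal.
 * Returns 1 if the pages were locked, 0 if not. */
int key_load(const uint8_t *src, size_t n)
{
    int locked = (mlock(key_buf, sizeof key_buf) == 0);
    secure_wipe(key_buf, sizeof key_buf);          /* never mix old and new bytes */
    memcpy(key_buf, src, n < KEY_LEN ? n : KEY_LEN);
    key_wiped = 0;
    return locked;
}

/* The wipe itself: what a case-open switch, power-button interrupt or panic
 * key should call. Only async-signal-safe work, so it may run from a handler. */
void panic_wipe(void)
{
    secure_wipe(key_buf, sizeof key_buf);
    key_wiped = 1;
}

/* Signal handler standing in for the hardware trigger (assumption: SIGUSR1). */
static void on_panic(int sig)
{
    (void)sig;
    panic_wipe();
}

/* Install SIGUSR1 as the software "panic switch". Returns 0 on success. */
int install_panic_trigger(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_panic;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGUSR1, &sa, NULL);
}

/* Post-wipe check: 1 if every key byte is zero, else 0. OR-accumulating over
 * the whole buffer avoids an early exit that depends on the key's contents. */
int key_is_zero(void)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        acc |= key_buf[i];
    return acc == 0;
}

int key_was_wiped(void)
{
    return key_wiped != 0;
}

/* End-to-end check: load a constructed key, fire the trigger, confirm the
 * wipe. Returns 1 when the key was non-zero before and all-zero after. */
int demo_run(void)
{
    uint8_t sample[KEY_LEN];                 /* constructed sample, not a real key */
    for (size_t i = 0; i < KEY_LEN; i++) sample[i] = (uint8_t)(0xA5 ^ i);

    if (install_panic_trigger() != 0) return 0;
    int locked = key_load(sample, sizeof sample);
    printf("key pages %s\n", locked ? "locked (mlock)" : "not locked");
    if (key_is_zero() || key_was_wiped()) return 0;

    raise(SIGUSR1);                          /* simulate the panic switch */
    secure_wipe(sample, sizeof sample);      /* the stack copy must go too */
    return key_is_zero() && key_was_wiped();
}

int main(void)
{
    int ok = demo_run();
    printf("key wiped after trigger: %s\n", ok ? "yes" : "NO");
    return ok ? 0 : 1;
}
```

On a real machine the trigger would be the case-open or power-button GPIO delivered to a driver rather than a Unix signal, and `mlock` would be replaced by whatever the OS offers for non-paged memory; the shape of the design (one buffer, one wipe, a wipe the compiler cannot elide, and a check that it happened) is the part that carries over.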
Really, this kind of attack, assuming you are reasonably well prepared for it, is not particularly effective. For anyone worried about law enforcement, setting the BIOS to do a full memory test and setting a BIOS password is probably enough to prevent it in most cases. An improvement would be to make sure your BIOS does a full memory test by default (i.e. after being reset). Some mobos do that; if yours doesn’t, a BIOS editor might fix that.