Defending against Cold Boot attacks using COTS devices

In this thesis we investigate the usage of commercial-off-the-shelf devices to accelerate and improve the security of software-based memory encryption solutions. Memory encryption represents a valuable asset against cold boot attacks, a class of threats in which a strong attacker, with physical access to a running system, could retrieve the whole memory contents and potentially access the secrets used by cryptographic algorithms, such as the encryption keys. Software-based cryptography relies on hardware enforced protection domains, configured by the operating system, to ensure that secrets remains private and not accessible to other actors in the system. For instance, the hardware could implement memory protection facilities which guarantee that applications running on different address spaces do not access or interfere with other applications’ memory. The underlying assumptions are that, if the operating system is bug-free, the only way to overcome its protections consists in stopping its execution, for example by performing a machine reset. Since a machine reset would cause the loss of all the memory contents, secrets eventually stored in it could no longer be available to potential attackers. Unfortunately, this latter assumption does not hold in practice. System memory consists of several DRAM chips which are implemented as small capacitors, which could retain the charge, and thus the information, for seconds or even minutes after a reboot or a power off. In cold boot attacks, a malicious actor with physical access to a locked machine, could reset the system and boot a minimal, custom operating system designed to read all memory contents and dump them, for example on a removable USB drive, for later analysis. Consider now Full Disk Encryption schemes, where data on disk are kept encrypted while at rest. At system boot, the user is asked for a passphrase, from which a key is derived and used to encrypt or decrypt data at runtime, as necessary. Commonly, such key is kept cached in system memory since asking for the passphrase to the user at every access is unpractical. An attacker having access to a memory dump may retrieve such key and later on to access disk contents. i Memory encryption represents an effective mitigation against cold boot attacks. While in the recent past some hardware vendors have integrated circuits to support a form of memory encryption in their CPUs, the resulting products are not commonly available or, when they are, rather expensive. Software memory encryption solutions on the other hand allows for back-compatibility and are applicable to a wider range of existing systems. Moreover, the flexibility and convenience of a software solution allows researchers to easily adapt to more recent advances in cryptographic research field, enabling fast prototyping at minor costs. However, software memory encryption solutions must face three fundamental challenges: i) transparency: to support existing software applications avoiding the cost of software changes, ii) security and key secrecy: to avoid tampering or leaks of the memory encryption key in RAM, which is considered untrusted, iii) performance: software-based cryptographic primitives are usually slower than their hardware counterparts, thus their impact on the performances of protected applications is not negligible. In this thesis we introduce two novel software memory encryption solutions, MemShield and K-MemShield, which uses a discrete GPU both as key store and co-processor to securely accelerate cryptographic operations, without requiring changes to the existing applications. Memory encryption appears to be atomic with respect of system memory, and is performed at page granularity: a page in memory could only appear encrypted or in clear. Accesses to the encrypted pages are intercepted in software and the unencrypted version are transparently provided to the applications. Only a constant number of pages are kept in clear: after a threshold is reached, least recently used pages are encrypted again. All cryptographic operations are performed by a GPU. Both the key and the intermediate states of the cipher are kept securely in GPU registers, whose contents are lost if a system reboot is triggered. This guarantees that a cold boot attack could not expose either the key or the encrypted data. The MemShield prototype was designed and implemented as a privileged GNU/Linux user space daemon, and does not require changes to the operating system kernel. Detection of memory accesses is performed in user space by employing the userfaultfd Linux framework. K-MemShield instead was implemented as a Linux kernel patch to further improve the performance and the security guarantees offered by the previous solution. Notably, GPU hardware vendors support programming their own devices only using proprietary tools and libraries in user space. We designed K-MemShield in order to not require fragile reverse engineered code dependencies or a persistent daemon in user space acting as a proxy to communicate with the proprietary GPU from kernel mode, notably increasing the security of our solution.