Expert analysis: methods and countermeasures for cold boot memory image attacks

Source: Internet
Author: User

Among the many threats to computer security, the cold boot memory image attack (cold boot attack) is probably not familiar to everyone. Reading this title, some readers may not believe that confidential data, such as passwords and encryption keys, can be recovered from a computer's memory across a cold boot.

The common assumption is that the DRAM in an ordinary computer loses its contents as soon as power is removed, because the cells need power to hold their charge. How, then, could confidential information be recovered from it?

However, security researchers (the Princeton group whose tools are used later in this article) found that when power is cut, the contents of RAM are not erased instantly but persist for seconds to minutes, and considerably longer if the memory modules are cooled. This remanence can be exploited: a machine that is running, sleeping or suspended is reset or power-cycled, booted into a tiny imaging program, and its memory is captured while the data from the previous session, including any keys and passwords, is still largely intact.

Seen in this light, memory is far less safe than commonly assumed. An attacker with physical access to a machine can use this method against any disk or file encryption product that keeps its key in RAM while the volume is mounted, which software full-disk encryption must do.

This is because on all major operating systems, Windows, macOS and Linux alike, the encryption keys live in RAM (BitLocker, FileVault and dm-crypt/LUKS are all affected). If a user only locks the screen when stepping away, or merely suspends the laptop, an attacker familiar with this technique needs just a few minutes alone with the machine: enough time to reset it, capture the RAM contents, and later analyse the image to extract the key. A locked screen is no protection, because the operating system keeps the key in memory for as long as the volume remains mounted.

I. Methods for cold boot memory image attacks

An attacker with physical access to the machine carries out a cold boot memory image attack in two steps:

1. First, take a full image of the memory contents.

This is somewhat like using Ghost to image an operating system partition, but because of how memory behaves it requires more care. For example, booting a rescue mode from an installation disc does give access to memory, but the kernel, initrd and userland it loads overwrite large parts of RAM before anything can be captured, so the really important data is likely to be gone. The imaging program must therefore be as small as possible and must write the dump out without touching the rest of memory.

There are two ways to take a full memory image:

(1) Boot from a USB disk (or USB flash drive) that automatically runs the memory imaging tool and dumps the whole of RAM to the USB device.

The attacker then attaches the USB device to another computer and uses the companion tool to copy the raw dump from the device into a file.

(2) Load the memory imaging tool over the network via PXE boot. Because the imaging tool is tiny, it loads quickly, and it can stream the entire memory contents back to the PXE server within tens of seconds.

This method does not require the attacker to bring media to the computer, but the target's network card must support PXE boot and a PXE server must already be in place on the same network segment. Those two conditions make remote dumping harder to arrange than the USB method, unless the target network already meets them.

2. Once the memory contents have been written to an image file, the rest is much simpler: run a search tool over the image to find the data of interest. There are currently few such tools, and most of them only do simple searches, mainly for passwords and cryptographic keys. For example, the Princeton project that released bios_memimage also provides two such tools: aeskeyfind, which locates AES keys by searching the image for their expanded key schedules, and rsakeyfind, which locates RSA private keys.
II. Downloading and building the cold boot memory image attack tools

A dedicated tool is needed to analyse the memory image file, and before that a dedicated tool is needed to produce the image.

At present there are few memory imaging tools, and they only build on Linux distributions. To test whether the attack described in this article works, first go to citp.princeton.edu/memory/code and download the latest bios_memimage source tarball. If the target boots through EFI rather than a legacy BIOS, download the efi_netboot source package instead. Unpack the source packages before use. In this article, xuanyuan meixiang uses the bios_memimage source package.

Before using them, read the documentation included in the bios_memimage source package to learn how to build and use the tools.

Note that the tools support both 32-bit and 64-bit hardware, but the 32-bit build cannot be used on a 64-bit machine with a lot of memory, because it cannot address the physical memory above 4 GB and so cannot image all of it. Build the version that matches the target hardware.

To build the imaging tool for a 32-bit system, unpack the bios_memimage tarball, open a terminal, change into the bios_memimage directory and run make; after it compiles, install it with make install. For a 64-bit build, change into the bios_memimage directory and run make -f Makefile.64 instead.

If compilation fails with an undefined reference to __stack_chk_fail, the cause is that newer GCC versions enable stack protection by default, and the freestanding scraper has no libc to provide that function. Edit pxe/Makefile in the bios_memimage directory and change the line

CFLAGS = -ffreestanding -Os -Wall -I../include -march=i386

to:

CFLAGS = -ffreestanding -Os -Wall -I../include -march=i386 -fno-stack-protector

and rebuild.
III. USB-boot-based cold boot memory image attacks

The USB and PXE variants of the attack are used differently. The USB variant needs a USB storage device with enough capacity to hold the entire RAM image of the target, that is, at least as large as the target's installed memory.

To have the imaging tool run automatically when booting from the USB device, the bootable image scraper.bin from the bios_memimage package must be written to the raw USB device, not copied as a file into a filesystem on it.

This is done as follows:

Connect the USB device to a Linux PC and find out which device node it was given, for example with lsblk or dmesg. On my computer it is /dev/sdb. Then, in a terminal, write the boot image with dd:

sudo dd if=scraper.bin of=/dev/sdb

Root privileges are needed to write to the device. Double-check the device name first: dd writes to the raw device and overwrites whatever partition table and data were on it, so pointing it at the wrong disk destroys that disk.

After the command finishes, a portable USB device that runs the memory imaging tool at boot is ready.

To capture a memory image from a target computer with it:

Plug the USB device into the running target, press the reset button on the case (a reset keeps the RAM powered; if the machine has to be powered off, keep the off/on interval as short as possible), and enter the BIOS setup or boot menu to boot from the USB device. Once the USB boot succeeds, the imaging tool starts immediately and dumps the memory contents to the USB device; when it finishes, it powers off or restarts the computer.

Then remove the USB device and read it on another computer. The usbdump tool (in the usbdump directory of the bios_memimage source tree) copies the raw dump from the USB device into a file. For example, to save the captured image as memimage.img, open a terminal as root, change to the directory containing usbdump, and run:

sudo ./usbdump /dev/sdb > memimage.img
IV. PXE-based cold boot memory image attacks

To obtain a memory image of the target over PXE, a PXE server must be set up and the target's network card must be able to boot from the network (PXE boot enabled in the BIOS).

The PXE server must also run a TFTP service. Copy the binary built in the pxe directory of the bios_memimage package into the TFTP root of the PXE server, and edit the pxelinux configuration so that it boots that file.

Then someone cuts power to the target (or resets it) and, as quickly as possible, boots it from the network in PXE mode. When the target has obtained a DHCP lease and loaded the tool over the network, a status message is displayed.

Unlike the USB variant, the PXE variant does not write the dump to local media; the imaging tool waits for the collecting host to pull the memory contents over the network. On the PXE server, run the following from the pxedump directory, giving the target host's IP address, to receive the image:

./pxedump <target host IP address> > memimage.img

As the above shows, a PXE-based memory image attack is hard to carry out single-handed and needs infrastructure on the target network, so attackers are unlikely to use it often. The USB-based attack therefore deserves the most attention.
V. Analysing the memory image file

Once the memory image has been captured from the target, the next step is to find the important data in it, such as passwords and keys that were held in memory. As mentioned in the first part of this article, xuanyuan meixiang uses two tools from the same Princeton project to scan memory image files: aeskeyfind and rsakeyfind. Their installation and use are described below.

Installing the two tools is straightforward: open a terminal, unpack each tool, run make to compile it, then make install to install it.

Using them is equally simple, and detailed instructions are in the README file in each tool's directory. For a basic search, run the aeskeyfind or rsakeyfind binary with the memory image file as its argument. Any matching key it finds is printed.
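What aeskeyfind actually looks for is not the 16 key bytes themselves but the expanded key schedule that AES implementations keep in memory next to the key: 176 bytes for AES-128 in which every later round key is a deterministic function of the earlier ones, so any region of the image can be tested by re-expanding its first 16 bytes and comparing. Because DRAM decays bit by bit after power loss, the comparison has to tolerate a few wrong bits. The following Python program is an added illustration of that technique; it is not the Princeton tool's code, and the sample image, the planted key, its offset and the five flipped bits are all constructed here.

```python
"""Locate AES-128 key schedules in a raw memory image while tolerating bit
decay. Added illustration of the technique behind aeskeyfind; this is not the
Princeton tool's code, and the sample image below is constructed."""
import random


def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def _build_sbox():
    """Derive the FIPS-197 S-box (multiplicative inverse followed by the affine map)."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        s = inv
        for shift in range(1, 5):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
POPCOUNT = [bin(i).count("1") for i in range(256)]
SCHEDULE_LEN = 176  # 11 round keys of 16 bytes for AES-128


def expand_key(key, nwords=44):
    """AES-128 key expansion (FIPS-197 section 5.2); 44 words give the full 176-byte schedule."""
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, nwords):
        t = w[i - 1]
        if i % 4 == 0:  # RotWord, SubWord, then XOR the round constant into byte 0
            t = bytes((SBOX[t[1]] ^ RCON[i // 4 - 1], SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]))
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return b"".join(w)


def _bit_errors(a, b):
    """Hamming distance between two equal-length byte strings."""
    return sum(POPCOUNT[x ^ y] for x, y in zip(a, b))


def find_aes128_keys(image, max_bit_errors=16, round1_max_errors=4):
    """Return (offset, key, bit_errors) for every 176-byte region of `image`
    that is, up to `max_bit_errors` decayed bits, the expansion of its own
    first 16 bytes. A cheap check on round key 1 alone rejects almost every
    offset before the full expansion is computed."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        cand = image[off:off + 16]
        round1 = expand_key(cand, 8)[16:32]
        if _bit_errors(round1, image[off + 16:off + 32]) > round1_max_errors:
            continue
        errs = _bit_errors(expand_key(cand), image[off:off + SCHEDULE_LEN])
        if errs <= max_bit_errors:
            hits.append((off, bytes(cand), errs))
    return hits


def build_sample_image(size=32 * 1024, offset=0x2000, seed=7):
    """Constructed image: pseudo-random filler with one AES-128 key schedule
    planted at `offset`, then five single-bit flips in the later round keys to
    imitate DRAM cells that decayed after power loss. Returns (image, key, offset)."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    key = bytes(rng.getrandbits(8) for _ in range(16))
    buf[offset:offset + SCHEDULE_LEN] = expand_key(key)
    for rel in (50, 77, 120, 150, 170):  # all inside round keys 3..10
        buf[offset + rel] ^= 0x01
    return bytes(buf), key, offset


if __name__ == "__main__":
    image, key, offset = build_sample_image()
    for off, cand, errs in find_aes128_keys(image):
        print(f"offset 0x{off:x}: key {cand.hex()} ({errs} bit errors)")
```

The two thresholds are the tuning knobs: the round-1 filter must allow the decay expected in 16 bytes, and the full-schedule threshold decides how much decay still counts as a hit. This version tolerates errors only in the later round keys; errors in the first 16 bytes would make the re-expansion diverge, which is the harder case the real tool's reconstruction handles.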

Beyond key recovery there is no dedicated tool for the other kinds of data in the image, but the standard strings and grep commands can search the image for text of interest, for example:

strings memimage.img | grep -i password

Note that plain strings only finds single-byte (ASCII) text; Windows holds many strings in memory as UTF-16, and those only show up with strings -e l (16-bit little-endian encoding).
VI. Countermeasures

When an attacker has physical access to the target, the cold boot memory image attack is very effective, especially against laptops, which are usually suspended rather than shut down and are easy to carry off.

Nevertheless, the attack has real limitations. First, the target must be running, sleeping or suspended immediately before the attack, with the keys of interest still in RAM; a machine that has been properly shut down long enough for its memory to decay holds nothing useful. Second, some systems with ECC memory clear RAM during the BIOS power-on self-test in order to initialise the ECC check bits, so a simple reset gives the imaging tool nothing to read on such machines (the attacker would have to move the memory modules to another machine, which is considerably harder).

Therefore, to defend against cold boot memory image attacks: use ECC memory (or any platform whose firmware clears memory at POST) on important servers, physically restrict access to the machines, and disable the PXE network boot function of the network cards, along with USB boot. Beyond that, shut down rather than suspend a machine before leaving it unattended, so that the encryption key is no longer in RAM, and where the disk encryption product supports it require a PIN or external key at boot (for example BitLocker with TPM plus PIN) rather than unlocking automatically from the TPM alone, since with automatic unlock the key is back in memory as soon as the machine boots. Combined, these measures are very effective.

However, these defences do little against insiders. An employee with access to the target computer can easily use the USB imaging tool to pull important data out of the memory of a server that is merely screen-locked, and then carry the USB disk out of the company. This is
