Cold boot attack

In cryptology, the cold boot attack is a side-channel attack in which an attacker with physical access to the target computer reads out the contents of memory after the system has been shut down.

It is based on data remanence in common RAM modules, in which, under certain conditions (or simply because of manufacturing tolerances), the charge dissipates not within milliseconds but gradually over seconds to minutes, so that the contents of the memory cells may still be read out successfully and completely after several minutes. Depending on the computer, such residues can still be found after several seconds to minutes without power. Cooling the memory modules extends the remanence time drastically. After the modules are treated with cooling spray, the information is retained for many minutes.

In the attack presented at the USENIX conference in July 2008, researchers from Princeton University succeeded in forensically reading out data directly after a cold start. For the attack, the target computer is cold-restarted with a minimal operating system. Because this minimal system uses very little memory, it leaves as much of the memory as possible untouched, so that this memory still contains exactly what it held before the restart.

From the data read out, the cryptographic keys to encrypted data that was being accessed at the moment of the crash can then be extracted. This could be, for example, the key of a full-disk encryption system.

Countermeasures

The accepted best practice for reducing the chances of an attack is to overwrite the key when the volume is unmounted (for example, when the system is shut down), so that the data is safe at least from that point on. As a countermeasure, the Trusted Computing Group recommends in the "TCG Platform Reset Attack Mitigation Specification" that the BIOS clear the contents of memory during the power-on self-test when an unclean termination of the operating system has been detected. However, this at most prevents a compliant computer itself from being used for the readout.
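The overwrite-on-unmount practice described above, sketched in C as an added example (not code from this article or from any disk-encryption project). The struct volume_key type and all function names are hypothetical; the point shown is that the wipe must survive compiler optimization and that no second copy of the key may be left behind.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 32

/* Hypothetical holder for the key of one mounted volume. */
struct volume_key {
    uint8_t bytes[KEY_LEN];
    int     loaded;              /* 1 while the volume is mounted */
};

/* Zero through a volatile pointer: a plain memset() on a buffer that is
 * never read again may be removed by the optimizer as a dead store. */
static void secure_wipe(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Mount: take the key and wipe the caller's buffer, so exactly one
 * copy remains in RAM for volume_key_unload() to overwrite. */
int volume_key_load(struct volume_key *vk, uint8_t *key, size_t len)
{
    if (len != KEY_LEN) return -1;
    memcpy(vk->bytes, key, KEY_LEN);
    secure_wipe(key, len);
    vk->loaded = 1;
    return 0;
}

/* Unmount or shutdown: overwrite the key before anything else happens. */
void volume_key_unload(struct volume_key *vk)
{
    secure_wipe(vk->bytes, KEY_LEN);
    vk->loaded = 0;
}

/* Number of non-zero key bytes still present (0 after a clean unload). */
size_t volume_key_residue(const struct volume_key *vk)
{
    size_t n = 0;
    for (size_t i = 0; i < KEY_LEN; i++) n += (vk->bytes[i] != 0);
    return n;
}
```

While the volume is mounted the key is still in RAM; the wipe only protects the data from the moment of unmounting onward, as stated above.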

One way to address the underlying problem is to hold keys and similar material only in the processor cache. The cache is embedded in a chip that is not easy to remove and that, on power-up, performs an initialization which destroys the memory contents. It is important to ensure that the cache contents are not, as is usual, synchronized with main memory ("no fill" mode). In practice, the method slows the processor down to the point of being unusable.

Another approach is to hold a key only in the processor's registers. For Linux on x86-64 systems and for Android on ARM, an implementation of this approach is available as a kernel patch; for other x86-64 operating systems (e.g. Microsoft Windows) it is available as a hypervisor. On a 64-bit processor with the AES instruction set, the performance loss is negligible according to the developers.
