Cold Boot Attacks are Still Hot: Security Analysis of Memory Scramblers in Modern Processors

2017 IEEE International Symposium on High Performance Computer Architecture (HPCA) Pub Date : 2017-02-01 DOI:10.1109/HPCA.2017.10

Salessawi Ferede Yitbarek, Misiker Tadesse Aga, R. Das, T. Austin

{"title":"Cold Boot Attacks are Still Hot: Security Analysis of Memory Scramblers in Modern Processors","authors":"Salessawi Ferede Yitbarek, Misiker Tadesse Aga, R. Das, T. Austin","doi":"10.1109/HPCA.2017.10","DOIUrl":null,"url":null,"abstract":"Previous work has demonstrated that systems with unencrypted DRAM interfaces are susceptible to cold boot attacks – where the DRAM in a system is frozen to give it sufficient retention time and is then re-read after reboot, or is transferred to an attacker's machine for extracting sensitive data. This method has been shown to be an effective attack vector for extracting disk encryption keys out of locked devices. However, most modern systems incorporate some form of data scrambling into their DRAM interfaces making cold boot attacks challenging. While first added as a measure to improve signal integrity and reduce power supply noise, these scram-blers today serve the added purpose of obscuring the DRAM contents. It has previously been shown that scrambled DDR3 systems do not provide meaningful protection against cold boot attacks. In this paper, we investigate the enhancements that have been introduced in DDR4 memory scramblers in the 6th generation Intel Core (Skylake) processors. We then present an attack that demonstrates these enhanced DDR4 scramblers still do not provide sufficient protection against cold boot attacks. We detail a proof-of-concept attack that extracts memory resident AES keys, including disk encryption keys. The limitations of memory scramblers we point out in this paper motivate the need for strong yet low-overhead full-memory encryption schemes. Existing schemes such as Intel's SGX can effectively prevent such attacks, but have overheads that may not be acceptable for performance-sensitive applications. However, it is possible to deploy a memory encryption scheme that has zero performance overhead by forgoing integrity checking and replay attack protections afforded by Intel SGX. To that end, we present analyses that confirm modern stream ciphers such as ChaCha8 are sufficiently fast that it is now possible to completely overlap keystream generation with DRAM row buffer access latency, thereby enabling the creation of strongly encrypted DRAMs with zero exposed latency. Adopting such low-overhead measures in future generation of products can effectively shut down cold boot attacks in systems where the overhead of existing memory encryption schemes is unacceptable. Furthermore, the emergence of non-volatile DIMMs that fit into DDR4 buses is going to exacerbate the risk of cold boot attacks. Hence, strong full memory encryption is going to be even more crucial on such systems.","PeriodicalId":118950,"journal":{"name":"2017 IEEE International Symposium on High Performance Computer Architecture (HPCA)","volume":"13 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"54","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IEEE International Symposium on High Performance Computer Architecture (HPCA)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/HPCA.2017.10","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 54

Abstract

Previous work has demonstrated that systems with unencrypted DRAM interfaces are susceptible to cold boot attacks – where the DRAM in a system is frozen to give it sufficient retention time and is then re-read after reboot, or is transferred to an attacker's machine for extracting sensitive data. This method has been shown to be an effective attack vector for extracting disk encryption keys out of locked devices. However, most modern systems incorporate some form of data scrambling into their DRAM interfaces making cold boot attacks challenging. While first added as a measure to improve signal integrity and reduce power supply noise, these scram-blers today serve the added purpose of obscuring the DRAM contents. It has previously been shown that scrambled DDR3 systems do not provide meaningful protection against cold boot attacks. In this paper, we investigate the enhancements that have been introduced in DDR4 memory scramblers in the 6th generation Intel Core (Skylake) processors. We then present an attack that demonstrates these enhanced DDR4 scramblers still do not provide sufficient protection against cold boot attacks. We detail a proof-of-concept attack that extracts memory resident AES keys, including disk encryption keys. The limitations of memory scramblers we point out in this paper motivate the need for strong yet low-overhead full-memory encryption schemes. Existing schemes such as Intel's SGX can effectively prevent such attacks, but have overheads that may not be acceptable for performance-sensitive applications. However, it is possible to deploy a memory encryption scheme that has zero performance overhead by forgoing integrity checking and replay attack protections afforded by Intel SGX. To that end, we present analyses that confirm modern stream ciphers such as ChaCha8 are sufficiently fast that it is now possible to completely overlap keystream generation with DRAM row buffer access latency, thereby enabling the creation of strongly encrypted DRAMs with zero exposed latency. Adopting such low-overhead measures in future generation of products can effectively shut down cold boot attacks in systems where the overhead of existing memory encryption schemes is unacceptable. Furthermore, the emergence of non-volatile DIMMs that fit into DDR4 buses is going to exacerbate the risk of cold boot attacks. Hence, strong full memory encryption is going to be even more crucial on such systems.

查看原文本刊更多论文

冷启动攻击仍然很热:现代处理器中内存扰频器的安全性分析

以前的工作已经证明，具有未加密的DRAM接口的系统容易受到冷启动攻击——系统中的DRAM被冻结以给予足够的保留时间，然后在重新启动后重新读取，或者被转移到攻击者的机器上以提取敏感数据。这种方法已被证明是一种有效的攻击向量提取磁盘加密密钥锁定设备。然而，大多数现代系统在其DRAM接口中加入了某种形式的数据扰置，这使得冷启动攻击具有挑战性。虽然最初是作为提高信号完整性和降低电源噪声的措施而添加的，但这些扰频器现在用于掩盖DRAM内容的附加目的。先前已经证明，加密的DDR3系统不能提供有意义的保护，防止冷启动攻击。在本文中，我们研究了在第6代英特尔酷睿(Skylake)处理器中引入的DDR4内存扰频器的增强功能。然后，我们提出了一个攻击，证明这些增强的DDR4扰频器仍然不能提供足够的保护来抵御冷启动攻击。我们详细介绍了一种概念验证攻击，它可以提取内存驻留AES密钥，包括磁盘加密密钥。本文指出的内存扰频器的局限性激发了对强而低开销的全内存加密方案的需求。现有的方案(如英特尔的SGX)可以有效地防止此类攻击，但对于性能敏感的应用程序来说，其开销可能无法接受。然而，通过放弃Intel SGX提供的完整性检查和重放攻击保护，可以部署零性能开销的内存加密方案。为此，我们提出的分析证实了现代流密码(如ChaCha8)足够快，现在可以完全重叠密钥流生成与DRAM行缓冲区访问延迟，从而能够创建具有零暴露延迟的强加密DRAM。在下一代产品中采用这种低开销措施，可以有效地关闭系统中的冷启动攻击，在这些系统中，现有内存加密方案的开销是不可接受的。此外，适合DDR4总线的非易失性dimm的出现将加剧冷启动攻击的风险。因此，在这样的系统上，强大的全内存加密将变得更加重要。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2017 IEEE International Symposium on High Performance Computer Architecture (HPCA)

自引率

0.00%

发文量