7

I've looked at the documentation and it mentions that upon shutdown the data residing in the RAM is overwritten, however it doesn't go into any detail on how it does this.

Documentation link: https://tails.boum.org/doc/advanced_topics/cold_boot_attacks/index.en.html

Is there any foreseeable way that this could be bypassed or even recovered following a cold boot attack?

Also, could something else interfere with the shutdown whilst the user is on the OS? For example, some malware that's executed that would bypass the data in RAM being overwritten.

Dane
  • I am sure that you can attack *any* OS with a cold boot attack: simply pull the power plug after the RAM has been cooled down (a reset might even work, too). – marstato Apr 06 '16 at 13:29
  • 2
    From my understanding - if you are using newer DDR3 RAM (so not your grandpa's computer) then at shutdown within a few milliseconds any data would be "forgotten". Even without that RAM wiper which is part of TailsOS you should be safe. Only way to beat the above would be to spray the RAM with liquid air to freeze it before pulling plug or shutting down. – k1308517 Apr 06 '16 at 14:43
  • Even in DDR3, memory persists for much longer than a few milliseconds. It lasts a few seconds, and will last minutes or more when cooled. Of course, it's pretty hard to grab a computer, open it up, remove all the memory modules, transplant them into a working motherboard and power it on in the space of just a few seconds. – forest Apr 07 '16 at 06:44

2 Answers

7

Could malware interfere with the wiping process?

If there is malware present on the system, then yes, it will be able to interfere with the memory wiping process. If a malicious process spawns many copies of itself in memory, it can prevent the processes which initiate memory wiping from executing, essentially causing the computer to hang. This is an extremely simple attack called a fork bomb, which fills up the system process table and prevents new processes from forming. Even unplugging the USB stick will not kick the computer out of this frozen state, and only holding down the power button can power it off. The malware does not need root privileges either. It can do this as a regular user. This is not a very likely threat though, because it would have to be tightly coordinated with a physical raid against you, which is unlikely. It would be much easier to prevent you from pulling out the USB stick than it would be to get malware on the system. This is not an intrinsic limitation in Linux, however, and Tails could be configured in the future to resist such denial of service attacks from non-root users quite well by using PAM. Malware which has root permissions will still be able to do practically whatever it wants, though.

Is there any way to recover wiped memory?

In theory, yes, but not because the memory can be recovered after it is wiped. On some systems, the wiping fails. This is usually not a big deal because it only saves you a few extra seconds of time. On very old computers, it can save a minute at most. If the wiping fails and your computer has DDR3 or DDR4 memory, just make sure it stays off for 5 seconds or so and the memory will fade naturally. If you have older DDR2 memory, wait a few minutes just to be sure.

If you are asking whether or not a cold boot attack after a successful erasure of memory can recover previous contents, then I would say absolutely not. Not with 21st century technology, at least.

Cold boot attacks against VRAM

There is however a different problem regarding recovering memory, and that is video memory, or VRAM. VRAM in most video cards is usually either true DDR3, or GDDR4/GDDR5. GDDR4 and GDDR5 are based on DDR3, but optimized for higher bandwidth and thus graphical tasks. Because they are based on DDR3, similar cold boot techniques against them likely apply. Tails currently cannot wipe video memory on shutdown. Cold boot attacks against video memory are possible, and they allow for reconstructing framebuffers from while the system was powered on, along with calculations the GPU was making at the time. If your system uses integrated graphics (i.e. the GPU is contained entirely in the CPU, and not a discrete graphics card), then cold boot attacks against video memory on Tails become much harder. This is mostly problematic for people with discrete GPUs. There are a few possible solutions to this, other than simply waiting the few seconds for the memory to naturally fade, but Tails has not yet implemented them. I'm actually working on a few of them in my free time and may contribute them to Tails. Other people are as well, so this is not unknown and it won't necessarily be an issue forever.

But what is the actual risk?

Honestly, I would not worry about the possibility of memory wiping failing or being defeated on Tails. Modern RAM (DDR3 and DDR4) needs to be cooled down to more than -30 degrees Celsius in order to retain any information for more than a couple of seconds. The Tails memory wiping feature is there primarily for older computers using DDR2 (or god forbid, ancient DDR) memory, where if you power off the machine and walk away, someone can walk up to it 3 minutes later and recover a significant portion of the information on it (even that is a worst case scenario. Most DDR2 memory fades in under a minute). With modern memory, they would have to be right there, freezer spray in hand, with the computer ripped open and equipment next to them, as you shut the system down for them to have any chance at recovering memory. And that would be even if you didn't wipe RAM!

As long as you have DDR3 or DDR4 memory, and you are able to shut down your system several seconds before "they" get their hands on it, then you are completely safe. Cold boot attacks are a risk if either you have 1) DDR2 or DDR memory, or 2) your computer is taken from you while it is still on, and your adversary has ample time to prepare and freeze the memory sticks while the system is still running.

All technical details aside, how should you defend yourself?

If an adversary is about to gain physical access to your computer, you must power it off, there is no way around that. If they take the computer and you are not able to get it to shut down, they will be able to do whatever they want with it. But if you manage to yank the USB stick out before that happens, then you are completely safe (from the threat of cold boot attacks).

forest
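The "overwritten" step the question asks about, as an added illustration that is not Tails' own code: a wipe routine in C that writes through a volatile pointer so the compiler cannot silently drop the stores, run over a constructed in-memory secret and then verified. All function names here are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Overwrite len bytes with val through a volatile pointer: a plain memset()
 * on memory never read again is a dead store the optimiser may delete. */
static void volatile_fill(void *buf, size_t len, unsigned char val)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = val;
}

/* Wipe in the style of overwrite-on-shutdown tools: alternating bit patterns,
 * then zeros. One pass is enough for DRAM; extra passes only illustrate it. */
void secure_wipe(void *buf, size_t len)
{
    static const unsigned char patterns[] = { 0x55, 0xAA, 0x00 };
    for (size_t i = 0; i < sizeof patterns; i++)
        volatile_fill(buf, len, patterns[i]);
}

/* Return 1 if every byte is zero; reads via volatile so the check stays. */
int region_is_zero(const void *buf, size_t len)
{
    const volatile unsigned char *p = (const volatile unsigned char *)buf;
    unsigned char acc = 0;
    while (len--)
        acc |= *p++;
    return acc == 0;
}

/* Constructed demo: a buffer holding a fake secret is wiped and verified.
 * Returns 1 only if data was present before and none remains after. */
int wipe_demo(void)
{
    unsigned char secret[64];
    memset(secret, 'K', sizeof secret);                 /* stand-in key bytes */
    int before = region_is_zero(secret, sizeof secret); /* expect 0 */
    secure_wipe(secret, sizeof secret);
    int after = region_is_zero(secret, sizeof secret);  /* expect 1 */
    return before == 0 && after == 1;
}

int main(void)
{
    printf("wipe %s\n", wipe_demo() ? "succeeded" : "FAILED");
    return 0;
}
```

The same dead-store caveat applies to any userland wipe: build with optimisation on and confirm the stores survive before trusting it.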
1

Please don't mix up software-targeted attacks and hardware-targeted attacks. Cold boot is the second one: no software is able to protect itself against it, because it's based on a hardware behaviour. The only thing you can do is relocate in-memory-stored private data constantly and wipe out the memory used for the previous storage, but it will not save you, it will only make it harder to extract from a memory dump.

Alexey Vesnin