2

As I understand from reading another question here, SRAM may be more dangerous than traditional volatile RAM in terms of storing passwords and other sensitive information. I know that when a computer is shut down, any data in the RAM (if it's regular volatile RAM) will be gone within seconds or minutes unless it is supercooled. But with SRAM, this is how I understand it: If all power is removed, the data will be gone with seconds (similar to volatile RAM), but simply shutting down the computer is not enough if the battery is still in. I am basing this on the answer from Jason Landstrom on this question: Can RAM retain data after removal?

So I have a few questions. With a desktop, is simply unplugging the power cord enough to wipe SRAM after a few seconds, and with a laptop, just removing the main battery for a few seconds? Or is the SRAM still getting power from some other source like CMOS batteries that stay on/charged even when the main power source is removed?

And what about a laptop with a non-removable battery? I know I could disassemble the laptop and pull out the battery, but what if I want to wipe SRAM on a regular basis in case my laptop is stolen, and not completely disassemble my laptop every time? Is there a better way of clearing SRAM?

If my computer does have SRAM, is there any way to ensure that my passphrases (my HDD/SDD FDE passphrase, or the passphrase for external LUKS-encrypted storage devices) are not ever saved to SRAM?

And lastly, how do I know if my computer even has SRAM rather than just traditional volatile RAM? Are there any terminal commands I can enter (Debian-based Linux) or any other means of discovering if my computer has SRAM?

And if I were to disassemble a computer, would the physical RAM device (module stick? not sure what it is called) look the same for both regular RAM and SRAM?

I am sorry if any of this is not worded properly or sounds dumb, I don't know too much about hardware or RAM.

I am not interested in answers like "common hackers/thieves won't possess the ability to read SRAM's cache". For the sake of argument let us just assume that the attacker has intelligence agency level capabilities.

Thank you!!

Albert
  • 39
  • 3
  • 1
    Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. – Community Feb 26 '22 at 07:59
  • What SRAM are you talking about? To my knowledge SRAM is only used for special purposes like CMOS RAM but besides that I don't think there are other large SRAM in a typical PC - or do you have more details information on that topic where SRAM can be found? – Robert Feb 26 '22 at 20:43
  • Thanks for the reply. You may be right, and maybe I'm worrying about nothing. I don't really know more than what I asked in the OP, I'm basing my concern on what Jason Landstrom said here: https://security.stackexchange.com/questions/99906 "The issue can arise when older equipment is donated or placed in the trash with the SRAM and internal battery intact. If a person or group were determined enough they could potentially get that password or the hash (running the hash against a rainbow table)" As I understand, CMOS RAM is NvRAM. Jason differentiated between NvRAM and SRAM. – Albert Feb 26 '22 at 23:57
  • Also want to add that ComputerHope says that SRAM is used for cache and video card memory at this page: https://www.computerhope.com/jargon/s/sram.htm If a password or hash is cached, or if sensitive data is displayed on the monitor, I think cache or video card memory could both be threats if not wiped? – Albert Feb 26 '22 at 23:57

1 Answers1

7

To answer your question I'm going to need to lay some groundwork.

Both SRAM and DRAM are volatile memory technologies, meaning that when you power them off they lose state. SRAM stands for Static Random Access Memory, and DRAM stands for Dynamic Random Access Memory.

SRAMs are static memories. The word static in this context means that once you have established a particular state, it will not change until you purposefully alter it, as long as power is present. DRAMs are dynamic, meaning that they will not permanently hold their state, even if power is present.

SRAMs are constructed from two cross-coupled inverter circuits. An inverter outputs a logical 1 (high voltage) if its input is a logical 0 (low voltage), and vice versa. By placing two inverters in parallel, in opposite directions, they hold whatever state you have applied:

Circuit diagram showing the cross-coupled inverters

The input is used to pull the circuit into one state or the other. If you disconnect the input, the inverters keep holding the same state - if the left side is 0, then the top inverter sets the right side to 1, which causes the bottom inverter to set the left side to 0, and it remains in that equilibrium. The same happens in reverse if the left side is 1 and the right side is 0. The circuit will maintain its state until you "pull" it into a different state.

In practice, when building SRAMs out of transistors on silicon, we usually use a topology called a 6T SRAM cell:

Circuit diagram of a 6T SRAM cell

This is called a 6T cell because it uses 6 transistors. You can play with a simulation of a 6T cell here. Click on the inputs (left side) to change their values.

The word select (WL) line enables access to a cell. When WL is low, all other inputs are ignored. If you set WL to high, the data that is stored in the cell will appear on Data Out. If, while WL is high, you strobe the write signal, the value that is present on Data In will be written to the cell. When WL goes low again, the cell still remembers its value. You can wait as long as you want and the value won't go away. However, if you disconnect the power (switch in the middle) the cell instantly loses its state. There is no data remanence with an SRAM cell - disconnect the power and the data is gone.

DRAMs work very differently. In a DRAM, you use just a single transistor. I went deep into the gory details of DRAM construction here if you want to know more about it, but I'll present a simplified version here:

DRAM cell schematic diagram

Simulation link.

This simplified version is missing all the logic for enables and column/row selection that you'd find in a real DRAM, but it's enough for this demonstration.

A DRAM works by keeping the cell's value in a capacitor. If the capacitor is charged, that represents a 1. If the capacitor is discharged, that represents a 0. If you set the data in, then strobe the write signal, the value is stored in the cell. In this simplified circuit, the value immediately appears on the output.

However, unlike with the SRAM, if you try setting a 1, then wait, you'll find that the data out eventually drops to 0. This is because of leakage. Capacitors aren't perfect, so they slowly leak charge out of them over time. If left alone, the states of the DRAM cells will degrade.

We solve the leakage problem by "refreshing" the cells. There are two key types of DRAM refresh operation: opportunistic, and manual. An opportunistic refresh is performed every time a cell is read. When a DRAM chip is asked to read a page of data, it activates the necessary DRAM cell and reads its value to a small internal SRAM buffer. This SRAM buffer is used to keep a temporary copy of the current data being read. The data is put onto the data bus so that the CPU can read it. The data is then also written back from the SRAM buffer to the DRAM cell, to recharge the capacitor back up to full if the data is a 1, thus undoing any leakage that occurred in the meantime. However, many pages of memory will not be read very frequently. DRAM memory controllers have a built in set of logic to constantly keep track of every page it hasn't touched in a while and send occasional refresh commands for them. The refresh command is just like a read, except the data is just read from the cell to the buffer and written back, internally on the DRAM chip, rather than being transmitted back to the CPU.

Here's a simple example of a buffer (the triangle component on the top right) being used as part of a cell refresh scheme:

Circuit diagram for DRAM cell with refresh logic

Simulation link

In practice the buffer would be an SRAM that is written to, then written back, but the circuit above shows how the concept works. When a refresh occurs, the data that is in the cell is read as a 1 or 0 (rather than the exact voltage of the capacitor) and that value is then written back to the cell. In the case of a 1, that recharges the capacitor back to full.

So, why do we use one or the other?

SRAMs are much simpler to use - they typically have an address bus that selects the particular set of cells to be read/written, a data bus that the CPU can put data on for a write, and that the SRAM can put data on for a read, and strobe signals for read and write operations. They can be used by low-speed microcontrollers and CPUs because they're static and don't need refreshing. Many SRAMs are asynchronous, which means the read/write operations occur whenever the read/write signals are strobed.

DRAMs are far more complicated to use. They, too, have an address bus and a data bus. However, they also have a more complex access scheme that uses columns and rows, requiring pages to be opened and closed. Many DRAMs are synchronous (referred to as SDRAM), meaning that they use a clock signal to synchronise all of the signals coming in and out of the memory IC. SDRAMs often use a command bus rather than individual read and write strobe signals. The device that controls the DRAM must constantly keep on top of refreshing the pages that have not been recently read. This makes them only suitable for fast processors and FPGAs.

The problem with SRAMs is that they don't scale very well. Each cell is large, requiring 6 transistors in a 6T cell topology. There is another topology called 4T, which replaces two of the transistors with resistors to make the cell smaller, but that comes with a significant power consumption tradeoff. This means that you can't build very large SRAMs, at least not cost effectively. They typically top out at around 128Mbit or so in size, and become quite expensive at that size if you want them to be fast too.

DRAMs are more complicated, but each cell can be made very small. This allows them to scale to much larger sizes. Modern DRAM chips can store a gigabyte or more of data. While SRAM cells are technically faster, the larger number of DRAM cells that can be packed into an area allows the memory bus width (i.e. number of bits read/written per access) to be much larger, thus leading to far greater memory bandwidth overall.

Computers (PCs, Macs, phones, etc.) don't use SRAMs for their main memory, and haven't really since the 80s. The early IBM PCs used asynchronous DRAM, and used a dedicated external microchip (Intel 8203) to handle DRAM refresh operations. Later we moved to synchronous DRAMs, i.e. SDRAMs, which were commonly used in early Intel Pentium systems.

You're probably most familiar with RAM that looks like this:

SDRAM stick

Above is an SDRAM stick. Each chip is an SDRAM IC, and the computer has a memory controller that talks to all of those chips over the memory bus.

A later iteration of the SDRAM technology was to have the data bus transmit on both the rising and falling edges of the clock signal, for twice the data rate. This was called Double Data Rate, or DDR. This standard has continued until today, with DDR2, DDR3, DDR4, and DDR5 SDRAMs being near-universal standards.

DDR SDRAM stick

That brings you up to speed with the tech. Main system memory, where all your programs keep their working data, is a DRAM. SRAM is not used for that purpose.

That's not to say that there aren't SRAMs anywhere inside a modern computer - to the contrary, there are probably hundreds of millions of SRAM cells throughout the devices in a modern computer - but they're not what you'd consider "RAM". It's important not to think of these memory technologies as discrete chips or computer parts, but as actual pieces of electronic technology that can be used in the silicon of processors, memories, and other ICs.

Now, let's talk about security.

The primary security concern with DRAMs is a cold-boot attack. If you freeze a DRAM chip, the leakage current of the capacitors in the DRAM cells drops considerably. This can give you time to unplug the memory module from the computer and plug it into a specialised system for reading the contents, before the contents of the memory cells inside the DRAM decay. This attack is a concern because modern computers use DRAM as their main memory, and those DRAM chips are on a removable module.

The same attack does not hold for SRAMs. First, the cooling part is pointless - SRAMs lose their data the instant they lose power. There's no capacitor to reduce the leakage current of. But, you might say, we can just keep the power connected to the SRAM! And then it won't lose any data because it's static! Well, yes, technically, but that's where we get to problem two: what SRAM? There's no removable SRAM memory stick on a modern computer. The SRAMs that exist are memories and buffers inside the silicon of the CPU, the PCH, the Ethernet PHY, the GPU, the SuperIO, the USB controller, the VRM controller, and other ICs on the motherboard. They don't store the program memory. They're single-purpose buffers used for managing internal state. The blocks of SRAM in the CPU (e.g. buffers and caches) will potentially contain sensitive data while the CPU is working on it, but how're you going to access them? If you've got the capability to decap a running x86_64 processor and tap the ten-or-fewer nanometer wide transistors to get at this data, you could've just bought a commercial memory forensics solution that uses a DDRx interposer to read the main system memory.

The battery on the motherboard is used to keep the realtime clock running. In the ye olden days, it also used to power the "CMOS", which is a misnomer and actually a little discrete SRAM chip. That chip contained the BIOS settings. They used a non-volatile memory with a battery backup because it meant that you could always zero out the whole thing by pulling the battery, allowing you to reset the settings to default even if they'd become corrupted and the system wouldn't boot. These days it's common to use an EEPROM instead, which is non-volatile, and have a supervisory circuit that can zero it out. It doesn't contain any information about the programs that are running on your computer, though. It's specifically just for BIOS settings. The bus on it is low speed, so it doesn't matter whether it's an EEPROM or an SRAM - you can just solder wires onto its pins and sniff the data as it's read/written at any time.

Other SRAM blocks inside other ICs have the same issue as with the CPU. They're on the silicon, not separate physical chips, so you can't really get at them.

So yeah, that's about it. SRAMs aren't used for system memory, so the attack you describe doesn't really exist.

Polynomial
  • 132,208
  • 43
  • 298
  • 379
  • Thank you for the detailed answer! It sounds like I may be worrying about nothing, but just to be sure, a few followups: "The blocks of SRAM in the CPU (e.g. buffers and caches) will potentially contain sensitive data while the CPU is working on it, but how're you going to access them?" Will this sensitive data be wiped immediately as soon as the computer is shut down (even if battery is not removed)? And if not, couldn't someone with intelligence agency level capability access it? (continued in next comment) – Albert Mar 06 '22 at 03:35
  • And is it fair to say that Jason Landstrom's concern of a hash/password being recovered from SRAM is an invalid/unwarranted concern? (details at security.stackexchange.com/questions/99906) Lastly: ComputerHope SRAM page says SRAM is used for cache and video card memory. Will that not contain sensitive data? Thanks again for all the help! – Albert Mar 06 '22 at 03:36
  • "Will this sensitive data be wiped immediately as soon as the computer is shut down (even if battery is not removed)?" - yes. It will probably be removed even before then because the operating system's shutdown procedure will be loading all sorts of general data into memory that will displace any sensitive contents in the cache. But even if it didn't, that data is gone the instant the CPU powers off. – Polynomial Mar 06 '22 at 03:41
  • 1
    A great, detailed answer and no single upvote? Take mine! – ThoriumBR Mar 06 '22 at 03:42
  • "And is it fair to say that Jason Landstrom's concern of a hash/password being recovered from SRAM is an invalid/unwarranted concern?" - That person is confusing NVRAM with SRAM. NVRAM is a completely different technology and no desktop computers use it. NVRAM is a server technology used for non-volatile backup of RAM contents in the event of an emergency shutdown (e.g. UPS power failure). – Polynomial Mar 06 '22 at 03:42
  • "ComputerHope SRAM page says SRAM is used for cache and video card memory. Will that not contain sensitive data? " - The cache part is technically true, but those caches are on the CPU and you'd need to decap it and microprobe the silicon as I mentioned in the answer, which is hopelessly difficult and expensive. There are far easier attacks if you want to go down the live memory extraction route. Their claim about GPU memory is nonsense. GPUs use GDDR, which is a wide-bus multi-port variant of DDR SDRAM. – Polynomial Mar 06 '22 at 03:44
  • The "CMOS RAM" solution was likely selected since you required a battery anyway for maintaining the clock, and SRAM was cheaper and easier to implement than an EEPROM. – Zac67 Mar 06 '22 at 06:51
  • Thanks again! Hopefully final followup: You mention decapping to read the cache on CPU's SRAM, as well as DDRx interposer and live memory extraction. Assuming an attacker with unlimited resources(intel agency): Would they need access to the computer while it's running (or a way to tamper with it in advance),or is any of this a threat if an attacker takes the computer for forensic analysis after shutdown?Since you said sensitive data is wiped on shutdown,am I right to say that decapping CPU's SRAM or using a DDRx interposer are non-issues after shutdown,even if attacker has unlimited resources? – Albert Mar 08 '22 at 00:07
  • Yes, it'd need to be running. – Polynomial Mar 08 '22 at 01:33
  • So it sounds like even if the attacker is intelligence agency or equivilent, there is nothing to worry about (as far as SRAM concerns go) as long as they don't get the computer til it's powered off.. safe to say that is accurate? I really appreciate all the detailed info you've been giving me so thanks again – Albert Mar 11 '22 at 00:24
  • Even if they get it while it's running, there's no reason for them to go after SRAM contents inside of some chip when they could use a DMA attack (e.g. pcileech), coldboot attack, or memory-sniffing / memory interposer solution instead, which is far easier and much more likely to get them useful results. – Polynomial Mar 11 '22 at 01:15
  • Thank you!!! :) – Albert Mar 11 '22 at 03:07