Sunday, March 09, 2008

cold boot attack good for more than just full disk encryption

while walking to the bus stop on my way to work one day last week i was thinking about the idea of measure vs. countermeasure (as i sometimes do) and an interesting juxtaposition of concepts popped into my head: non-persistence in malware and the so-called cold boot attack... bonus points if you already know where this is going...

you may recall that i ate some crow way back when i was describing how active stealth could be countered by outside-the-box analysis and then a certain stealthkit that shall not be named came along that used non-persistence to get around that problem... thanks to the work of ed felten and co. it appears i ate the crow a little too soon... non-persistence as a countermeasure depends on the very same assumptions about the volatility of RAM that many encryption implementations depend on - that RAM is volatile enough that its contents are as good as gone once the system loses power... we now know not only that this assumption is false (there are those who will point out that that much was actually known for quite some time) but also that it's relatively straightforward to exploit...

that means it's technically possible to boot to a dedicated OS on a known-clean medium, dump the contents of memory and detect so-called non-persistent stealth malware using known-malware scanning (for known malware, obviously) or using cross-view diff with a second memory dump taken while the compromised system was still active (for unknown malware)...
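to make the cross-view idea concrete, here's an added example of my own (not code from the original post, nor from felten and co.)... it compares a memory image as reported from inside the running system against one captured after a cold boot, page by page, flags pages the live view reported as empty but the cold dump still holds, tolerates the small amount of bit decay a cold dump picks up, and runs a known-marker scan over the cold dump... the page size, the decay threshold and the sample images are all constructed assumptions...

```python
import hashlib  # not needed for the diff itself; handy if you want to log page digests

PAGE_SIZE = 4096
ZERO_PAGE = bytes(PAGE_SIZE)

def classify_page(live_page: bytes, cold_page: bytes, max_decay: float = 0.01):
    """Compare one page as seen from inside the running OS with the same page
    from the cold-boot dump. Returns None when identical, otherwise a label."""
    if live_page == cold_page:
        return None
    if live_page == ZERO_PAGE and cold_page != ZERO_PAGE:
        return "hidden"      # live view reports nothing here, cold dump has data
    differing = sum(a != b for a, b in zip(live_page, cold_page))
    if differing / len(cold_page) <= max_decay:
        return "decay"       # a few flipped bits: remanence noise, not tampering
    return "changed"         # page genuinely changed between the two snapshots

def cross_view_diff(live_dump: bytes, cold_dump: bytes) -> list:
    """Page-by-page cross-view diff of two physical memory images of equal size."""
    findings = []
    for off in range(0, len(cold_dump), PAGE_SIZE):
        label = classify_page(live_dump[off:off + PAGE_SIZE], cold_dump[off:off + PAGE_SIZE])
        if label:
            findings.append((off // PAGE_SIZE, label))
    return findings

def scan_for_signatures(dump: bytes, signatures: dict) -> list:
    """Known-malware style scan: every (page index, name) where a signature occurs."""
    hits = []
    for name, sig in signatures.items():
        off = dump.find(sig)
        while off != -1:
            hits.append((off // PAGE_SIZE, name))
            off = dump.find(sig, off + 1)
    return hits

def build_sample_dumps():
    """Constructed sample images (5 pages each), not real memory: page 3 is hidden
    from the live view (reads as zeros) but survives in the cold dump, and page 2
    of the cold dump has one byte flipped by decay."""
    pages = [bytes([i + 1]) * PAGE_SIZE for i in range(5)]
    live, cold = list(pages), list(pages)
    marker = b"CONSTRUCTED-MARKER-NOT-A-REAL-SIGNATURE"   # assumed, not a real signature
    cold[3] = marker + pages[3][len(marker):]
    live[3] = ZERO_PAGE
    cold[2] = pages[2][:100] + bytes([pages[2][100] ^ 0x01]) + pages[2][101:]
    return b"".join(live), b"".join(cold), marker

if __name__ == "__main__":
    live, cold, marker = build_sample_dumps()
    print(cross_view_diff(live, cold))                            # [(2, 'decay'), (3, 'hidden')]
    print(scan_for_signatures(cold, {"sample-marker": marker}))   # [(3, 'sample-marker')]
```

a real run would feed it two raw physical memory images of the same machine; "hidden" pages are the ones worth pulling apart by hand, "decay" pages are the cost of the cold boot itself...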

this isn't the only countermeasure for non-persistent virtualized stealthkits, but it's a neat one nonetheless and it shows once again that for every measure there is a countermeasure...
