<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>System Integrity Team Blog : BitLocker</title><link>http://blogs.msdn.com/si_team/archive/tags/BitLocker/default.aspx</link><description>Tags: BitLocker</description><dc:language>en</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Protecting BitLocker from Cold Attacks (and other threats)</title><link>http://blogs.msdn.com/si_team/archive/2008/02/25/protecting-bitLocker-from-cold-attacks-and-other-threats.aspx</link><pubDate>Tue, 26 Feb 2008 03:08:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:7897972</guid><dc:creator>siblog</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/si_team/comments/7897972.aspx</comments><wfw:commentRss>http://blogs.msdn.com/si_team/commentrss.aspx?PostID=7897972</wfw:commentRss><description>&lt;FONT face=Calibri&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT size=3&gt;Hi. My name is Douglas MacIver and I specialize in security assurance at Microsoft as a member of the BitLocker Test Team. &lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/SPAN&gt;My responsibilities on the team are to perform BitLocker penetration testing and risk analysis.&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT size=3&gt;As you may have seen in the press, last week researchers at Princeton University published a &lt;/FONT&gt;&lt;A href="http://citp.princeton.edu.nyud.net/pub/coldboot.pdf" mce_href="http://citp.princeton.edu.nyud.net/pub/coldboot.pdf"&gt;&lt;FONT color=#800080 size=3&gt;paper&lt;/FONT&gt;&lt;/A&gt;&lt;FONT size=3&gt; and video on how to attack disk encryption using a characteristic of memory called “DRAM remanence”. &lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/SPAN&gt;The research and presentation are impressive (I especially like the key reconstruction techniques). But after reading it, you may come away wondering “What can I do &lt;B style="mso-bidi-font-weight: normal"&gt;&lt;I style="mso-bidi-font-style: normal"&gt;immediately&lt;/I&gt;&lt;/B&gt; to protect myself?”&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;Our customers have been asking us this same question.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;In this post, I’m going to answer that question, providing tips on what you can do &lt;B style="mso-bidi-font-weight: normal"&gt;&lt;I style="mso-bidi-font-style: normal"&gt;today&lt;/I&gt;&lt;/B&gt; to help protect your system against this class of attack.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT size=3&gt;As the researchers state in their paper, dynamic random access memory (DRAM) remanence issues have been known since the 1970s. At Microsoft, we considered this class of attack and other platform realities while designing, implementing, and documenting BitLocker. We have also worked to inform our customers of these risks &lt;I style="mso-bidi-font-style: normal"&gt;and mitigations&lt;/I&gt; in many forums, including my Hack in the Box presentation in September 2006. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT size=3&gt;Along with discussions in public forums, we have also documented platform risks in the &lt;/FONT&gt;&lt;A href="http://www.microsoft.com/technet/security/guidance/clientsecurity/dataencryption/default.mspx" mce_href="http://www.microsoft.com/technet/security/guidance/clientsecurity/dataencryption/default.mspx"&gt;&lt;FONT color=#800080 size=3&gt;Data Encryption Toolkit (DET)&lt;/FONT&gt;&lt;/A&gt;&lt;FONT size=3&gt;. &lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/SPAN&gt;The risk analysis provided in the DET is intended to help customers balance security with usability, and with the cost of implementation and management.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;This is no small point. We believe customers are best suited to make decisions about the tradeoffs of security, usability, and cost.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;(Russ Humphries discussed these tradeoffs in the context of DRAM remanence in his &lt;/FONT&gt;&lt;A href="http://blogs.msdn.com/windowsvistasecurity/archive/2008/02/22/disk-encryption-balancing-security-usability-and-risk-assessment.aspx" mce_href="http://blogs.msdn.com/windowsvistasecurity/archive/2008/02/22/disk-encryption-balancing-security-usability-and-risk-assessment.aspx"&gt;&lt;FONT color=#800080 size=3&gt;blog entry&lt;/FONT&gt;&lt;/A&gt;&lt;FONT size=3&gt;.)&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT size=3&gt;With that in mind, here are some practical countermeasures that Windows Vista BitLocker users can use &lt;I style="mso-bidi-font-style: normal"&gt;today&lt;/I&gt; to make their systems more resistant to platform threats. Some of these approaches may apply to other products, but my expertise and responsibilities are with BitLocker, so these tips understandably focus on Microsoft’s BitLocker Drive Encryption.&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;U&gt;&lt;SPAN style="FONT-SIZE: 12pt; LINE-HEIGHT: 115%"&gt;Use BitLocker Advanced Modes with Hibernation&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/U&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;I style="mso-bidi-font-style: normal"&gt;&lt;FONT size=3&gt;Note: This is the primary and most effective way to protect your system from DRAM remanence and other platform attacks.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/I&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;FONT size=3&gt;Platform attacks that access encryption keys in DRAM obviously rely on those keys being present in DRAM.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;As with all practical disk encryption approaches, these encryption keys must exist in system memory in order to provide the performance that makes disk encryption usable.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;FONT size=3&gt;When BitLocker is configured in its advanced modes, encryption keys are not loaded into system memory until &lt;I style="mso-bidi-font-style: normal"&gt;after&lt;/I&gt; the authorized user has provided credentials like a PIN, dongle, or both.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;An attacker without these credentials will not be able to boot the system to a state where confidential information – including encryption keys – is in DRAM. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;FONT size=3&gt;There are some caveats though; one is a very practical threat, the other less so. If an attacker gains access to the system &lt;I style="mso-bidi-font-style: normal"&gt;after&lt;/I&gt; the authorized user has authenticated with their BitLocker credentials, but &lt;I style="mso-bidi-font-style: normal"&gt;before&lt;/I&gt; its owner turns it off or hibernates, the encryption keys are in DRAM and an attacker could use one of the Princeton researchers’ ‘DRAM remanence’ attacks or other platform attacks such as direct memory access (DMA) to gain access to those keys.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;FONT size=3&gt;This is why it’s important when using BitLocker’s advanced modes to use ‘hibernation’ rather than ‘sleep’. To provide high performance for sleep transitions, BitLocker does not encrypt RAM contents, nor does it require BitLocker re-authentication when waking up from sleep. With hibernation, a system is effectively ‘off’, and keys will not be resident in physical memory (I’ll get to the second caveat that discusses this shortly).&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;On resume from hibernation, BitLocker will require the credentials I discussed earlier, and without those credentials, encryption keys will not be loaded into DRAM.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;FONT size=3&gt;During design and implementation, the BitLocker team worked with other teams within Microsoft to enable complete control of system-suspend settings by local and domain administrators through group policy. Instructions on how to configure this and other BitLocker settings can be found in the design and deployment guides available in &lt;/FONT&gt;&lt;A href="http://technet.microsoft.com/en-us/windowsvista/aa905065.aspx" mce_href="http://technet.microsoft.com/en-us/windowsvista/aa905065.aspx"&gt;&lt;FONT color=#800080 size=3&gt;BitLocker's online documentation&lt;/FONT&gt;&lt;/A&gt;&lt;FONT size=3&gt;.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;FONT size=3&gt;Now let me address the second caveat, which is less of a practical threat.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;As described in the Princeton researchers’ paper and elsewhere, DRAM may retain state under normal temperatures for several seconds or a few minutes. If an attacker gains access to a laptop within this window, they may be able to access information located in DRAM. Again, the risk of an attacker exploiting this is low relative to other platform threats.&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;FONT size=3&gt;Again, this is the primary and most effective way to protect your system from DRAM remanence and other platform attacks.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;U&gt;&lt;SPAN style="FONT-SIZE: 12pt; LINE-HEIGHT: 115%"&gt;Use TCG-compliant systems with firmware that implements “Platform Reset Attack Mitigations”&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/U&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;FONT size=3&gt;When designing BitLocker, Microsoft worked with the Trusted Computing Group (TCG) on specifications that require platform firmware (e.g. BIOS) to overwrite physical memory to mitigate attacks exploiting DRAM remanence. In the “&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;I style="mso-bidi-font-style: normal"&gt;TCG Platform Reset Attack Mitigation Specification&lt;/I&gt;&lt;/B&gt;”, the TCG describes firmware interface requirements that BitLocker leverages to help protect against these attacks. BitLocker users should make sure that their platforms are fully compliant with TCG specifications. Please refer to &lt;/FONT&gt;&lt;A href="http://www.microsoft.com/windows/products/windowsvista/buyorupgrade/logo.mspx" mce_href="http://www.microsoft.com/windows/products/windowsvista/buyorupgrade/logo.mspx"&gt;&lt;FONT color=#800080 size=3&gt;Windows Vista Logo information&lt;/FONT&gt;&lt;/A&gt;&lt;FONT size=3&gt;.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;I style="mso-bidi-font-style: normal"&gt;&lt;FONT size=3&gt;Note:&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;This is not an absolute mitigation for all platform threats. Firmware-based overwrite does effectively limit the options available to the attacker though.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/I&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;U&gt;&lt;SPAN style="FONT-SIZE: 12pt; LINE-HEIGHT: 115%"&gt;Limit boot device options&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/U&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;FONT size=3&gt;Another way to mitigate some of the DRAM remanence threats is to limit the boot device options in the firmware (e.g. BIOS) configuration.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;Doing so will limit an attacker’s options for ‘warm’ rebooting a system and loading software of their choice while keeping DRAM contents intact.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;FONT size=3&gt;This implies that the firmware options are themselves protected by, for example, firmware passwords. There are publicly documented threats against firmware security, but remember, in the context of DRAM remanence, the attacker is attempting to keep the DRAM charged, so some traditional attacks against firmware may ultimately not help them.&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;I style="mso-bidi-font-style: normal"&gt;&lt;FONT size=3&gt;Note: This is not a complete mitigation, but it is a simple way to increase the effort that is needed to exploit DRAM remanence.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/I&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;U&gt;&lt;SPAN style="FONT-SIZE: 12pt; LINE-HEIGHT: 115%"&gt;Limit Windows shutdown options&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/U&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;FONT size=3&gt;And yet another method to reduce an attacker’s options is to make it more difficult for an unauthorized user to perform a ‘warm’ reboot by disabling the ability to shut down the system without having to log on.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;This behavior can be controlled in Windows Group Policy. See the “Shutdown: Allow system to be shut down without having to log on” setting in Windows security policy.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;I style="mso-bidi-font-style: normal"&gt;&lt;FONT size=3&gt;Note: This is not a complete mitigation, but it is a simple way to increase the effort that is needed to exploit DRAM remanence.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/I&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;U&gt;&lt;SPAN style="FONT-SIZE: 12pt; LINE-HEIGHT: 115%"&gt;Disable 1394 and PCI host controllers&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/U&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;FONT size=3&gt;Another class of physical memory attacks that Microsoft has been warning customers about is DMA attacks.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;These attacks use DMA (direct memory access) across 1394 and PCI buses to directly access the contents of system memory without software or CPU interaction. In these attacks, an attacker using another device – for example a laptop – connects to the victim platform by plugging into an external hardware port. In the 1394 case, this is as simple as using a 1394 cable along with another ‘attack’ laptop. Once the cable is plugged in, the attacker then runs software on the ‘attacking’ laptop that accesses physical memory contents on the ‘victim’ laptop using DMA.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;FONT size=3&gt;I’m surprised that the Princeton researchers did not treat DMA attacks as being as serious as the DRAM remanence problem they focused on. As documented in Microsoft’s Data Encryption Toolkit, DMA attacks present a slightly higher risk to customers, since attackers can mount the attack quickly and with less intrusiveness, and potentially avoid detection.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;SPAN style="FONT-SIZE: 12pt; LINE-HEIGHT: 115%"&gt;One way to mitigate these DMA threats is to disable the 1394 and PCI host controllers. This can be done by using the Windows Device Manager.&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;U&gt;&lt;SPAN style="FONT-SIZE: 12pt; LINE-HEIGHT: 115%"&gt;Be aware of your surroundings&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/U&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;FONT size=3&gt;If you use PINs or passwords with your disk encryption product, be aware that highly-motivated attackers may use various ‘environmental’ methods to capture your credentials. Shoulder surfing, cameras, and microphones that capture key strokes are examples. To mitigate these risks, I use my laptop lid to shield visual capture, and I type lightly. Changing your password or PIN on a regular basis helps, especially after you think you’ve been in a ‘hostile’ environment.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT size=3&gt;Since I spend so much of my time playing the role of an attacker and obsessing about worst-case scenarios, &lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/SPAN&gt;I have a tendency (like others in my field) to be, well, paranoid. I fight this paranoia by finding practical ways to mitigate the risks so that I – and more importantly you – can continue to use the modern computing gadgets that make us productive and help make life fun. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT size=3&gt;The Princeton University paper did a good job of raising public awareness of DRAM remanence risks. &lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/SPAN&gt;For that I am thankful. But since fear has accompanied this increased awareness, I hope that you will find the countermeasures included in this post and in the other sources that I list practical and reassuring.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;The world is scary sometimes, but we have to resist allowing our fears to overcome our ability to be rational about the risks, or to blind us to available mitigations. &lt;SPAN style="COLOR: black; FONT-FAMILY: 'Tahoma','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT size=3&gt;&lt;STRONG&gt;Regards,&lt;o:p&gt;&lt;/o:p&gt;&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;FONT size=3&gt;Douglas MacIver&lt;BR&gt;BitLocker Test Team&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="FONT-SIZE: 12pt; LINE-HEIGHT: 115%"&gt;Links included in this post:&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;A href="http://www.microsoft.com/technet/security/guidance/clientsecurity/dataencryption/default.mspx" mce_href="http://www.microsoft.com/technet/security/guidance/clientsecurity/dataencryption/default.mspx"&gt;&lt;FONT color=#800080 size=3&gt;Microsoft’s Data Encryption Toolkit&lt;/FONT&gt;&lt;/A&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;A href="http://technet.microsoft.com/en-us/windowsvista/aa905065.aspx" mce_href="http://technet.microsoft.com/en-us/windowsvista/aa905065.aspx"&gt;&lt;FONT color=#800080 size=3&gt;BitLocker Drive Encryption Documentation&lt;/FONT&gt;&lt;/A&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;A href="http://www.microsoft.com/windows/products/windowsvista/buyorupgrade/logo.mspx" mce_href="http://www.microsoft.com/windows/products/windowsvista/buyorupgrade/logo.mspx"&gt;&lt;FONT color=#800080 size=3&gt;Windows Vista Logo Information&lt;/FONT&gt;&lt;/A&gt;&lt;SPAN style="FONT-SIZE: 12pt; LINE-HEIGHT: 115%"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;A href="http://citp.princeton.edu.nyud.net/pub/coldboot.pdf" mce_href="http://citp.princeton.edu.nyud.net/pub/coldboot.pdf"&gt;&lt;FONT color=#800080 size=3&gt;Princeton University Research on Data Remanence &lt;/FONT&gt;&lt;/A&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt 0.5in"&gt;&lt;A href="http://blogs.msdn.com/windowsvistasecurity/archive/2008/02/22/disk-encryption-balancing-security-usability-and-risk-assessment.aspx" mce_href="http://blogs.msdn.com/windowsvistasecurity/archive/2008/02/22/disk-encryption-balancing-security-usability-and-risk-assessment.aspx"&gt;&lt;FONT color=#800080 size=3&gt;Russ Humphries' Blog Post&lt;/FONT&gt;&lt;/A&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/P&gt;&lt;/FONT&gt;</description><category domain="http://blogs.msdn.com/si_team/archive/tags/BitLocker/default.aspx">BitLocker</category></item></channel></rss>