RDPUser
Posts: 140
Joined: Tue Jan 30, 2018 12:18 pm

Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sat Jan 12, 2019 1:04 pm

Hello,

You might have heard of the cold boot attack: https://en.wikipedia.org/wiki/Cold_boot_attack
In short: you reset the PC, immediately boot an image of your own, and read out the RAM.
With a Raspberry Pi you would pull out the SD card, insert your own that dumps RAM content to SD, then shortly cut power and reboot. Data from RAM is now on your SD.
However, if the Raspberry Pi zeroed out RAM content (overwrote it with 0) after power up, the cold boot attack would be efficiently prevented. Of course it must be ensured that if an attacker tries to flash the bootcode, RAM is zeroed out before that as well.
The performance loss is not noticeable: only about 0.5 seconds on a Raspberry Pi 3.

Code:

sysbench --test=memory run --memory-total-size=1G --num-threads=4 --memory-oper=write
sysbench 0.4.12:  multi-threaded system evaluation benchmark

Running the test with following options:
Number of threads: 4

Doing memory operations speed test
Memory block size: 1K

Memory transfer size: 1024M

Memory operations type: write
Memory scope type: global
Threads started!
Done.

Operations performed: 1048576 (1898682.50 ops/sec)

1024.00 MB transferred (1854.18 MB/sec)


Test execution summary:
    total time:                          0.5523s
    total number of events:              1048576
    total time taken by event execution: 1.7221
    per-request statistics:
         min:                                  0.00ms
         avg:                                  0.00ms
         max:                                  1.22ms
         approx.  95 percentile:               0.00ms

Threads fairness:
    events (avg/stddev):           262144.0000/863.52
    execution time (avg/stddev):   0.4305/0.00

With that protection against cold boot attacks you can use your Raspberry Pi in an untrusted environment much more safely.

Is this zeroing out of RAM content already implemented? If not can you make it available?

Thanks for help.

DougieLawson
Posts: 36173
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sat Jan 12, 2019 3:19 pm

If you pull power on a Raspberry all RAM will be reset. There is NO non-volatile RAM on a Raspberry. Your cold boot attack can't work on an ARM processor in a RPi. If someone has physical access then all security is void anyway as it's easy to steal the SDCard.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

RDPUser
Posts: 140
Joined: Tue Jan 30, 2018 12:18 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sat Jan 12, 2019 5:44 pm

Thanks for your fast answer.
Your cold boot attack can't work on an ARM processor in a RPi.
Can you explain a bit more why it can't work on ARM in a RPi?
According to https://en.wikipedia.org/wiki/Cold_boot ... encryption special ARM processors must be used to encrypt RAM and make cold boot attacks unavailable.
If someone has physical access then all security is void anyway as it's easy to steal the SDCard.
That's where encryption steps in. Just place your sensitive data inside a VeraCrypt volume and as long as the attacker can't read out memory via a cold boot attack you're quite safe. Of course you have to take some security measures like changing the password, limiting to only one new ssh connection per IP per second, allowing only one failed password attempt per ssh and so on.

DougieLawson
Posts: 36173
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sat Jan 12, 2019 5:58 pm

When the power is gone RAM is going to get reset on power up. I can't see any way you're going to get code running between power off and power up.

The ARM processor in your RPi isn't susceptible to code pipeline exploits because it doesn't have a code pipeline.

Encryption is a non-starter as there's nowhere to securely store the key.

hippy
Posts: 5969
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sat Jan 12, 2019 7:01 pm

RDPUser wrote:
Sat Jan 12, 2019 1:04 pm
With raspberry PI you would pull out SD-Card, insert yours with dumping RAM content to SD, then shortly cut power and reboot. Data from RAM is now on your SD.
Why would an attacker go to such extremes when all they might need to do is insert a USB memory stick and run a program from that which dumps RAM to the memory stick ?

And they could probably pull the SD card and insert their own which did the same without killing power.

I can't see that the RAM on a Pi, or that used with most ARM chips, is any different to the RAM on any PC. All are equally non-volatile so it would seemingly be open to the same attacks if one wanted to go down that path.

So maybe, one way or another, a Pi could have its RAM contents exfiltrated.

But it seems such an esoteric threat that it seems hardly worth worrying over. If someone is that intent on stealing your Pi's RAM contents then you probably have bigger things to worry about.

And it doesn't seem there's any easy way to prevent it anyway.

Clearing RAM at start-up won't save you from such an attack, not unless that was built into the SoC's ROM bootcode. It is entirely possible to boot a program which would never allow execution to reach the code which zeroes RAM. And one could cut RAM chip select signals to avoid the zeroing and reconnect them after that completes.

And zeroing at shut-down won't work because an attacker could simply pull the power.

And none of that works if they find a way to get RAM contents without powering-down or powering-up.

I think the bottom line is, if you are worried about your Pi's RAM contents being stolen, then it is probably not the device for you.

RDPUser
Posts: 140
Joined: Tue Jan 30, 2018 12:18 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sat Jan 12, 2019 10:36 pm

When the power is gone RAM is going to get reset on power up.
Thanks. That is what I wanted to know. Zeroing out and reset on power up are equal. On normal PCs an attacker can clear the CMOS, so this option is not safe there. Can you provide a documentation link to read about that reset on boot?
Why would an attacker go to such extremes when all they might need to do is insert a USB memory stick and run a program from that which dumps RAM to the memory stick ?
How could an attacker do that without logging in? And even when logged in he needs root rights.
And they could probably pull the SD card and insert their own which did the same without killing power.
Code from his own card won't be executed without login. He has to reboot and then there is the RAM reset.
Clearing RAM at start-up won't save you from such an attack, not unless that was built into the SoC's ROM bootcode.
That's exactly what I wanted to know. And if it's currently not built into the bootcode, I asked to build it into the code.
I think the bottom line is, if you are worried about your Pi's RAM contents being stolen, then it is probably not the device for you.
As currently it is with all x86 PCs. But if the Raspberry-PI is secure against cold boot attacks, you can build a cheap NAS based on it and you never need to worry that police find your downloaded movies.

BeauSlim
Posts: 49
Joined: Mon Jul 31, 2017 10:02 am

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sun Jan 13, 2019 12:00 am

I think the bottom line is that if you are worried about any physical attack, the Raspberry Pi is the wrong platform in general. It has none of the features from ARM's TrustZone and other tech that would help with this. See https://www.arm.com/products/silicon-ip-security.

I assume that the Raspberry Pi Foundation intentionally chose an SOC and board design that omits security features in order to avoid any complications importing crypto tech to certain countries. They want the Pi available to everyone, everywhere.

hippy
Posts: 5969
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sun Jan 13, 2019 12:28 am

RDPUser wrote:
Sat Jan 12, 2019 10:36 pm
But if the Raspberry-PI is secure against cold boot attacks, you can build a cheap NAS based on it and you never need to worry that police find your downloaded movies.
No one should be worried about the police finding their downloaded movies unless they have been illegally downloaded.

rpdom
Posts: 15227
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sun Jan 13, 2019 2:54 am

BeauSlim wrote:
Sun Jan 13, 2019 12:00 am
I assume that the Raspberry Pi Foundation intentionally chose an SOC and board design that omits security features in order to avoid any complications importing crypto tech to certain countries. They want the Pi available to everyone, everywhere.
No. They intentionally chose a SoC that would do the job it was supposed to do - run the OS and provide a platform that people could learn to program on at an affordable price. No secret agendas here.

W. H. Heydt
Posts: 10904
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sun Jan 13, 2019 6:18 am

More to the point...when you pull the power to swap SD cards, you will lose everything in the *Dynamic* Random Access Memory. DRAM has to be refreshed periodically or it "forgets" everything, and without power, that happens very quickly.

RDPUser
Posts: 140
Joined: Tue Jan 30, 2018 12:18 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sun Jan 13, 2019 9:25 am

I assume that the Raspberry Pi Foundation intentionally chose an SOC and board design that omits security features in order to avoid any complications importing crypto tech to certain countries. They want the Pi available to everyone, everywhere.
Initializing RAM with Zeros before boot won't conflict with crypto laws in any country.
More to the point...when you pull the power to swap SD cards, you will lose everything in the *Dynamic* Random Access Memory. DRAM has to be refreshed periodically or it "forgets" everything, and without power, that happens very quickly.
Please read the Wikipedia article about the cold boot attack already mentioned in the first post: https://en.wikipedia.org/wiki/Cold_boot_attack
RAM loses its content much less quickly than expected.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 23708
Joined: Sat Jul 30, 2011 7:41 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sun Jan 13, 2019 9:40 am

Has anyone ever tried reading ram after a cold boot or whatever, to see if there is anything in it?
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
"My grief counsellor just died, luckily, he was so good, I didn't care."

incognitum
Posts: 353
Joined: Tue Oct 30, 2018 3:34 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sun Jan 13, 2019 2:08 pm

hippy wrote:
Sat Jan 12, 2019 7:01 pm
Why would an attacker go to such extremes when all they might need to do is insert a USB memory stick and run a program from that which dumps RAM to the memory stick ?
Because security conscious people typically configure their desktop to lock after X minutes of inactivity, and you then need a password to unlock and run programs...
W. H. Heydt wrote:
Sun Jan 13, 2019 6:18 am
More to the point...when you pull the power to swap SD cards, you will lose everything in the *Dynamic* Random Access Memory.
1) it doesn't lose contents instantly.
2) can't you just short the "RUN" contacts on the board to get it to reboot?
jamesh wrote:
Sun Jan 13, 2019 9:40 am
Has anyone ever tried reading ram after a cold boot or whatever, to see if there is anything in it?
Not for the purpose of recovering encryption keys or anything fancy.
But if you have ever done any Android development, and had a kernel panic, you may have noticed that you are able to get details about the previous crash on the next boot, while that is normally not the case on normal Linux.
The mechanism used for that also uses the property that RAM contents tend to persist across reboots.

HiassofT
Posts: 218
Joined: Fri Jun 30, 2017 10:07 pm
Location: Salzburg, Austria

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sun Jan 13, 2019 3:05 pm

jamesh wrote:
Sun Jan 13, 2019 9:40 am
Has anyone ever tried reading ram after a cold boot or whatever, to see if there is anything in it?
Not on the RPi or any semi-modern system / DRAM chip.

But it's a long-known fact that DRAM can hold its contents much longer than expected.

The OS ROM of the Atari 8-bit XL/XE computers checks for 3 magic bytes in RAM to determine if it's a cold boot (powerup) or (processor) reset. The 64kbit DRAMs used back then were specced to need a full refresh every 2-4ms so one would expect the caps in the DRAM cells would have discharged almost immediately after cutting power. Reality though was that, depending on the DRAMs used, people needed to wait between 1 and 5 seconds (!) until the bits of the magic bytes really discharged and the Atari would boot properly (if the 3 bytes were still there but other important RAM bits had discharged it'd just lock up).

Of course these numbers can't be translated 1:1 to modern Gbit DRAM chips with way smaller structures but other than that the basic design of a DRAM is still the same - and you need to wait until the caps have discharged due to internal leakage before the content is really "gone".

If you have access to a hardware reset (like the RUN header on RPi) things might even be easier. Depending on whether the reset stops DRAM refresh or not, or on how long refresh is stopped, memory contents might be fully intact at boot time.

so long,

Hias
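
The marker-byte warm-start check described in the post above, and its failure mode (marker intact while other RAM bits have decayed), sketched in C as an added example that is not part of the original post or of any Atari or Raspberry Pi firmware. The memory layout, marker values and function names are assumptions for illustration, and decay is modelled simply as bits leaking to 0; the second classifier also requires a CRC over the saved state and wipes RAM whenever the boot is treated as cold.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout of a small RAM window that survives a reset. */
#define RAM_SIZE  64
#define MAGIC_OFF 0                       /* 3 marker bytes            */
#define STATE_OFF 3                       /* state reused on warm boot */
#define STATE_LEN 32
#define CRC_OFF   (STATE_OFF + STATE_LEN) /* CRC-16 of the state       */

static const uint8_t MAGIC[3] = {0xA5, 0x5A, 0xC3}; /* constructed values */

enum boot_kind { BOOT_COLD = 0, BOOT_WARM = 1 };

/* CRC-16/CCITT-FALSE, bitwise; catches every single-bit error. */
uint16_t crc16(const uint8_t *p, size_t n) {
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Constructed sample: what a running system leaves behind before reset. */
void build_sample(uint8_t *ram) {
    memset(ram, 0, RAM_SIZE);
    for (size_t i = 0; i < STATE_LEN; i++)
        ram[STATE_OFF + i] = (uint8_t)(0x80 | i);
    memcpy(ram + MAGIC_OFF, MAGIC, sizeof MAGIC);
    uint16_t crc = crc16(ram + STATE_OFF, STATE_LEN);
    ram[CRC_OFF] = (uint8_t)(crc >> 8);
    ram[CRC_OFF + 1] = (uint8_t)(crc & 0xFF);
}

/* Simplified decay model: the masked bits of one byte leak to 0. */
void decay(uint8_t *ram, size_t off, uint8_t mask) {
    ram[off] &= (uint8_t)~mask;
}

/* Marker-only check, as in the post: marker intact means "warm". */
enum boot_kind classify_naive(const uint8_t *ram) {
    return memcmp(ram + MAGIC_OFF, MAGIC, sizeof MAGIC) == 0 ? BOOT_WARM
                                                             : BOOT_COLD;
}

/* Marker plus integrity check over everything a warm boot would reuse. */
enum boot_kind classify_checked(const uint8_t *ram) {
    if (classify_naive(ram) == BOOT_COLD) return BOOT_COLD;
    uint16_t stored = (uint16_t)((ram[CRC_OFF] << 8) | ram[CRC_OFF + 1]);
    return stored == crc16(ram + STATE_OFF, STATE_LEN) ? BOOT_WARM : BOOT_COLD;
}

/* Boot path: anything not proven intact is treated as cold and wiped. */
enum boot_kind boot_checked(uint8_t *ram) {
    enum boot_kind k = classify_checked(ram);
    if (k == BOOT_COLD) memset(ram, 0, RAM_SIZE);
    return k;
}

int main(void) {
    uint8_t ram[RAM_SIZE];
    build_sample(ram);
    decay(ram, STATE_OFF + 5, 0x80);  /* one state bit lost, marker intact */
    printf("naive:   %s\n", classify_naive(ram) == BOOT_WARM ? "warm" : "cold");
    printf("checked: %s\n", boot_checked(ram) == BOOT_WARM ? "warm" : "cold");
    return 0;
}
```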

rpdom
Posts: 15227
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sun Jan 13, 2019 3:09 pm

incognitum wrote:
Sun Jan 13, 2019 2:08 pm
But if you have ever done any Android development, and had a kernel panic, you may have noticed that you are able to get details about the previous crash on the next boot, while that is normally not the case on normal Linux.
The mechanism used for that also uses the property that RAM contents tend to persist across reboots.
Android devices don't tend to do a full power cycle, just a reboot.

We are talking about a full power cycle here, and not Android.

incognitum
Posts: 353
Joined: Tue Oct 30, 2018 3:34 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sun Jan 13, 2019 3:30 pm

rpdom wrote:
Sun Jan 13, 2019 3:09 pm
We are talking about a full power cycle here
That's not what the TS wrote:
In short: You reset PC
==
and not Android.
I see that it made upstream Linux as well: https://www.kernel.org/doc/html/v4.19/a ... moops.html
Perhaps something RPF/T could consider enabling, as it makes it easier for users to report panics.

edit: and yes, others have reported success with that on the Pi: viewtopic.php?t=199047
It even worked when I rebooted by quickly unplugging the power, ram didn't lose its contents!
Last edited by incognitum on Sun Jan 13, 2019 4:52 pm, edited 2 times in total.

rpdom
Posts: 15227
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sun Jan 13, 2019 4:01 pm

incognitum wrote:
Sun Jan 13, 2019 3:30 pm
rpdom wrote:
Sun Jan 13, 2019 3:09 pm
We are talking about a full power cycle here
That's not what the TS wrote:
Really?
then shortly cut power and reboot.
Emphasis is mine.

hippy
Posts: 5969
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sun Jan 13, 2019 4:11 pm

W. H. Heydt wrote:
Sun Jan 13, 2019 6:18 am
More to the point...when you pull the power to swap SD cards, you will lose everything in the *Dynamic* Random Access Memory. DRAM has to be refreshed periodically or it "forgets" everything, and without power, that happens very quickly.
jamesh wrote:
Sun Jan 13, 2019 9:40 am
Has anyone ever tried reading ram after a cold boot or whatever, to see if there is anything in it?
Yes. People have tried that and have found that DRAM contents do not disappear as quickly as may have been imagined.

That's what the Wikipedia article describes, and there has been research done and papers written on the subject which is why we know there is such an attack vector and that it can potentially be used as a forensic tool. One for example -

https://www.usenix.org/event/sec08/tech ... derman.pdf
Contrary to popular assumption, DRAMs used in most modern computers retain their contents for several seconds after power is lost, even at room temperature and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images.
It has been known since the 1970s that DRAM cell contents survive to some extent even at room temperature and that retention times can be increased by cooling. In a 1978 experiment [29], a DRAM showed no data loss for a full week without refresh when cooled with liquid nitrogen.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 23708
Joined: Sat Jul 30, 2011 7:41 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sun Jan 13, 2019 5:37 pm

hippy wrote:
Sun Jan 13, 2019 4:11 pm
W. H. Heydt wrote:
Sun Jan 13, 2019 6:18 am
More to the point...when you pull the power to swap SD cards, you will lose everything in the *Dynamic* Random Access Memory. DRAM has to be refreshed periodically or it "forgets" everything, and without power, that happens very quickly.
jamesh wrote:
Sun Jan 13, 2019 9:40 am
Has anyone ever tried reading ram after a cold boot or whatever, to see if there is anything in it?
Yes. People have tried that and have found that DRAM contents do not disappear as quickly as may have been imagined.

That's what the Wikipedia article describes, and there has been research done and papers written on the subject which is why we know there is such an attack vector and that it can potentially be used as a forensic tool. One for example -

https://www.usenix.org/event/sec08/tech ... derman.pdf
Contrary to popular assumption, DRAMs used in most modern computers retain their contents for several seconds after power is lost, even at room temperature and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images.
It has been known since the 1970s that DRAM cell contents survive to some extent even at room temperature and that retention times can be increased by cooling. In a 1978 experiment [29], a DRAM showed no data loss for a full week without refresh when cooled with liquid nitrogen.
Sorry, I should have been more specific and stated "on a Raspberry Pi".

incognitum
Posts: 353
Joined: Tue Oct 30, 2018 3:34 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sun Jan 13, 2019 6:00 pm

jamesh wrote:
Sun Jan 13, 2019 5:37 pm
Sorry, I should have been more specific and stated "on a Raspberry Pi".
As I mentioned, notro did, and that even worked when cutting power:
It even worked when I rebooted by quickly unplugging the power, ram didn't lose its contents!
Of course, writing crash logs to a predefined address in RAM, rebooting, and reading it back is simpler than dumping entire RAM and searching for useful information in that haystack, but the concept is the same.

W. H. Heydt
Posts: 10904
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Sun Jan 13, 2019 10:26 pm

W. H. Heydt wrote:
Sun Jan 13, 2019 6:18 am
More to the point...when you pull the power to swap SD cards, you will lose everything in the *Dynamic* Random Access Memory.
1) it doesn't lose contents instantly.
2) can't you just short the "RUN" contacts on the board to get it to reboot?
Takes time to swap the SD card so a forced reboot with the pins alone wouldn't work. It would reboot with the same SD card instead of the one you want to read the DRAM onto.

incognitum
Posts: 353
Joined: Tue Oct 30, 2018 3:34 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Mon Jan 14, 2019 12:31 am

W. H. Heydt wrote:
Sun Jan 13, 2019 10:26 pm
Takes time to swap the SD card so a forced reboot with the pins alone wouldn't work. It would reboot with the same SD card instead of the one you want to read the DRAM onto.
Not following you here.

You hotswap the SD card before shorting RUN.
Rebooting that way will equate to an unclean shutdown anyway, so yanking the SD card is not going to give you more loss than you will have anyway.

hippy
Posts: 5969
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Mon Jan 14, 2019 3:04 am

incognitum wrote:
Mon Jan 14, 2019 12:31 am
You hotswap the SD card before shorting RUN.
Or short RUN, swap the SD Card, remove the short on RUN.

The Pi will stop dead when RUN is shorted, and stay dead, until it reboots when that is removed.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 23708
Joined: Sat Jul 30, 2011 7:41 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Mon Jan 14, 2019 9:48 am

Can anyone actually explain why this is a valid security issue? In order to do any of the above, you need physical access to the device, in which case all bets are off anyway.

RDPUser
Posts: 140
Joined: Tue Jan 30, 2018 12:18 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Mon Jan 14, 2019 10:29 am

Can anyone actually explain why this is a valid security issue? In order to do any of the above, you need physical access to the device, in which case all bets are off anyway.
Yeah, you need physical access, and zeroing RAM at boot time would prevent this attack from reading out the memory. I mean, when we say we don't need this feature because when you have physical access all bets are off anyway, then you also don't need a screensaver/lockscreen. The user has physical access anyway so all bets would be off anyway.
EDIT: Protecting against cold boot attacks is only a few lines of code, the performance impact is very low, but the security gain is massive. So the ROI is extremely high and thus it should be implemented.
