RDPUser
Posts: 138
Joined: Tue Jan 30, 2018 12:18 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Tue Jan 15, 2019 8:31 am

It's a few lines of code BUILT IN TO THE SOC, i.e. hardwired in the silicon itself. So to put that in the current Pi would cost about $500k (the cost of a respin of the die).
Of course you're right. Sorry that I didn't mention it.
So that would have to be done for the Pi 5.
So have you already put it on your list, or do I have to write somewhere? Because it is still a long time till then, perhaps it is even possible to encrypt the RAM fully, as is now upcoming for the x86 CPUs, just to keep in mind...
I'd suggest human right activists use file by file encryption, which doesn't involve a decryption key being stored in RAM.
The decryption key, or at least the password, is stored for a short time in RAM. Let's suppose the human rights activist uses 7zip. 7zip now must ensure that the typed password and the actual derived key are overwritten beforehand. In addition all decrypted data must be zeroed out after writing to disk.
Then when the data is on disk he must encrypt it again; the encryption program must do the same steps as above, then the user must securely erase the file from disk.
But the big problem is: software like LibreOffice doesn't clear its RAM content after closing. So even when your encryption software wipes out keys and passwords, the attacker can read out the whole document after a cold boot attack. So for me this cold boot attack is not overblown at all.

You don't have to be a human rights activist. There is data that has to stay private. For example my roommate wants to store on the Pi who is at home. Now someone in the commune does something illegal. Police seized the Pi and now they would know when I was at home. That's my private data; police should not have any right to view my data because I didn't do anything.

Burngate
Posts: 5930
Joined: Thu Sep 29, 2011 4:34 pm
Location: Berkshire UK Tralfamadore
Contact: Website

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Tue Jan 15, 2019 6:38 pm

RDPUser wrote:
Tue Jan 15, 2019 8:31 am
... For example my roommate wants to store on the Pi who is at home. Now someone in the commune does something illegal. Police seized the Pi and now they would know when I was at home. That's my private data; police should not have any right to view my data because I didn't do anything.
If you don't want the police to know when you're home, why let your roommate gather that information?
And how do we know you didn't do anything? All we've got is your word for that.

But all this is so far out on the fringes of paranoia, and a waste of time anyway.
No need for any hi-tech cold-boot exploits.

If someone wants your data, all they need to do is fix a spy camera in your ceiling and watch you type.
If they want to know when you go out, they'll put a spy camera in the house across the street.

Tzarls
Posts: 224
Joined: Tue Feb 26, 2013 6:59 am

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 12:40 am

Ok, here's the solution you've been looking for, without having to redesign SoCs or spend millions. You just need to design a new case based on these guidelines:

The case should be closed and cover the SD slot with some kind of lid.

When the lid is opened it activates some mechanism that moves some pieces inside the case, causing a short in the RPi's electronics, frying it and effectively preventing any kind of boot-based attack.

Closing the lid doesn't release the short. The only way to clear it is to use some kind of tool in some place of the case. Maybe something magnetic, so the case can still be totally sealed. That way you have a way to change SD cards.

Of course this can't be something commercial for obvious reasons.

Does this make sense?

RDPUser
Posts: 138
Joined: Tue Jan 30, 2018 12:18 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 9:39 am

It would work; however, you could accidentally destroy your Pi.

What sounds great, and could work but not reliably: you can integrate a shake detector. A script is running and, when it detects a shake, a dismount command for the VeraCrypt volume is issued, thus preventing the key for the volume from being obtained. Then issue a reboot and have a modified boot routine on the SD card to overwrite the RAM in the first seconds. But the attacker only needs to cut power briefly, then immediately switch the SD card and power on again.

Nevertheless all the data open at that time is still in RAM and recoverable.

We should hope for zeroing out / initializing RAM for the Pi after the next Pi. The Pi Foundation would massively profit from this security feature because all the clones like BananaPi, OrangePi and so on don't have it, and so this would be a unique selling point.

hippy
Posts: 5588
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 10:37 am

RDPUser wrote:
Wed Jan 16, 2019 9:39 am
The Pi Foundation would massively profit from this security feature because all the clones like BananaPi, OrangePi and so on don't have it, and so this would be a unique selling point.
It is pure speculation that the RPF would "massively profit" with no evidence to support it.

My view is that few people care that it doesn't have this feature so adding it would be a development cost for almost zero gain. I believe there are other things the RPF could spend their money on which would be more beneficial and deliver better returns.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 23071
Joined: Sat Jul 30, 2011 7:41 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 11:37 am

I suspect the added sales would take the digits up both hands and possibly one foot.

Simply not high enough demand to do it. There is no 'massive profit' here.

Let's say we change the bootloader in the SoC to zero RAM on startup. However, we make a mistake that gets through simulation, and it stops the chip from booting up. Not likely but not impossible.

Goodbye £500k.

It's why changes to bootrom code are only done when we REALLY REALLLY need to do them.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
"My grief counseller just died, luckily, he was so good, I didn't care."

incognitum
Posts: 299
Joined: Tue Oct 30, 2018 3:34 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 1:19 pm

jamesh wrote:
Mon Jan 14, 2019 9:56 pm
I'd suggest human right activists use file by file encryption
File encryption certainly has its uses when you want to send files to someone else, and want to protect them in transit.
But the protection it offers against someone gaining access to your storage is inadequate, because it is very easy to overlook things that compromise your security.

1) Suppose someone is writing an article in Libreoffice
2) After he is done, he saves it, encrypts it with 7zip/gnupg/etc.
3) He securely overwrites the original document with "wipe". Which overwrites the document with zeroes, ones and random data.
4) He turns off the system. So nothing is in RAM either.

What did he overlook?

well, try opening any document in Libreoffice yourself, and look closely in /tmp

$ ls /tmp
dhcpcd-pi      lu1183z3xk41.tmp                                               ssh-3oXtSk6lQykk  
systemd-private-a4ea8aba21f74efc98bbd83f74f0b2e5-systemd-timesyncd.service-eeeWxa
hsperfdata_pi  OSL_PIPE_1000_SingleOfficeIPC_4917865a218918af6e8e08efe9c38a4  ssh-BnBKQEDIV8YJ

$ ls /tmp/lu1183z3xk41.tmp
lu1183z3xk43.tmp

$ file /tmp/lu1183z3xk41.tmp/lu1183z3xk43.tmp
lu1183z3xk43.tmp: OpenDocument Text
LibreOffice creates a temporary copy of every document you open.
When you close it, it deletes the temporary copy, but not in a secure manner.
The file is only marked deleted in the file system, but its contents are still on storage until the space is needed for other files.
Running any forensic disk analysis program can recover the contents in seconds.

Sure, there are solutions against that as well, like putting /tmp in tmpfs (ramdisk).
Which would work in the case of LibreOffice, but then again may not work when using some other software that tends to store temporary files in the home folder instead. So that is not a real solution either.
Moral of the story is that whole disk encryption is the only reasonably secure encryption option.


As for the suggestion that anyone caught with an encrypted file system is in trouble anyway.
There are plenty of countries that are civilized enough, that say a journalist working for an international newspaper would not suffer physical consequences for having an encrypted file system. But if the sources that have leaked information to the journalist could be identified they may not be so privileged.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 23071
Joined: Sat Jul 30, 2011 7:41 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 1:42 pm

incognitum wrote:
Wed Jan 16, 2019 1:19 pm
jamesh wrote:
Mon Jan 14, 2019 9:56 pm
I'd suggest human right activists use file by file encryption
File encryption certainly has its uses when you want to send files to someone else, and want to protect them in transit.
But the protection it offers against someone gaining access to your storage is inadequate, because it is very easy to overlook things that compromise your security.

1) Suppose someone is writing an article in Libreoffice
2) After he is done, he saves it, encrypts it with 7zip/gnupg/etc.
3) He securely overwrites the original document with "wipe". Which overwrites the document with zeroes, ones and random data.
4) He turns off the system. So nothing is in RAM either.

What did he overlook?

well, try opening any document in Libreoffice yourself, and look closely in /tmp

$ ls /tmp
dhcpcd-pi      lu1183z3xk41.tmp                                               ssh-3oXtSk6lQykk  
systemd-private-a4ea8aba21f74efc98bbd83f74f0b2e5-systemd-timesyncd.service-eeeWxa
hsperfdata_pi  OSL_PIPE_1000_SingleOfficeIPC_4917865a218918af6e8e08efe9c38a4  ssh-BnBKQEDIV8YJ

$ ls /tmp/lu1183z3xk41.tmp
lu1183z3xk43.tmp

$ file /tmp/lu1183z3xk41.tmp/lu1183z3xk43.tmp
lu1183z3xk43.tmp: OpenDocument Text
LibreOffice creates a temporary copy of every document you open.
When you close it, it deletes the temporary copy, but not in a secure manner.
The file is only marked deleted in the file system, but its contents are still on storage until the space is needed for other files.
Running any forensic disk analysis program can recover the contents in seconds.

Sure, there are solutions against that as well, like putting /tmp in tmpfs (ramdisk).
Which would work in the case of LibreOffice, but then again may not work when using some other software that tends to store temporary files in the home folder instead. So that is not a real solution either.
Moral of the story is that whole disk encryption is the only reasonably secure encryption option.


As for the suggestion that anyone caught with an encrypted file system is in trouble anyway.
There are plenty of countries that are civilized enough, that say a journalist working for an international newspaper would not suffer physical consequences for having an encrypted file system. But if the sources that have leaked information to the journalist could be identified they may not be so privileged.
Which has nothing to do with us or a cold boot attack.... If people are not savvy enough to use secure software as well as secure encryption, I am not sure there is anything we can do about it. Apart from educate, of course, but one would hope that if people are working in environments where they need to keep things very private, they would have educated themselves as to the requirements.

hippy
Posts: 5588
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 2:02 pm

jamesh wrote:
Wed Jan 16, 2019 11:37 am
Let's say we change the bootloader in the SoC to zero RAM on startup. However, we make a mistake that gets through simulation, and it stops the chip from booting up. Not likely but not impossible.

Goodbye £500k.

It's why changes to bootrom code are only done when we REALLY REALLLY need to do them.
The solution there would be to not have on-chip ROM but Flash. Of course that would add its own issues and wouldn't help with this attack vector, would actually mean any internal bootcode efforts to avoid it would be sunk. But for the one off cost of moving to Flash it would mean future upgrades or bug fixes to internal bootcode would become free bar creating that code.

If Pi's already had Flash rather than ROM, RPT could probably have added boot from USB and networking booting to all Pi variants right back to the original A's and B's. The bugs and issues which there have been in internal bootcode and might be in future could be resolved without needing a silicon respin and the huge related costs.

rpdom
Posts: 14728
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 2:26 pm

hippy wrote:
Wed Jan 16, 2019 2:02 pm
If Pi's already had Flash rather than ROM, RPT could probably have added boot from USB and networking booting to all Pi variants right back to the original A's and B's. The bugs and issues which there have been in internal bootcode and might be in future could be resolved without needing a silicon respin and the huge related costs.
That would negate one of the good points of the Pi. It is unbrickable. Just imagine lots of people accidentally updating the bootrom in flash and getting it wrong. At the moment all you can corrupt is the card, and then you just rewrite that or use a new one. (I'm not talking about frying the hardware, obviously).

hippy
Posts: 5588
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 3:58 pm

rpdom wrote:
Wed Jan 16, 2019 2:26 pm
That would negate one of the good points of the Pi. It is unbrickable.
Having flash doesn't necessarily render a SoC brickable.

Most things which get 'bricked' are recoverable in some way. It is true that the means to do that is often not readily available, requires JTAG access, specialised hardware and tools, require connections which may not always be easily accessible, and in the worst cases may require the SoC to be unsoldered.

But that's because the developers have not designed the SoC or board to be easily unbricked.

A SoC can use a mix of minimal Flash and ROM ( or write-protected area of Flash or OTP ) to ensure there's always some means to re-load the Flash from SD Card or to run what's in Flash.

jdb
Raspberry Pi Engineer & Forum Moderator
Posts: 2030
Joined: Thu Jul 11, 2013 2:37 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 4:43 pm

jamesh wrote:
Wed Jan 16, 2019 11:37 am
I suspect the added sales would take the digits up both hands and possibly one foot.

Simply not high enough demand to do it. There is no 'massive profit' here.

Let's say we change the bootloader in the SoC to zero RAM on startup. However, we make a mistake that gets through simulation, and it stops the chip from booting up. Not likely but not impossible.

Goodbye £500k.

It's why changes to bootrom code are only done when we REALLY REALLLY need to do them.
To further pour water on the "bootrom zeroes SDRAM" argument: the bootrom is incapable of setting up the SDRAM. Different chip manufacturers have different bus timings and each of these need to be stored in a table somewhere. In addition, once you start the SDRAM running then you need routines to manage the controller's PVT (process/voltage/temperature) drift - again needing storage.

The software-provided second stage bootloader exists for a reason - it can be made large enough to do all necessary setup for all SDRAM chips that can be used on a Pi AND can be altered for future chips.
Rockets are loud.
https://astro-pi.org

RDPUser
Posts: 138
Joined: Tue Jan 30, 2018 12:18 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 5:07 pm

To further pour water on the "bootrom zeroes SDRAM" argument: the bootrom is incapable of setting up the SDRAM. Different chip manufacturers have different bus timings and each of these need to be stored in a table somewhere. In addition, once you start the SDRAM running then you need routines to manage the controller's PVT (process/voltage/temperature) drift - again needing storage.
So if I got this right, it is technically impossible to zero out the RAM in the bootrom with the current hardware platform?

Can you keep in mind and note somewhere this security issue for future RPi generations? Perhaps it is possible then or a full RAM encryption.
The software-provided second stage bootloader exists for a reason - it can be made large enough to do all necessary setup for all SDRAM chips that can be used on a Pi AND can be altered for future chips.
Can you implement zeroing out in this second bootloader? Then the RPi could be secured with little hardware: glue the SD card, add a shake detector. Upon a shake, the RPi reboots. If the attacker cuts power and tries to switch SD cards he hasn't enough time because it's glued. By the time he manages it, RAM has lost its data or the RPi is booting and zeroing out RAM.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 23071
Joined: Sat Jul 30, 2011 7:41 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 6:04 pm

RDPUser wrote:
Wed Jan 16, 2019 5:07 pm
To further pour water on the "bootrom zeroes SDRAM" argument: the bootrom is incapable of setting up the SDRAM. Different chip manufacturers have different bus timings and each of these need to be stored in a table somewhere. In addition, once you start the SDRAM running then you need routines to manage the controller's PVT (process/voltage/temperature) drift - again needing storage.
So if I got this right, it is technically impossible to zero out the RAM in the bootrom with the current hardware platform?

Can you keep in mind and note somewhere this security issue for future RPi generations? Perhaps it is possible then or a full RAM encryption.
The software-provided second stage bootloader exists for a reason - it can be made large enough to do all necessary setup for all SDRAM chips that can be used on a Pi AND can be altered for future chips.
Can you implement zeroing out in this second bootloader? Then the RPi could be secured with little hardware: glue the SD card, add a shake detector. Upon a shake, the RPi reboots. If the attacker cuts power and tries to switch SD cards he hasn't enough time because it's glued. By the time he manages it, RAM has lost its data or the RPi is booting and zeroing out RAM.
Technically impossible on the current AND future Pi's, since the bootloader cannot be programmed in advance with all the possible SDRAM chips that might be used.

As for the second stage bootloader, it seems unlikely we will spend much dev time on this. There simply is not enough demand, and it's so easy to circumvent it's not going to increase security overmuch. If someone is doing any work on the 2nd stage, we might add it as an option, but not in the near future, and not for the current range.

RDPUser
Posts: 138
Joined: Tue Jan 30, 2018 12:18 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 7:13 pm

and it's so easy to circumvent it's not going to increase security overmuch.
Can you tell me how easy it is to circumvent when you have glued the SD card and added a shake sensor? The shake sensor leads to key erasure after noticing a shake. This little piece of hardware will cost in total much below $5. I'll build a solution and post it here as soon as RAM is cleared upon reboot.
The attacker's only way is to cut power to prevent the shake sensor from working. From then on time works against him. If he powers on, RAM is overwritten; if he keeps the power off, data in RAM decays. He won't manage to switch that glued SD card within seconds.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 23071
Joined: Sat Jul 30, 2011 7:41 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 8:51 pm

RDPUser wrote:
Wed Jan 16, 2019 7:13 pm
and it's so easy to circumvent it's not going to increase security overmuch.
Can you tell me how easy it is to circumvent when you have glued the SD card and added a shake sensor? The shake sensor leads to key erasure after noticing a shake. This little piece of hardware will cost in total much below $5. I'll build a solution and post it here as soon as RAM is cleared upon reboot.
The attacker's only way is to cut power to prevent the shake sensor from working. From then on time works against him. If he powers on, RAM is overwritten; if he keeps the power off, data in RAM decays. He won't manage to switch that glued SD card within seconds.
If the SD card is glued in then you cannot insert a different SD card to actually take advantage of any RAM persistence.

It's all very well coming up with even more esoteric and weird ways of doing this, but tbh, why would anyone bother. If you are that concerned about security, just use something that has better security.

I wouldn't hold your breath for any zeroing on boot, could be a long wait. Simply not worth our time. Really.

RDPUser
Posts: 138
Joined: Tue Jan 30, 2018 12:18 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 9:42 pm

If the SD card is glued in then you cannot insert a different SD card to actually take advantage of any RAM persistence.
There are measures to remove the glue, so a second level of security is needed.
If you are that concerned about security, just use something that has better security.
What can you recommend that is comparable to RPi in size, capabilities, reasonable price and especially stability?

davidcoton
Posts: 3940
Joined: Mon Sep 01, 2014 2:37 pm
Location: Cambridge, UK

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 9:52 pm

RDPUser wrote:
Wed Jan 16, 2019 9:42 pm

What can you recommend that is comparable to RPi in size, capabilities, reasonable price and especially stability?
Nothing, because:
  1. This is a Pi forum, run by RPF/T, so discussion of rival products is discouraged.
  2. Security costs money (haven't you got that message yet?) and therefore products at the Pi's price point are not secure.

HiassofT
Posts: 201
Joined: Fri Jun 30, 2017 10:07 pm
Location: Salzburg, Austria
Contact: Website

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 10:03 pm

RDPUser wrote:
Wed Jan 16, 2019 9:42 pm
There are measures to remove the glue, so a second level of security is needed.
If you can remove the glue and swap the SD card then doing it in bootcode.bin is too late.

If you prevent people swapping the SD card or get access to the RPi itself then you can just clear RAM during the normal Linux boot sequence, eg in a systemd unit.

so long,

Hias
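One way to do what Hias describes, clearing free RAM from a oneshot systemd unit during normal Linux boot, added here as an example (not Hias's code and not anything shipped by Raspberry Pi): a dedicated tmpfs is mounted, filled with zeros and unmounted, which makes the kernel hand out and zero-fill the free pages. The mount point, unit file and the meminfo sample are assumptions; the scrub only reaches memory that is free at that moment, not pages already held by the kernel or other processes, and it does nothing for a swap device.

```shell
#!/bin/sh
# Added example: scrub RAM that is free early in the Linux boot sequence.
# Every page the kernel gives to tmpfs is zero-filled, so writing zeros into a
# tmpfs until it is full recycles the free pages through that zeroing.
# Limits: memory already in use is untouched, and the scrub stops short of
# MemAvailable so the OOM killer is not provoked on a Pi without swap.

# mem_available_kb [MEMINFO_FILE]: print MemAvailable (kB) from /proc/meminfo
# format; the file is a parameter so a constructed sample can be used in tests.
mem_available_kb() {
    awk '$1 == "MemAvailable:" { print $2; found = 1 } END { exit !found }' \
        "${1:-/proc/meminfo}"
}

# scrub_dir DIR CAP_MB: write zeros into DIR until it is full or CAP_MB is
# reached, then delete the file. Succeeds when at least one MiB was written.
scrub_dir() {
    dir=$1
    cap_mb=$2
    # dd exits non-zero with ENOSPC once the tmpfs is full; that is expected.
    dd if=/dev/zero of="$dir/scrub.$$" bs=1M count="$cap_mb" 2>/dev/null || :
    written=$(wc -c < "$dir/scrub.$$")
    rm -f "$dir/scrub.$$"
    [ "$written" -ge 1048576 ]
}

# scrub_free_ram [MOUNT_DIR]: mount a tmpfs sized to MemAvailable minus a
# safety margin, fill it, unmount it. Needs root; intended for the unit below.
scrub_free_ram() {
    dir=${1:-/run/ramscrub}          # assumed mount point
    keep_kb=65536                    # leave 64 MiB for the rest of early boot
    kb=$(mem_available_kb) || return 1
    kb=$(( kb - keep_kb ))
    [ "$kb" -gt 1024 ] || return 1
    mkdir -p "$dir"
    mount -t tmpfs -o "size=${kb}k,mode=0700" ramscrub "$dir" || return 1
    scrub_dir "$dir" $(( kb / 1024 ))
    rc=$?
    umount "$dir"
    return $rc
}

# Assumed unit, e.g. /etc/systemd/system/ramscrub.service, pointing at this
# script installed as /usr/local/sbin/ramscrub.sh and invoked with "run":
#   [Unit]
#   Description=Zero free RAM early in boot
#   DefaultDependencies=no
#   Before=sysinit.target
#   [Service]
#   Type=oneshot
#   ExecStart=/usr/local/sbin/ramscrub.sh run
#   [Install]
#   WantedBy=sysinit.target
case "${1:-}" in
    run) scrub_free_ram ;;
esac

# Constructed /proc/meminfo excerpt used to exercise mem_available_kb offline.
SAMPLE_MEMINFO=$(mktemp)
cat > "$SAMPLE_MEMINFO" <<'EOF'
MemTotal:         948304 kB
MemFree:          612128 kB
MemAvailable:     771820 kB
Buffers:           21632 kB
EOF
```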

Greg Erskine
Posts: 114
Joined: Sat Sep 15, 2012 4:20 am

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 10:04 pm

RDPUser wrote:
Wed Jan 16, 2019 9:42 pm
If you are that concerned about security, just use something that has better security.
What can you recommend that is comparable to RPi in size, capabilities, reasonable price and especially stability?
It's a tradeoff. I think you need to make these decisions yourself.
* Raspberry Pi is a trademark of the Raspberry Pi Foundation

Tzarls
Posts: 224
Joined: Tue Feb 26, 2013 6:59 am

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 10:48 pm

Another idea, this time with some hardware hacking:

Could you just modify the power adapter in such a way that when it is connected to the load (the RPi) it slowly charges some kind of device (a capacitor?) and only after that it powers its main device (the RPi)? By delaying the reboot process the RAM would have enough time to clear its contents at least in "normal" conditions and for the unsuspecting "cold-booter". The power supply should also discharge its capacitor (or whatever is being used) very quickly, so unplugging and plugging very quickly will still trigger the delay.

Add your glued SD card to the mixture and you can increase the time between shutting down and rebooting.

TBH, I, like many others, also believe that if what you need is a secure device you should be using something designed specifically for the task, if such a thing exists.

jdb
Raspberry Pi Engineer & Forum Moderator
Posts: 2030
Joined: Thu Jul 11, 2013 2:37 pm

Re: Raspberry PI cold boot attack protected / Zero out RAM after boot?

Wed Jan 16, 2019 11:09 pm

I think this thread is done. If you're wanting a "secure" device then there are many out there on sale that tout various security features; writing 0s to SDRAM on boot is certain to be among them.

The Pi is most definitely NOT a secure hardware device in the common sense of the word. Users wanting software security must consider physical security first, or all bets are off.

Thread locked.