RDPUser
Posts: 152
Joined: Tue Jan 30, 2018 12:18 pm

[Tutorial] Hardening/Securing RPi against cold boot attacks

Mon Aug 05, 2019 9:44 am

Perhaps you remember that we discussed at https://www.raspberrypi.org/forums/view ... p?t=231085 whether the Raspberry Pi is protected against cold boot attacks. There was a link to this thread https://www.raspberrypi.org/forums/view ... p?t=199047 where it was proven that RAM content remains even after a short power outage.

To circumvent this I’ve created a little script that uses initramfs and sdmem to wipe the RAM as early as possible. It would be even better if this were done in hardware, because an attacker could still remove the SD card and insert his own. To prevent this, glue the SD card into the RPi and issue a reboot if movement is detected. For that you could use a sensor like the SW-18010p or SW-18020p.

You find the testing methods for RAM remanence here https://www.raspberrypi.org/forums/view ... 9&t=246996

Of course these steps are only useful if you use some encryption on your RPi device. The best protection is to encrypt your whole RPi. For that, see for example https://github.com/NicoHood/NicoHood.gi ... n-Tutorial
or in this forum viewtopic.php?t=219867
I haven’t tried these tutorials yet.

Here are the steps to implement RAM Zeroing out after boot.
In /etc/default/raspberrypi-kernel uncomment the line #INITRD=Yes

Install sdmem via sudo apt-get install secure-delete

Create a hook to copy sdmem into /etc/initramfs-tools/hooks/sdmem_hook

```sh
#!/bin/sh
# initramfs-tools hook: copies sdmem into the initramfs image

set -e

PREREQ=""

prereqs () {
        echo "${PREREQ}"
}

case "${1}" in
        prereqs)
                prereqs
                exit 0
                ;;
esac

. /usr/share/initramfs-tools/hook-functions

# copy the sdmem binary and the libraries it needs into the image
copy_exec /usr/bin/sdmem /usr/bin

exit 0
```

Important: Add execution right via chmod +x


If you like you can create a file /etc/initramfs-tools/conf.d/custom containing only
COMPRESS=lzma
This reduces the initramfs file size from about 9 MB to about 6 MB. Since boot partition space is very limited prior to fresh installations of Raspbian Buster, this seems a good idea. There is a warning about an unsupported compression method, however it works and is LZMA compressed.

Then create a file that executes our sdmem. We place it in init-top to execute as early as possible. Execution takes only 2-3 seconds on an RPi 3. You see it only when there is a monitor connected; you can’t see the execution in logs, see https://superuser.com/questions/1188407 ... ng/1188585

cat /etc/initramfs-tools/scripts/init-top/ramDelete.sh

```sh
#!/bin/sh
# init-top boot script: wipes RAM with sdmem before the rest of the boot continues
PREREQ=""
prereqs()
{
   echo "$PREREQ"
}

case $1 in
prereqs)
   prereqs
   exit 0
   ;;
esac

/usr/bin/sdmem -llv
```

Important: Add execution right via chmod +x

Now create the initramfs via sudo update-initramfs -c -k $(uname -r)
Ignore the warning about cryptsetup and "ln failed". The "ln failed" is because it is a FAT filesystem, which doesn’t support links.
To make it execute you have to add the line
initramfs initrd.img-4.19.57-v7+ #Replace this with your corresponding version for your kernel
in /boot/config.txt
Here we go. Reboot and you’ll see the RAM delete executing for about 2-3 seconds, outputting a lot of asterisks **********

In /boot/cmdline.txt add net.ifnames=0 to keep the network adapter naming scheme like eth0. In fact, without this line you can verify your initramfs is executed because the name of the network adapter has changed.

Since every kernel update needs a new initramfs, you can use automation to update everything automatically. Just follow https://raspberrypi.stackexchange.com/q ... spberry-pi
Basically it is placing a script into /etc/kernel/postinst.d/rpi-initramfs-tools
And there is a script for manual updating. Both ensure that the right initramfs filename is in /boot/config.txt

Important: Cold boot attacks are only one attack vector. Ensure secure passwords. Install services like fail2ban to prevent an attacker breaking in via the network.

EDIT: Update paths from /bin to /usr/bin in initramfs for Debian Buster
Last edited by RDPUser on Tue Aug 06, 2019 9:38 pm, edited 1 time in total.
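
Added example (not part of RDPUser's post): a preflight check for the setup described in the tutorial above. It confirms that the hook and the init-top script exist and are executable, that the wipe script calls sdmem with an ASCII option dash, and that /boot/config.txt names the initramfs built for the given kernel. The function name, the ROOT argument (for checking a staged tree) and the output labels are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Usage on a live Pi:
#   check_ram_wipe_setup / "$(uname -r)"
# ROOT is an assumption of this example so a staged tree can be checked too.

check_ram_wipe_setup() {
    root="${1%/}"; kver="$2"; rc=0
    hook="$root/etc/initramfs-tools/hooks/sdmem_hook"
    wipe="$root/etc/initramfs-tools/scripts/init-top/ramDelete.sh"
    initrd="initrd.img-$kver"

    # The tutorial requires chmod +x on both files.
    for f in "$hook" "$wipe"; do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"; rc=1
        elif [ ! -x "$f" ]; then
            echo "NOT-EXEC $f (chmod +x)"; rc=1
        fi
    done

    # The wipe script must call sdmem with an ASCII '-' before its options;
    # a typographic dash pasted from a web page is not an option flag.
    if [ -f "$wipe" ] &&
       ! grep -Eq '^[[:space:]]*/usr/bin/sdmem[[:space:]]+-[a-z]+' "$wipe"; then
        echo "BAD-CALL $wipe has no '/usr/bin/sdmem -<opts>' line"; rc=1
    fi

    # The image built for this kernel must exist on the boot partition ...
    [ -f "$root/boot/$initrd" ] || { echo "MISSING  $root/boot/$initrd"; rc=1; }

    # ... and config.txt must name exactly that image (field match, so the
    # '.' and '+' in the kernel version are compared literally).
    if ! awk -v want="$initrd" \
            '$1 == "initramfs" && $2 == want { ok = 1 } END { exit !ok }' \
            "$root/boot/config.txt" 2>/dev/null; then
        echo "STALE    config.txt has no 'initramfs $initrd' line"; rc=1
    fi

    return "$rc"
}
```

Running it after every kernel update catches the case where config.txt still names the initramfs of the previous kernel.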

mahjongg
Forum Moderator
Posts: 12825
Joined: Sun Mar 11, 2012 12:19 am
Location: South Holland, The Netherlands

Re: [Tutorial] Hardening/Securing RPi against cold boot attacks

Mon Aug 05, 2019 6:18 pm

I think this is aluminium foil hat FUD, but at the instigation of JDB I moved it here. He wrote:
"It's a legitimate topic, though. It's an exercise for the reader to figure out why this workaround doesn't in fact protect against cold-boot attacks."
RDPUser will be back next week, I gave him a week off to rethink the validity of spreading fear while failing to provide a valid solution to a non-existing problem....

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 25971
Joined: Sat Jul 30, 2011 7:41 pm

Re: [Tutorial] Hardening/Securing RPi against cold boot attacks

Mon Aug 05, 2019 8:25 pm

I've undone RDPUser's week ban. Tin Foil Hat conspiracy it may be, but responding with why it's not an issue is the appropriate action.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
“My wife said to me `...you’re not even listening`.
I thought, that’s an odd way to start a conversation.."

mahjongg
Forum Moderator
Posts: 12825
Joined: Sun Mar 11, 2012 12:19 am
Location: South Holland, The Netherlands

Re: [Tutorial] Hardening/Securing RPi against cold boot attacks

Mon Aug 05, 2019 10:06 pm

I agree. :| and would like to offer an apology to RDPUser on how I misinterpreted his intentions, I'm sorry!

next up Rowhammer attacks? :mrgreen:

pica200
Posts: 216
Joined: Tue Aug 06, 2019 10:27 am

Re: [Tutorial] Hardening/Securing RPi against cold boot attacks

Wed Aug 07, 2019 11:42 pm

This is some first-class snake oil content :D There is no way to truly secure a machine if the attacker has physical access to it and the RPi is not made with security in mind. No chain of trust (easily removable boot media with unencrypted and unsigned bootloader) and no TrustZone so basically 0 protection.

scruss
Posts: 3068
Joined: Sat Jun 09, 2012 12:25 pm
Location: Toronto, ON

Re: [Tutorial] Hardening/Securing RPi against cold boot attacks

Wed Aug 07, 2019 11:57 pm

Did I miss the bit where RDPUser provided a working demo of pulling the µSD card from a running Raspberry Pi, replacing it with one that would dump RAM, and successfully reading memory from before the physical attack?
‘Remember the Golden Rule of Selling: “Do not resort to violence.”’ — McGlashan.
Pronouns: he/him

kilograham
Posts: 77
Joined: Fri Apr 12, 2019 11:00 am
Location: austin tx

Re: [Tutorial] Hardening/Securing RPi against cold boot attacks

Fri Aug 09, 2019 12:51 am

RDPUser wrote (Mon Aug 05, 2019 9:44 am):
"Important: Cold boot attacks are only one attack vector. Ensure secure passwords."

"raspberry" is an insecure password; i suggest "yrrebpsar1"

Andyroo

Re: [Tutorial] Hardening/Securing RPi against cold boot attacks

Fri Aug 09, 2019 1:18 am

scruss wrote (Wed Aug 07, 2019 11:57 pm):
"Did I miss the bit where RDPUser provided a working demo of pulling the µSD card from a running Raspberry Pi, replacing it with one that would dump RAM, and successfully reading memory from before the physical attack?"

Closest I can find is the note on this post https://www.raspberrypi.org/forums/view ... p?t=199047

Not sure if this is repeatable and RDPUser links back to this as the basis for his work.

scruss
Posts: 3068
Joined: Sat Jun 09, 2012 12:25 pm
Location: Toronto, ON

Re: [Tutorial] Hardening/Securing RPi against cold boot attacks

Fri Aug 09, 2019 2:25 am

That's a very specific setup designed to preserve crash data over a reboot. I need to see an SD image that can be inserted into any running Raspberry Pi and it will recover significant parts of memory

RDPUser
Posts: 152
Joined: Tue Jan 30, 2018 12:18 pm

Re: [Tutorial] Hardening/Securing RPi against cold boot attacks

Sun Aug 25, 2019 9:07 pm

@scruss
You can use the method explained here https://www.raspberrypi.org/forums/view ... 9&t=246996
Just do this in an initramfs with as little running as possible to recover most of the memory. Of course you could also compile your own kernel with a smaller memory footprint.

scruss
Posts: 3068
Joined: Sat Jun 09, 2012 12:25 pm
Location: Toronto, ON

Re: [Tutorial] Hardening/Securing RPi against cold boot attacks

Mon Aug 26, 2019 1:48 pm

So this works if you have a bootable µSD with your programs on it, and we could stop any Raspberry Pi running any OS, change µSD and boot with your system, and we'd recover most of the memory? I didn't see a card change in your process, just a reboot.

TBH, since this requires physical access, all bets are off. Recover data after a reboot remotely (without ssh access) and I'd be impressed.

W. H. Heydt
Posts: 11993
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: [Tutorial] Hardening/Securing RPi against cold boot attacks

Wed Aug 28, 2019 2:58 am

This strikes me as a solution in search of a problem.
