Cryptkeeper: Improving security with encrypted RAM

Discussion in 'all things UNIX' started by mirimir, Oct 15, 2011.

Thread Status:
Not open for further replies.
  1. mirimir

    mirimir Registered Member (Joined: Oct 1, 2011; Posts: 6,030)

    Abstract

    Random Access Memory (RAM) was recently shown to be vulnerable to physical attacks exposing the totality of memory, including user data and encryption keys. We present Cryptkeeper, a novel software-encrypted virtual memory manager that mitigates data exposure when used with a secure key-hiding mechanism. Cryptkeeper significantly reduces the amount of cleartext data in memory by dividing RAM into a smaller, cleartext working set and a larger, encrypted area. This extends the standard memory model and provides encrypted swap as a side effect. Despite a 9x slowdown in pathological cases, target applications such as Firefox are only 9% slower with our Linux-based prototype. We also identify several optimizations which can significantly improve performance. Cryptkeeper enables the expression of new security policies for memory, and demonstrates that modern personal computers can perform heavy-duty work on behalf of operating systems with surprisingly low overhead.

    Peterson, P.A.H. (2010) Cryptkeeper: Improving security with encrypted RAM. 2010 IEEE International Conference on Technologies for Homeland Security (HST), pp 120-126.
    -http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5655081
    -http://tastytronic.net/~pedro/docs/ieee-hst-2010.pdf
     
    Last edited: Oct 15, 2011
  2. J_L

    J_L Registered Member (Joined: Nov 6, 2009; Posts: 8,516)

    Is there a binary available or at least source?
     
  3. mirimir

    mirimir Registered Member (Joined: Oct 1, 2011; Posts: 6,030)

    I haven't found it, and I've looked hard. I was hoping that someone here might know. Maybe I'll just email him and ask.

    I have found two related efforts with code.

    Security Through Amnesia: A Software-Based Solution to the Cold Boot Attack on Disk Encryption
    -http://linuxrocks123.livejournal.com/93919.html
    -https://www.ideals.illinois.edu/handle/2142/18862

    TRESOR Runs Encryption Securely Outside RAM
    -http://www.usenix.org/events/sec/tech/full_papers/Muller.pdf
    -http://www1.informatik.uni-erlangen.de/tresor/

    But these are just disk encryption methods.

    What I want is encrypted RAM for VMs. With VirtualBox, for example, one can run VMs in debug mode:

    >VirtualBox --debug --startvm FOO

    Then "da/db/dw/dd/dq -- print memory contents as ASCII/bytes/words/dwords/qwords" -http://www.virtualbox.org/manual/ch12.html
     
    Last edited: Oct 16, 2011