you know RAM remanence, here's a new one: graphic cards?

Discussion in 'other security issues & news' started by katio, Jan 11, 2011.

Thread Status:
Not open for further replies.
  1. katio

    katio Guest

    Remember cold boot attacks against RAM?

    I'm not sure if I'm interpreting everything correctly so I'll just describe what I see:

    I disconnect all harddrives and flash drives from the system, boot it into a Ubuntu live CD, using the open source radeon driver with KMS on a Radeon HD 5770 Series card. Now I open some application and click on reboot. The system restarts. Like before it shows some funny patterned artifacts. But before the Gnome desktop fully loads I suddenly see the window I opened in the previous session for a few seconds. The screen flickers and I get the default and empty desktop.
    So either it was still in RAM or it's in the graphic cards memory.

    Fully reproducible for me, steps to reproduce (I think):
    Buy a 5770 and use the radeon drivers coming with Ubuntu Maverick alpha 1, in the live CD boot menu select the first entry so it boots into full GNOME and not the installer.

    This is a privacy issue, if I install the system anyone can see what I was last doing without logging in. I'd first need to close all applications but the (potentially NSFW :p) wallpaper is still visible.
     
  2. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,102
    Hi katio,

    Simply rebooting does not wipe RAM, therefore it is probable you saw a remnant of the previous session.

    You need to install a wipe routine in the shutdown sequence of the halt routine to wipe RAM prior to reboot or actual power down. Then and only then will the remnants of the previous session be gone from RAM.

    I do not think you saw any graphic card memory, although that may be possible. So, to make positively 100% sure, if you wipe both RAM and the graphic card's memory then you would be covering yourself almost but not quite - remember there is swap memory that also would probably be required to be wiped to be certain you have no remnants left over.

    You could test the theory by substituting another graphics card. I recommend the package secure-delete be installed. Then look at the man pages to see how to wipe RAM and Swap memory. For the graphic card, check the manufacturer's documentation to see if there is an interface for that kind of wiping on shutdown that can be activated from the graphic's card firmware, similar to that of the hard drive on-board wipe routines in some hard drive firmware.

    Also, in the shutdown sequence (halt) you could replace your NSFW wallpaper with a black screen image to cover yourself there.

    To do all of this, you probably need to roll a new Live CD/USB with persistence to make it happen.

    -- Tom
     
    Last edited: Jan 11, 2011
  3. katio

    katio Guest

    Thank you for the reply!

    Manufacturer documentation - that's a good one considering the state of AMD/ATI's Linux support :p
    Swap is no issue, just use FDE, also in my case there's no swap.
    Using another graphic card: tricky as it might be very driver dependent. The open source radeon driver doesn't really support my card that well (no Compiz/Unity). What I'm seeing is a bug in the driver in any case. The really interesting question is if and what kind of data survives a reboot inside the graphic card.

    Wiping RAM to rule that out is a great idea, will have to do more testing.

    PS:
    That NSFW comment was just to illustrate my point (what else did you think?) :p
     
  4. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,102
    Hi katio,

    Oh, I suppose I missed the word "potentially"! I really didn't think anything else.

    sdmem is the name of the routine you need to run from the halt script.

    One way to see how it is implemented is to boot up the August 2008 Incognito Live CD, which does what you need. Look at the scripts in init.d - shutdown and halt. There is a parameter in the shutdown code to make sure that the sdmem can run without wiping itself when run from RAM (i.e. Live CD) - may have something to do with running from swap? I am a bit hazy on the details as it was perhaps a year or more ago I looked at the code, so what I have described here is my best guess at what may be an incomplete attribute that booting up the Incognito Live CD can clear up upon inspection. As best I can recall it may have had something to do with utmp or wtmp. I need to do my homework (i.e. go back and read the code)! :))

    -- Tom
     
  5. katio

    katio Guest

    I finally got around to testing this further. I tried using the halt/init scripts but I couldn't find further info on how to do it in a way that erases all RAM and not just the free space. Instead I came up with another idea:

    My method:
    install Ubuntu 10.10, updated as of today, same hardware, drivers
    open a few windows
    press power button for a few seconds to force a reboot
    in grub go into single user/recovery mode
    log in and execute
    sudo sdmem -ll
    (-ll is one pass overwrite zeros which should _definitely_ be enough for flash/RAM kind of memory)
    this takes a few seconds
    hard reboot again
    SUCCESS! I can still see the windows from the first session. It's not a clear picture but text is partially readable.

    I do hard reboots because it seems that when I log out of gnome it first closes all windows and then kills xorg. Only the very last content of xorg is "frozen" into the graphic card memory (at least I can't see anything else). Presumably forensics could recover more - and on any graphic card/OS/driver combination.
     
  6. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Katio, one possibility to explore (although inconvenient) is to boot from the diagnostic CD provided by the manufacturer of your PC and run the memory and graphics tests. Presumably, these operations would destroy any residual information.
     
  7. katio

    katio Guest

    I built the system myself :p

    I think we can now safely rule out RAM and disk remanence. What's left is the graphic card. I don't see a need for further proof.
    BTW I have no interest in "fixing" this. I only want to raise awareness and make public that graphic card memory too can be used in forensics against encrypted systems, for example akin to the known cold boot attacks.
     
  8. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,102
    Hi katio,

    Try the following in Ubuntu 10.10 for the file /etc/init.d/halt before the halt command on line 62, i.e.
    halt -d -f $netdown $poweroff $hddown:

    As root, replace line 61 with the following 3 lines, and time the different parameters available for your amount of RAM to the sdmem command:

    echo "preparing to wipe RAM" # notify user prior to wipe
    halt -w &> /dev/null # write wtmp record
    /usr/bin/sdmem > /dev/null # wipe RAM

    -- Tom
     
  9. katio

    katio Guest

    I used this:
    echo "preparing to wipe RAM" # notify user prior to wipe
    halt -w &> /dev/null # write wtmp record
    /usr/bin/sdmem -ll # wipe RAM

    (with kms and plymouth I can't see anything anyway)

    I don't think it's working, halting the system is way too fast. I don't know what you mean by timing the parameters, should I let the script wait for sdmem to finish or something like that?

    Anyway I don't see how it could make a difference to run sdmem at poweroff instead of, rebooting into single user mode then wiping all free RAM (the windows from the previous session certainly aren't in active RAM...), booting up into X and still being able to see remanent data.
     
  10. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,102
    There are several alternatives:
    1) surround the sdmem command with date command
    2) run sdmem command as parameter of time command

    In both cases, wait for sdmem command to complete.

    If you don't wait for sdmem command to complete - you will never know.

    -- Tom
     
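    The suggestion in the last few posts (run sdmem from the halt script, wait for it, and time it) can be put together as a small shutdown hook. The following is an added example written for this thread; it is not code from the thread, from Ubuntu, or from the secure-delete package. The function names timed_wipe and ram_wipe_hook, the WIPE_CMD and WIPE_LOG variables, and the log file path are choices made here; the only command-line it relies on from the thread is /usr/bin/sdmem -ll and halt -w. The hook runs the wipe in the foreground so the halt script cannot continue until it has finished, measures the elapsed time with date(1) (the "surround it with date" alternative above), and records the result so you can compare the sdmem parameters for your amount of RAM.

```shell
#!/bin/sh
# Added example for the thread above (not from the thread, Ubuntu or
# secure-delete). Intended to be sourced from /etc/init.d/halt and called
# just before the "halt -d -f $netdown $poweroff $hddown" line.
#
# WIPE_CMD / WIPE_LOG are names chosen here (assumptions); the default
# command is the one used in the thread.
WIPE_CMD="${WIPE_CMD:-/usr/bin/sdmem -ll}"
WIPE_LOG="${WIPE_LOG:-/var/log/ram-wipe.log}"

# timed_wipe CMD LOGFILE
#   Runs CMD in the foreground, waits for it to complete, measures the
#   wall-clock time with date(1), appends one record to LOGFILE and prints
#   "<exit-status> <elapsed-seconds>" on stdout so callers can check both.
timed_wipe() {
    cmd="$1"
    log="$2"
    start=$(date +%s)
    # "&& ... ||" keeps a non-zero exit from aborting a script run under set -e
    sh -c "$cmd" && status=0 || status=$?
    end=$(date +%s)
    elapsed=$((end - start))
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s wipe="%s" exit=%d elapsed=%ds\n' \
        "$stamp" "$cmd" "$status" "$elapsed" >> "$log"
    echo "$status $elapsed"
}

# ram_wipe_hook
#   The piece that goes into the halt script: announce the wipe, write the
#   wtmp record (as in the thread), then run the wipe and wait for it.
#   Skips quietly if the wipe binary is not installed, so halt still works.
ram_wipe_hook() {
    bin="${WIPE_CMD%% *}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "RAM wipe skipped: $bin not found" >&2
        return 0
    fi
    echo "preparing to wipe RAM"          # notify user prior to wipe
    halt -w >/dev/null 2>&1 || true       # write wtmp record
    result=$(timed_wipe "$WIPE_CMD" "$WIPE_LOG")
    echo "RAM wipe finished (exit elapsed): $result"
    return 0
}
```

    Reading the log after a few shutdowns shows whether sdmem actually ran to completion and how long each parameter set took. As the thread itself found, this only addresses main memory: whatever is still held in the graphics card's memory after a reboot is not touched by sdmem, and the hook makes no claim to clear it.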