Lest we forget: Cold-boot attacks on scrambled DDR3 memory

Lest we forget: Cold-boot attacks on scrambled DDR3 memory

As hard disk encryption, RAM disks, persistent data avoidance technology and memory-only malware become more widespread, memory analysis becomes more important. Cold-boot attacks are a software-independent method for such memory acquisition. However, on newer Intel computer systems the RAM contents...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:Digital investigation 2016-03, Vol.16, p.S65-S74
Hauptverfasser: Bauer, Johannes, Gruhn, Michael, Freiling, Felix C.
Format: Artikel
Sprache:eng
Schlagworte:
Cold-boot memory acquisition
Computer memory
Computer viruses
Decryption
Scrambling
Scraping
Semiconductors
Software
Whitening
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:As hard disk encryption, RAM disks, persistent data avoidance technology and memory-only malware become more widespread, memory analysis becomes more important. Cold-boot attacks are a software-independent method for such memory acquisition. However, on newer Intel computer systems the RAM contents are scrambled to minimize undesirable parasitic effects of semiconductors. We present a descrambling attack that requires at most 128 bytes of known plaintext within the image in order to perform full recovery. We further refine this attack using the mathematical relationships within the key stream to at most 50 bytes of known plaintext for a dual memory channel system. We therefore enable cold-boot attacks on systems employing Intel's memory scrambling technology.
ISSN:1742-2876
1873-202X
DOI:10.1016/j.diin.2016.01.009