Crypto systems can be owned if you manage to get a memory dump, because the crypto key must be in RAM. Here we evaluate possibilities to get the dump and how to restore the key from the dump.

closed

• http://www.freedom-to-tinker.com/?p=1257

• http://www.golem.de/0803/58166.html

FireWire - all your memory are belong to us

From http://md.hudora.de/presentations/#firewire-cansecwest

Firewire/i.Link is well known as a way for connecting video devices or external hard-disks to computers. One little known fact is that the Firewire protocol also allows to read and write physical memory on connected machines without further software support. This can be leveraged to escalate privileges or to spy on connected machines. We will present some fun software using FireWire to do things to computers which shouldn't happen.

• Folien

• Demo code for Linux

Memtest

Restart a running crypto system, boot our modified memtest to scan the RAM. This works, because SDRAM stays mostly valid on short power off.

• dual boot usb stick using grub
  • fdisk -l /dev/sda

Device Boot         Start         End      Blocks   Id  System
/dev/sda1               1         185       97664   83  Linux
/dev/sda2             186         937      397056   83  Linux

• sda1/boot/device.map

(hd0) /dev/sda
(hd0,0) /dev/sda1
(hd0,1) /dev/sda2

• cat sda1/boot/grub/menu.lst

default 0
timeout 3

title  grml-small
kernel (hd0,1)/linux26 ramdisk_size=100000 init=/etc/init lang=us usb apm=power-off vga=791 nomce BOOT_IMAGE=grml
initrd (hd0,1)/minirt26.gz

title memtest
kernel (hd0,0)/memtest.bin

• install grml to usb stick used as target system (grml-small 0.4)

  • install on sda2

• memtest 1.70

  • copy memtest.bin on sda1

gpxe

• network support integrated

• see our modifications

• test with qemu

qemu -cdrom bin/gpxe.iso -serial file:serial.log

• trigger "dns resolving" with

imgfetch http://ulm.ccc.de

key recovery

• Chaos Communication Camp 2007

• Folien

• hackszine.com

• Login

- last edited 2008-08-17 07:57:02 by localhost