Crypto systems can be owned if you manage to get a memory dump, because the crypto key must be in RAM. Here we evaluate possibilities to get the dump and how to restore the key from the dump.
FireWire - all your memory are belong to us
Firewire/i.Link is well known as a way for connecting video devices or external hard-disks to computers. One little known fact is that the Firewire protocol also allows to read and write physical memory on connected machines without further software support. This can be leveraged to escalate privileges or to spy on connected machines. We will present some fun software using FireWire to do things to computers which shouldn't happen.
Restart a running crypto system, boot our modified memtest to scan the RAM. This works, because SDRAM stays mostly valid on short power off.
- dual boot usb stick using grub
- fdisk -l /dev/sda
Device Boot Start End Blocks Id System /dev/sda1 1 185 97664 83 Linux /dev/sda2 186 937 397056 83 Linux
(hd0) /dev/sda (hd0,0) /dev/sda1 (hd0,1) /dev/sda2
- cat sda1/boot/grub/menu.lst
default 0 timeout 3 title grml-small kernel (hd0,1)/linux26 ramdisk_size=100000 init=/etc/init lang=us usb apm=power-off vga=791 nomce BOOT_IMAGE=grml initrd (hd0,1)/minirt26.gz title memtest kernel (hd0,0)/memtest.bin
install grml to usb stick used as target system (grml-small 0.4)
- install on sda2
- copy memtest.bin on sda1
- network support integrated
see our modifications
- test with qemu
qemu -cdrom bin/gpxe.iso -serial file:serial.log
- trigger "dns resolving" with