
Let's say I have a computer with full disk encryption which is logged in and running, but I suspect it has anti-forensics software (e.g. usbkill), which means that I risk compromising the integrity of the data with one of the following actions:

  • inserting a USB/SD card
  • downloading/uploading from internet
  • not executing a specific action each X hours (a dead man's switch)

What do you think is the best course of action in order to perform forensic analysis on it? If there is no good way to perform it, what do you think is the best approximation?

J. Doe

1 Answer


There are many ways to compromise a running computer if you have physical access. How likely it is that you will be able to obtain the level of access you need depends on several factors, including your resources, the level of skill of the defender, and the amount of time you have available. You haven't provided much information about your target, so this answer will be fairly general but will assume they are fairly sophisticated and have a good understanding of the x86 architecture and hardware security. Specifically, it would be helpful if you provided more information on the following:

  • Is the target using COTS (Commercial Off-The-Shelf) hardware, or is it custom?
  • Are there physical security measures in place, like chassis intrusion detection?
  • What is your budget? Can you pay for custom attack hardware?
  • Are you willing to sign an NDA with Intel to use their JTAG SDK?
  • Is the memory acquisition done on-scene, or in a dedicated laboratory?
  • Do you prefer higher risk of detection, or higher risk of data corruption?

All of these points, especially the ones about the target's particular choice of hardware, can help narrow down exactly what the optimal strategy is. Otherwise the answer will be broad. The worst-case scenario is that the target has a deep understanding of the x86 architecture and has developed a sophisticated solution similar to vCage, reducing the TCB to that of the CPU itself and mitigating virtually all physical attacks. This would require novel acquisition methods to be created.


Below are some general classes of memory acquisition attacks against x86 hardware.

IEEE 1149.1

The "best" course of action would be to use the IEEE 1149.1 protocol, aka JTAG. This is a debugging protocol which puts a processor into probe mode. From there it can be halted, registers can be read or modified (including the instruction pointer), addresses in memory can be read or modified, etc. There is generally no defense from a JTAG attack short of destruction of the physical JTAG header (XDP) on the motherboard. A JTAG attack for Intel motherboards requires an expensive probe. Newer systems support DCI, which allows JTAG debugging to be performed over USB. Many BIOSes will disable DCI support, requiring a fallback to the expensive alternative.

Bus mastering

PCIe devices natively support hotplugging and have in their configuration space a two-byte command register. Bit 2 is bus master enable which, when set, allows the device to perform DMA requests to read and write to generally arbitrary locations in memory. While the PCIe device may be able to set this bit on its own, the PCI bridge also needs the bit set in order to forward the DMA request. All the PCIe device has to do is convince the operating system that it requires a driver which does grant it DMA abilities. At that point you can read or write to arbitrary locations in memory. Note that some systems will use DMA Remapping, or DMAR, which can restrict the locations of memory you can access (though this might not be enough to mitigate such attacks, and some older systems have a broken IOMMU). If this is the case, or if you expect the system is further hardened to detect the insertion of new DMA-capable devices, then it may not be fruitful to attempt to use a PCIe device for DMA. DMA is among the most commonly used techniques for memory acquisition.

Cold boot attacks

There are two types of cold boot attacks. You can either reboot the system into another bootloader which then reads memory, or you can physically remove (and optionally freeze) the memory modules and transfer them to a system under your control. This cannot generally be detected unless you attempt to freeze the memory while it is still under control of the target computer, but it risks large amounts of data loss if done improperly. Modern memory (DDR3 and DDR4) also uses a feature called memory scrambling to reduce excessive electrical interference. The scrambling seed is very weak as it uses an LFSR, but it still requires at least basic cryptanalysis to break. There is an additional benefit to the cold boot attack, though, which is that the memory acquisition is atomic, leaving no memory smear. I wrote more about this in another answer.

Attacking TRESOR

TRESOR is a kernel patch for Linux which does encryption entirely outside of memory, mitigating cold boot attacks and passive DMA. The keys are kept only in the CPU's x86 debug registers, and key material never enters memory (except during an NMI or SMI). Defeating TRESOR requires the ability to write to memory. The most effective way to do this is to modify the IDT, triggering the execution of custom code in supervisor mode at the next interrupt. This code can be used to read the debug registers. This attack is described in more detail in another paper. Your target may not use this particular mitigation, or they may have developed their own using any number of innovative techniques. You should know as much as possible about your target before interacting with their machine.


Let's assume five different skill levels of the defender in order to approximate what attack vector would be ideal. These will be simplifications and the proper course of action should be to learn more about the target before attempting any risky procedures.

  1. No skills at all. The target knows effectively nothing about hardware security. They may run antivirus software and lock their computer when they leave, but that's about it. Any of the above techniques are liable to work. The average person may fit into this category.

  2. Low skill-level. The target has a very limited understanding of hardware security. They are capable of finding and running pre-written defensive software. They are using unmodified consumer hardware and likely do not check if DMAR is enabled. In this case, a DMA attack would easily be the most effective. Plugging in a PCIe device could make it possible to read memory. A security-conscious power user may fall into this category.

  3. Moderate skill-level. The target has a good understanding of hardware security. Their computer may have some basic modifications made to it, such as epoxy resin blocking sensitive ports. They may be able to write basic defensive software for a variety of attacks. DMAR is likely supported and correctly enforced, making DMA attacks impractical. The system may or may not react defensively when a new PCIe device is attached. In this case, a JTAG attack would be most effective. If TRESOR is not in use, a cold boot attack may do. A particularly clever amateur security researcher may fall into this category.

  4. High skill-level. The target has a deep understanding of hardware security and may have access to unreleased or confidential documents from their hardware manufacturer. Their system is either heavily modified, or completely customized. Intrusion detection may include cameras inside or near the chassis. Individual sensitive chips, traces, and buses may be encased in anti-tamper epoxy. JTAG headers could be physically destroyed or wired to alert the system to an attack. Attacking a system operated in this way requires in-depth knowledge of the target, a fair amount of custom hardware, and novel attacks. An employee for a large security contractor for a government working on sensitive data may fall into this category.

  5. Nation-state skill-level. The target has resources on par with a nation-state. The chipset itself is likely designed in-house and manufactured in a secure, on-site fab by a contractor. Every component is part of this target's own supply chain. Custom defense mechanisms are likely enforced, all the way down to the microscopic level (e.g. sophisticated chip-off protection mechanisms). Physical destruction (and black bagging) may occur if tampering is detected. The device is completely shielded from RFI/EMI leakage. Cryptographic modules may be certified with at minimum FIPS 140-2 level 4, and software running on the machine is likely to be at least partially formally verified and tested up to EAL7+. A highly-sensitive and well-funded branch of an FVEY or SSEUR member may fall into this category.

forest
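The "Bus mastering" section of the answer above talks about bit 2 of the PCI command register (Bus Master Enable) and about DMAR/IOMMU as the mitigation. The script below is an added example, not code from the answer or from any project it mentions: it decodes the standard 64-byte type-0 configuration header, lists devices that currently have Bus Master Enable set, and reports whether the Linux kernel has placed devices into IOMMU groups (the `config` file under `/sys/bus/pci/devices/*/` and the `/sys/kernel/iommu_groups` directory are real Linux interfaces; the first 64 bytes of `config` are readable without root). The two config dumps embedded in it are constructed by hand and the vendor/device IDs in them are placeholders, not real hardware.

```python
"""Decode PCI configuration-space headers and flag bus-master-capable devices.

Added example for the "Bus mastering" discussion; it is not code from the
original answer.  SAMPLE_DEVICES is constructed test data with placeholder IDs.
"""
import os
import struct

COMMAND_OFF = 0x04        # 16-bit Command register in the type-0 header
CMD_IO_SPACE = 1 << 0     # device decodes I/O port accesses
CMD_MEM_SPACE = 1 << 1    # device decodes memory accesses
CMD_BUS_MASTER = 1 << 2   # Bus Master Enable: device may issue DMA requests


def parse_config(cfg: bytes) -> dict:
    """Return IDs, class code and decoded Command bits from a raw config dump."""
    if len(cfg) < 64:
        raise ValueError("need at least the 64-byte standard header")
    vendor_id, device_id, command = struct.unpack_from("<HHH", cfg, 0x00)
    # Class code is three bytes at 0x09..0x0B: prog-if, subclass, base class.
    class_code = (cfg[0x0B] << 16) | (cfg[0x0A] << 8) | cfg[0x09]
    return {
        "vendor_id": vendor_id,
        "device_id": device_id,
        "class_code": class_code,
        "bus_master": bool(command & CMD_BUS_MASTER),
        "mem_space": bool(command & CMD_MEM_SPACE),
        "io_space": bool(command & CMD_IO_SPACE),
    }


def make_header(vendor_id: int, device_id: int, command: int, class_code: int) -> bytes:
    """Build a minimal 64-byte type-0 header (used only for constructed test data)."""
    hdr = bytearray(64)
    struct.pack_into("<HHH", hdr, 0x00, vendor_id, device_id, command)
    hdr[0x09] = class_code & 0xFF
    hdr[0x0A] = (class_code >> 8) & 0xFF
    hdr[0x0B] = (class_code >> 16) & 0xFF
    return bytes(hdr)


def bus_masters(devices: dict) -> list:
    """devices maps a PCI address to its raw config dump; return addresses with BME set."""
    return sorted(addr for addr, cfg in devices.items() if parse_config(cfg)["bus_master"])


def scan_sysfs(root: str = "/sys/bus/pci/devices") -> dict:
    """Read the first 64 config bytes of every PCI device Linux exposes in sysfs."""
    found = {}
    if not os.path.isdir(root):
        return found
    for addr in os.listdir(root):
        try:
            with open(os.path.join(root, addr, "config"), "rb") as fh:
                found[addr] = fh.read(64)
        except OSError:
            continue
    return found


def iommu_active(root: str = "/sys/kernel/iommu_groups") -> bool:
    """True if the kernel has formed IOMMU groups, i.e. DMA remapping is in use.
    With DMAR/IOMMU off the directory is empty or absent."""
    return os.path.isdir(root) and len(os.listdir(root)) > 0


# Constructed sample (placeholder IDs): one device with BME set, one without.
SAMPLE_DEVICES = {
    "0000:03:00.0": make_header(0x1234, 0x5678, CMD_MEM_SPACE | CMD_BUS_MASTER, 0x0C0330),
    "0000:00:1f.3": make_header(0x1234, 0x9ABC, CMD_MEM_SPACE, 0x040300),
}

if __name__ == "__main__":
    devices = scan_sysfs() or SAMPLE_DEVICES
    print("IOMMU groups present:", iommu_active())
    for addr in bus_masters(devices):
        info = parse_config(devices[addr])
        print(f"{addr}: {info['vendor_id']:04x}:{info['device_id']:04x} "
              f"class {info['class_code']:06x} bus-master enabled")
```

Run it on a live Linux box to get the real list; a hotplugged device that shows up with bus mastering enabled while `iommu_active()` is false is exactly the situation the answer describes as easiest to exploit. The opposite combination (IOMMU groups present) only tells you remapping is on, not whether the device's group is actually isolated, so treat it as a first check rather than a verdict.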
  • Are there any introductory texts for hardware security that you would recommend, or other resources (videos, interactive modules, etc.) geared to beginners? – Mar 14 '18 at 05:47
  • @orbuculum I can't think of anything specific for beginners, since hardware security is a pretty advanced topic. However there are lots of DEF CON and BlackHat presentations on video which are very enlightening. They vary from geared towards hardware designers to the average security researcher who may not specialize in hardware security. The dangers of DCI for example were popularized by a presentation called something like "Attacking the Core". – forest Mar 14 '18 at 05:50
  • Ah I was thinking of [Tapping into the Core](https://media.ccc.de/v/33c3-8069-tapping_into_the_core) from 33c3. CCC is also great for this kind of thing. Looks like the guys who did that presentation were the same guys who released the info on hijacking the CSME using JTAG! Their Twitter accounts are great for keeping up to date with some of the more advanced and cutting-edge attacks. It's actually a little scary. – forest Mar 14 '18 at 05:57
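The cold boot section of the answer says DDR3/DDR4 memory scrambling uses an LFSR and therefore needs only basic cryptanalysis to undo. The toy below is an added example, not code from the answer: it models the scrambler as a 16-bit Fibonacci LFSR (polynomial x^16 + x^14 + x^13 + x^11 + 1, one clock per bit, LSB first), then shows the recovery an analyst would do on a dump: two bytes of known plaintext (a zero-filled page is the usual source) yield 16 consecutive keystream bits, which for this register are its contents at that point; because a linear recurrence is invertible the state is rewound to the start of memory and the whole dump is descrambled. The polynomial, byte layout and the sample "memory" are assumptions for illustration; a real memory controller uses its own polynomial and per-channel seeding, which this does not reproduce.

```python
"""Toy LFSR memory scrambler and its known-plaintext recovery.

Added example for the cold boot discussion; not code from the original answer.
The 16-bit Fibonacci LFSR (taps 16,14,13,11), the byte layout and SAMPLE_MEMORY
are assumptions for illustration, not a real DDR3/DDR4 scrambler.
"""

MASK = 0xFFFF


def lfsr_step(state: int):
    """Clock the register once; return (new_state, output_bit). Output is the LSB."""
    out = state & 1
    fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return (state >> 1) | (fb << 15), out


def lfsr_step_back(state: int) -> int:
    """Invert lfsr_step. The shifted-out bit is recomputed from the feedback bit
    and the other taps, so any recovered state can be rewound."""
    s0 = ((state >> 15) ^ (state >> 1) ^ (state >> 2) ^ (state >> 4)) & 1
    return ((state << 1) & MASK) | s0


def keystream(state: int, nbytes: int) -> bytes:
    """nbytes of scrambling mask: 8 clocks per byte, output bits packed LSB first."""
    out = bytearray()
    for _ in range(nbytes):
        b = 0
        for i in range(8):
            state, bit = lfsr_step(state)
            b |= bit << i
        out.append(b)
    return bytes(out)


def scramble(seed: int, data: bytes) -> bytes:
    """XOR with the keystream; scrambling and descrambling are the same operation."""
    return bytes(d ^ k for d, k in zip(data, keystream(seed, len(data))))


def recover_state(dump: bytes, known_plain: bytes, offset: int) -> int:
    """Two known plaintext bytes at byte `offset` expose 16 consecutive keystream
    bits, which are exactly the register contents before clock 8*offset."""
    ks = bytes(c ^ p for c, p in zip(dump[offset:offset + 2], known_plain[:2]))
    return ks[0] | (ks[1] << 8)


def descramble_dump(dump: bytes, known_plain: bytes, offset: int) -> bytes:
    """Recover the state at `offset`, rewind it to byte 0 and unscramble the dump."""
    state = recover_state(dump, known_plain, offset)
    for _ in range(offset * 8):
        state = lfsr_step_back(state)
    return scramble(state, dump)


# Constructed sample "physical memory": a zero page followed by data worth recovering.
SAMPLE_SEED = 0xACE1
SAMPLE_MEMORY = b"\x00" * 64 + b"AES key schedule lives here" + bytes(range(37))
SAMPLE_DUMP = scramble(SAMPLE_SEED, SAMPLE_MEMORY)

if __name__ == "__main__":
    # The analyst only assumes bytes 40..41 of the dump were zero in plaintext.
    recovered = descramble_dump(SAMPLE_DUMP, b"\x00\x00", 40)
    print("full recovery:", recovered == SAMPLE_MEMORY)
```

The point the toy makes is the one the answer makes: a scrambler whose state advances linearly has no secrecy beyond its seed, and the seed is recoverable from any region whose contents you can guess. What changes on real hardware is only the bookkeeping (the actual polynomial, how the seed is derived per boot and per channel, and how bits map to the physical bus), not the nature of the attack.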