2

I read "Data Remanence in Semiconductor Devices" by Peter Gutmann, in which it is stated that it is possible to reconstruct the content of an erased SRAM based on changes of properties of the memory cells (thresholds, times).

Does this issue also apply to DDR2?

I use a laptop that contains a 2GB DDR2 module (PSD22G8002S), and I always run the BIOS POST memory test after working with sensitive data to overwrite it. In this case, is there any way to retrieve the deleted (overwritten) information?

Should I be worried about something like this?

schroeder
Hasbo
  • In case of DDR2 the issue is worse. https://en.wikipedia.org/wiki/Cold_boot_attack See "TCG Platform Reset Attack Mitigation Specification" But I guess the DDR2 laptop does not use that. It also won't prevent putting the RAM into a different machine. Maybe consider buying a new device? – secfren Nov 30 '22 at 21:18
  • Thanks for the warning. As I said, I use the BIOS POST memory test, everything is overwritten in a few seconds, and in addition my laptop does not contain any graphics memory. As I said, I'm interested in the issue described by Professor Gutmann, or you can explain to me what a man-in-the-RAM attack means, because I'm hearing this for the first time and they don't write anything about it anywhere on Google. – Hasbo Dec 01 '22 at 01:09
  • What issue? The wikipedia link mentions a relevant attack. What is your threat model? Someone dumping memory? Someone taking your memory modules and putting them into a different computer? Where is a man-in-the-RAM attack mentioned? – secfren Dec 01 '22 at 09:57
  • @secfren man-in-the-RAM is mentioned at the end of the "Secure erasure of memory" section in the wiki link... I really don't understand what they mean by this? – Hasbo Dec 01 '22 at 14:44
  • My threat model is that someone will take the RAM module from my PC and perform an analysis of the properties of the memory cells, possibly microscopy (but microscopy might not be possible). Based on the divergencies of voltage thresholds and timings, an attacker could estimate the previously stored value in the cell, even before the value (0,1) was overwritten. With SRAM, these divergencies arise due to "hot electrons". The question remains for me: does this also happen in the much more modern (compared to SRAM) DDR2 under normal circumstances? – Hasbo Dec 01 '22 at 14:52
  • No need for a microscope. The only thing an attacker has to do in this case is to unplug the RAM and plug it into some other PC. Ideally quickly and with cooling. If it would somehow hold the information forever there would be no need for that. These attacks have also been demonstrated for DDR2 RAM. Dunno what man-in-the-RAM is, the section looks odd to me and says "Citation needed". Maybe the single source is helpful? – secfren Dec 01 '22 at 15:12
  • @secfren I don't know if I understand it well. Do you want to say that with DDR2 in common home PCs cell parameters decrease like mentioned in Gutmann's study during normal use, and that the contents, based on voltage thresholds and r/w time, can be reconstructed even though the RAM was overwritten? How often and to what extent does this phenomenon occur, can you somehow prove your claim? It seems to me that you keep talking about the cold boot attack. – Hasbo Dec 01 '22 at 15:42
  • I do. If RAM is overwritten then there should not be a way to get data. If your threat is "someone takes your RAM and analyses it" then cold boot attacks are relevant, because nothing will be overwritten in this case. Unless it has been overwritten, RAM will still have the data. This will decay over time depending on temperature and type of RAM. – secfren Dec 01 '22 at 15:56
  • @secfren It's good that you mentioned it here; on the other hand, the internet is full of the CBO attack. I am really interested in the threat model in which the properties of the parameters of the overwritten cells are analyzed. I don't know much about it yet, but the good news is that on another forum they called it highly improbable and on another forum they outright rejected it. – Hasbo Dec 01 '22 at 16:02
  • @Hasbo Are you talking about retrieving the contents after an _extended_ period of no power? – forest Dec 02 '22 at 01:55
  • @forest Rather, it is about retrieving the original content overwritten by one round of pattern. – Hasbo Dec 02 '22 at 05:48
  • @Hasbo There is no way I am aware of that could recover any of the data, _especially_ after power off. Remember that every 64 ms, the current data is overwritten _again_. – forest Dec 02 '22 at 22:39

2 Answers

1

If I understand the question correctly, you're asking if it's possible to retrieve the contents of a DRAM cell after it is overwritten with new data, but while the system is still powered on.

There is no way to obtain the previous state of a DRAM cell after it has been overwritten. DRAM is dynamic, which means that each memory cell is refreshed regularly. As soon as you write new data to a memory location, you haven't just overwritten the data once. You're actively overwriting it again and again every 64 milliseconds. Whatever used to be there is long, long gone.

Note that it might be possible to use a rowhammer-like attack rapidly reading rows of memory to trigger hot-carrier injection that could damage nearby rows and increase their sensitivity to future rowhammer attacks. In theory, an attacker might be able to watermark memory by damaging it selectively in this way. Recovery of the watermarked data could be done by performing another rowhammer attack and determining which addresses are now more sensitive to rowhammer.

forest
  • If we, for example, overwrote the value "1111" with the value "1111", the positive charge might not be released, so if we immediately, in a couple of minutes, write 0 into the cell and measure the voltage or time of that cell, we would find a divergency, based on which we could assume that the value previously stored was "1". Under normal operating conditions, however, the cell is only slightly stressed, so in my opinion there should be no divergencies, at least not significant enough to be able to measure them in a short period of time, like 2 minutes, and they would not occur to a significant extent. – Hasbo Dec 03 '22 at 04:21
  • I quote from the document "Reduction of Signal Voltage of DRAM Cell Induced by Discharge of Trapped Charges in Nano-meter Thick Dual Dielectric Film", J. Kumagai, K. Toita, S. Kaki, and S. Sawada, Proceedings of the International Reliability Physics Symposium (IRPS 1990): "Trap/detrap characteristics strongly depend on stress voltage. Therefore, thicknesses and plate bias should be optimized by considering not only leakage current through film but also detrap of trapped charge." – Hasbo Dec 03 '22 at 04:49
  • @Hasbo Not only are some cells "true cells" and others "anti cells" (which means a logical 1 may or may not be stored as a charge), contents written to memory are first XORed with the output of an LFSR, which effectively randomizes the bit pattern. – forest Dec 05 '22 at 01:46
  • Do you mean that a classic memory dump reads logical values while the measurement technique examines physical cells? The content is XORed even in the case of a memory dump, but I guess I see what you mean... probably due to inaccurate values, we couldn't reverse the XOR process, right? – Hasbo Dec 05 '22 at 21:35
  • Scrambling was introduced with DDR3, at least this study suggests so: "Lest we forget: Cold-boot attacks on scrambled DDR3 memory". The condition is also that your CPU must support this technology. I am afraid that DDR2 is not scrambled. – Hasbo Dec 05 '22 at 22:58
  • @Hasbo Ah, you're correct. I forgot that you were only talking about DDR2. Comment deleted. – forest Dec 05 '22 at 23:00
  • I found the KINGSTON DDR2 ZD8000C6/2G product specification. The reseller states the following: they work at a standard voltage of 1.8 V up to a non-standard and risky 2.4 V. Many memory modules can handle a voltage in the range of 1.8 - 2.2 V; beyond that, damage can occur. From this I would estimate that if someone does not change the voltage as part of an attack or as a result of a HW error, then the voltage of 1.8V should be safe enough, and even if there were occasional small divergencies, it would not allow guessing the content of the overwritten data. What is your opinion? – Hasbo Dec 05 '22 at 23:36
  • @Hasbo Are you referring to the risk of watermarking via hot-carrier injection? That is not damage caused by overvoltage. Rowhammer-type attacks can cause damage without needing to adjust the voltage by hammering the same rows for hundreds of hours. I'm not sure if DDR2, which is far less vulnerable to rowhammer due to its much larger access transistors, can be affected in the same way. – forest Dec 05 '22 at 23:39
  • If the attacks were not possible because the computer does not have access to the network, then only excessive heat or voltage peaks would affect the HC injection, if I'm not wrong. From that I deduced that at standard temperatures and voltages, HC injection will not occur to a noticeable extent. Am I saying it right? – Hasbo Dec 05 '22 at 23:59
  • @Hasbo It has nothing to do with access to the network but about a local malicious process. – forest Dec 06 '22 at 00:01
  • And if we don't take into account any malicious process? – Hasbo Dec 06 '22 at 00:04
  • @Hasbo If there are no local malicious processes, then there's no way to selectively damage the DRAM, meaning that a single overwrite will destroy any previous data. – forest Dec 06 '22 at 00:06
  • I think that Rowhammer could be identified by excessive RAM load in Task Manager or Process Hacker. – Hasbo Dec 06 '22 at 00:07
  • @Hasbo There are some papers on attempting to detect rowhammer, but all the techniques (such as using the perf monitor to count LLC cache misses and the like) are easy to bypass. All you can do is see excessive _CPU_ load, which is bound to cause false positives. – forest Dec 06 '22 at 00:10
  • Now I'm not sure if I got it right before. If we access DDR3 after restarting the memory controller, the data can no longer be unscrambled. Am I saying it right? – Hasbo Dec 10 '22 at 05:47
  • @Hasbo If you restart the memory controller, the previous scrambling seed will be lost. However, it will be easy to break, either with brute force or by using the Berlekamp-Massey algorithm. – forest Dec 10 '22 at 22:17
  • Ah, well I didn't know that, thanks. I thought switching to DDR3 might solve this problem. Could you give me a link where I can read about it? – Hasbo Dec 11 '22 at 01:13
  • @Hasbo https://doc.lagout.org/security/DFRWS-EU-2016-7.pdf – forest Dec 11 '22 at 21:48
  • It seems terribly complicated to me, like pulling a rabbit out of a wizard's hat, but I agree that it would be possible in the case of RAM that was not overwritten. But if they had to rely only on divergencies of the voltage shift and derive from them whether it was 1 or 0 in the cell, because the RAM was overwritten, then it would be many times more difficult; moreover, DDR3 is among the nm technologies for which, according to Conundrum, it is not feasible. – Hasbo Dec 12 '22 at 04:56
  • Despite the fact that so far everyone I have talked to about the problem has told me that it is not feasible even with DDR2, I have to say that 1. DDR2 is probably not smaller than 50nm, 2. it's quite possible that @Conundrum is talking about 256MB as a memory chip and does not mean the capacity of the entire RAM module, and from that it could be deduced that in the case of 2GB DDR2 it is theoretically feasible, at least according to Conundrum. Although this is a theoretical attack and the RAM module will probably not be subjected to as much stress as in the studies, I still question it. – Hasbo Dec 12 '22 at 04:56
  • https://security.stackexchange.com/questions/99906/can-ram-retain-data-after-removal – Hasbo Dec 12 '22 at 05:03
  • I would rather phrase my question: Is it possible, in the case of DDR2, to recover the previous contents of a DRAM cell after it has been overwritten by an erase pattern and the computer has been immediately turned off? Maybe I wouldn't associate this problem with watermarking via hot-carrier injection, but rather with threshold voltage degradation or threshold voltage shifts. Did something change after I clarified my question, or do you still claim that recovery is not possible? – Hasbo Dec 12 '22 at 20:00
  • @Hasbo Recovery is not possible after the previous contents have been overwritten. – forest Dec 12 '22 at 22:33
  • I think I got it now. I misinterpreted Conundrum's post. Apparently the attack he describes can only be used if the RAM hasn't been overwritten; it makes sense. Thank you. – Hasbo Dec 13 '22 at 21:41
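The comments above touch on DDR3 memory scrambling and forest's remark that a lost scrambler seed is easy to recover with the Berlekamp-Massey algorithm. The following is an added example, not code from the thread or from any memory controller vendor, that shows why scrambling is obfuscation rather than confidentiality: the scrambler XORs stored data with an LFSR keystream, an LFSR keystream is a linear recurrence, and a region of known plaintext (a zero-filled page is enough) gives Berlekamp-Massey the 2*L bits it needs to reconstruct the generator and descramble everything else. Register length, taps, seed and the "memory image" are all constructed for the demonstration; real controllers use their own undocumented parameters. The practical takeaway for a defender is the one forest gives: the only controls that remove data are overwriting it (refresh included) or never leaving it in cleartext DRAM, not the scrambler.

```python
"""
Added example, not from the Stack Exchange thread: why DDR3-style memory
scrambling is obfuscation, not confidentiality.  The scrambler XORs each
stored word with the output of an LFSR seeded at memory-controller init.
An LFSR output is a linear recurrence, so Berlekamp-Massey recovers the
shortest generating LFSR from 2*L consecutive keystream bits (L = register
length).  Any region whose plaintext is known, e.g. a zero-filled page,
leaks exactly those keystream bits.  All parameters below are constructed.
"""
from typing import List, Tuple

# Constructed 16-bit Fibonacci LFSR: new bit = s[i] ^ s[i+2] ^ s[i+3] ^ s[i+5],
# characteristic polynomial x^16 + x^5 + x^3 + x^2 + 1 (primitive; the
# reciprocal of the textbook x^16 + x^14 + x^13 + x^11 + 1).
TAPS = [0, 2, 3, 5]
SEED = [int(b) for b in format(0xACE1, "016b")]   # constructed, non-zero seed
KNOWN_ZERO_BYTES = 16                              # zero-filled region at offset 0
# Constructed "memory image": a zeroed region followed by secret data.
PLAINTEXT = bytes(KNOWN_ZERO_BYTES) + b"constructed secret: 0123456789abcdef"


def lfsr_stream(taps: List[int], seed: List[int], n: int) -> List[int]:
    """Emit n keystream bits; taps index the current state, index 0 being
    the bit that is shifted out (and output) this step."""
    state = list(seed)
    out = []
    for _ in range(n):
        out.append(state[0])
        new_bit = 0
        for t in taps:
            new_bit ^= state[t]
        state = state[1:] + [new_bit]
    return out


def bytes_to_bits(data: bytes) -> List[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def scramble(data: bytes, taps: List[int], seed: List[int]) -> bytes:
    """What the controller does: XOR the image with the LFSR keystream."""
    ks = lfsr_stream(taps, seed, len(data) * 8)
    return bits_to_bytes([p ^ k for p, k in zip(bytes_to_bits(data), ks)])


def berlekamp_massey(s: List[int]) -> Tuple[int, List[int]]:
    """GF(2) Berlekamp-Massey.  Returns (L, c) with c[0] = 1 such that
    s[n] = XOR_{i=1..L} (c[i] & s[n-i]) for every n >= L in the input."""
    n = len(s)
    c = [1] + [0] * n          # current connection polynomial
    b = [1] + [0] * n          # polynomial before the last length change
    L, m = 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d == 0:
            continue           # current LFSR already predicts s[i]
        t = c[:]
        shift = i - m
        for j in range(n + 1 - shift):
            c[j + shift] ^= b[j]
        if 2 * L <= i:
            L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def extend_keystream(c: List[int], L: int, prefix: List[int], n: int) -> List[int]:
    """Run the recovered recurrence forward until n bits are available."""
    s = list(prefix[:L])
    while len(s) < n:
        bit = 0
        for i in range(1, L + 1):
            bit ^= c[i] & s[-i]
        s.append(bit)
    return s


def recover_from_known_zeros(scrambled: bytes, zero_bytes: int) -> Tuple[int, bytes]:
    """If the first zero_bytes of plaintext are 0x00, those scrambled bytes
    *are* keystream: recover the LFSR from them and descramble the image."""
    sbits = bytes_to_bits(scrambled)
    leaked = sbits[:zero_bytes * 8]            # 128 bits >= 2 * 16 needed
    L, c = berlekamp_massey(leaked)
    ks = extend_keystream(c, L, leaked, len(sbits))
    return L, bits_to_bytes([x ^ k for x, k in zip(sbits, ks)])


def demo() -> Tuple[int, bytes]:
    scrambled = scramble(PLAINTEXT, TAPS, SEED)
    return recover_from_known_zeros(scrambled, KNOWN_ZERO_BYTES)


if __name__ == "__main__":
    length, recovered = demo()
    print(f"recovered LFSR length: {length}")
    print(f"descrambled image: {recovered!r}")
```

`demo()` returns the recovered register length (16 here) and the descrambled image, which equals `PLAINTEXT` even though the seed was never given to the recovery side. Only 2*L keystream bits are required, which is why forest calls the seed "easy to break": a single zeroed page on a typical system provides thousands of times that.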
-1

I think that the design of commercially available RAM modules cannot be modified, at least not without damage and risk of data loss; as a result, it is not possible to replace the dummy sense amplifier with a more accurate type that would read the exact cell voltage values, from which it would be possible to infer what values had been stored for a long time (see picture).

https://medium.com/@hritwik567/concurrent-refresh-aware-dram-memory-architecture-4ff2b2b302c8

It would be theoretically possible to use the pause time measurement technique on single cells, as mentioned in "Reduction of Signal Voltage of DRAM Cell Induced by Discharge of Trapped Charges in Nano-meter Thick Dual Dielectric Film", J. Kumagai, K. Toita, S. Kaki, and S. Sawada.

User @Conundrum in the linked question "Can RAM retain data after removal?" states that this can only be done up to 256MB RAM due to new geometries.

I think the same will apply to microscopic probing, although unfortunately I cannot confirm this. In addition, the memory modules would have to be tunnelled.

Furthermore, from the graphs of the reference cells in the aforementioned study, it can be seen that the DRAM voltage shift under normal operating conditions is not significant (+-0.05V) and returns to its original state in short time intervals even during the constant "1" write operation, and the pause time diverges slightly but is stable and does not rise or fall.

In the link https://m.hexus.net/tech/tech-explained/ram/18846-ddr-ddr2-memory/ you can also find a mention of OCD (Off Chip Driver calibration).

I reckon that the previously investigated problem did not get worse but, on the contrary, improved, even though the dimensions are reduced, because other countermeasures were also introduced, such as materials or a reduction of the operating voltage.

I think unwanted effects like hot carrier can occur to different degrees depending on different criteria, but it doesn't change the fact that the previous content cannot be reconstructed due to the previous reasons, provided that excessive thermal and voltage changes were not caused by malware or a hardware error.

https://www.eesemi.com/oxidebreakdown.htm

Hasbo
  • Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center (/help/how-to-answer). – Community Dec 02 '22 at 21:54