
Post on 29-Dec-2015


Protecting Cryptographic Keys from Memory Disclosure Attacks

Presented by John Shu

Shouhuai Xu and Keith Harrison, UTSA, Dept. Computer Science

Outline

Introduction

Threat Assessment

Understanding the Attack

Countering Memory Disclosure Attacks

Conclusion

Introduction

Cryptography as an indispensable tool in security

Premise here is the security of cryptographic keys

A brief example of how it all works

Introduction Cryptographic Keys (Symmetric)

[source: http://securitycerts.org/images/symmetric-alice-bob.jpg]

Introduction Cryptographic Keys (Asymmetric) e.g. RSA

1. Choose two distinct prime numbers P and Q

2. Calculate n=PQ

3. Calculate ϕ(n) = (P-1)(Q-1), where ϕ is Euler's totient function

4. Choose an integer e, 1 < e < ϕ(n), e co-prime to ϕ(n)

5. Find d = e⁻¹ mod ϕ(n) (i.e., d is the multiplicative inverse of e modulo ϕ(n))

Introduction

These cryptographic keys should be kept secret

Memory Disclosure Vulnerabilities violate this

Attacks built on this concept can access information:

Allocated Memory

Unallocated Memory

These attacks can effectively expose RSA private Keys !!!

Threat Assessment

Initial experiments on OpenSSH and Apache HTTP servers

Memory Disclosure Vulnerabilities in Linux Kernels prior to 2.6.12, 2.4.30 and 2.6.11.

Directories created in the file system could leak 4KB

Portions of memory may be disclosed from unsigned types in certain files.

Recall RSA crypto system

System consists of d, e, P, Q, ϕ(n) and a PEM (.pem) file which contains the whole key.

Disclosure of any of d, P, Q or the PEM-encoded file can lead to compromise of the private key.

Experiment included: 3.2 Intel Pentium 4 CPU, Gentoo Linux OS and 2.6.10 kernel, OpenSSH 4.3 server and Apache 2.0.55 server

OpenSSH server Procedure

Plugged in USB to machine running OpenSSH

Script performed the following function

1. Created large number of connections to localhost

2. Then script immediately closed all connections

3. Created a large number of directories in USB where each directory revealed less than 4072 bytes of memory onto the USB device

Device was then removed and searched for copies of private key

OpenSSH: # of keys found

source: [4]

OpenSSH: success rate of attacks

source: [4]

Understanding the Attacks

The need for a tool to take ‘snapshots’ of memory

A tool was developed in C code to:

Obtain snapshots of memory

Do bookkeeping: “which processes have access to memory pages that contain private keys”

Deployed as a Loadable Kernel Module

Output from LKM

source: [4]

Countering Memory Disclosure Attacks

The following measures were proposed:

The crypto key should appear in allocated memory a minimal number of times

Unallocated memory should not have a copy of the cryptographic key

These measures were enforced at various levels of the System

Application Layer

Solution: Utilize “Copy on Write management Policy” to avoid unnecessary duplication of private key

Implementation: RSA_memory_align() function was used to ensure that only one copy of private key appears in secluded region of allocated memory

Library Layer

Solution: Eliminate unnecessary duplication of cryptographic keys in allocated memory using the same scheme as above

Implementation: Pages from the special region of memory are not copied or swapped.

Kernel Layer

Solution: Ensure that unallocated memory does not contain any private keys by zeroing physical pages after use.

Implementation: free_hot_cold_page() function was modified to ensure that pages are cleared before being added to list of free pages in unallocated memory
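
The measures above (a single key copy in a secluded region, pages that are not copied or swapped, memory zeroed before release) can be approximated from user space on Linux. The following C is an added example, not the authors' RSA_memory_align() or their kernel patch; the key_region type and its functions are hypothetical names, and MADV_DONTFORK stands in for the copy-on-write handling the slides describe.

```c
/* Added example: Linux user-space sketch, not the authors' code. */
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef struct {              /* hypothetical type for this example */
    unsigned char *buf;       /* page-aligned start of the region */
    size_t len;               /* length, rounded up to whole pages */
    int locked;               /* 1 if mlock() succeeded (pages not swapped) */
    int nofork;               /* 1 if fork() children do not get the pages */
} key_region;

/* Map a private anonymous region meant to hold the only copy of the key.
 * With require_lock set, fail closed when the pages cannot be pinned. */
static int key_region_alloc(key_region *r, size_t want, int require_lock)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    r->len = (want + page - 1) / page * page;
    r->buf = mmap(NULL, r->len, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (r->buf == MAP_FAILED) { r->buf = NULL; return -1; }
    r->locked = (mlock(r->buf, r->len) == 0);
    r->nofork = (madvise(r->buf, r->len, MADV_DONTFORK) == 0);
    if (require_lock && !r->locked) {
        munmap(r->buf, r->len);
        r->buf = NULL;
        return -1;
    }
    return 0;
}

/* Overwrite through a volatile pointer so the stores are not optimized away. */
static void key_region_wipe(key_region *r)
{
    volatile unsigned char *p = r->buf;
    for (size_t i = 0; i < r->len; i++) p[i] = 0;
}

/* Wipe first, then unmap, so the released pages carry no key bytes. */
static void key_region_free(key_region *r)
{
    if (!r->buf) return;
    key_region_wipe(r);
    munlock(r->buf, r->len);
    munmap(r->buf, r->len);
    r->buf = NULL;
}
```

A caller that loads a real private key would pass require_lock = 1 and parse the key directly into r->buf, since any intermediate heap buffer reintroduces the extra copies this region is meant to avoid.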

Experimental Proof of Concept

Conclusion

Discovered vulnerability leading to disclosure of memory.

Proposed and tested solutions to eliminate the attack and mitigate damage already caused.

However, complete elimination will be contingent upon extra hardware.

References

1. P. Broadwell, M. Harren, and N. Sastry. Scrash: A system for generating secure crash information. In Usenix Security Symposium’03.

2. J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding data lifetime via whole system simulation. In Usenix Security Symposium’04.

3. J. Chow, B. Pfaff, T. Garfinkel, and M. Rosenblum. Shredding your garbage: Reducing data lifetime. In Proc. USENIX Security Symposium’05.

4. Harrison K. Protecting Cryptographic Keys from Memory Disclosure Attacks. 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 137-143, 2007.

QUESTIONS
