1 / 21

Protecting Cryptographic Keys from Memory Disclosure Attacks

Shouhuai Xu and Keith H arrison UTSA, Dept. Computer Science. Protecting Cryptographic Keys from Memory Disclosure Attacks. Presented by John Shu. Outline. Introduction Threat Assessment Understanding the Attack Countering Memory Disclosure Attacks Conclusion. Introduction.

bowen
Télécharger la présentation

Protecting Cryptographic Keys from Memory Disclosure Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ShouhuaiXu and Keith Harrison UTSA, Dept. Computer Science Protecting Cryptographic Keys from Memory Disclosure Attacks Presented by John Shu

  2. Outline • Introduction • Threat Assessment • Understanding the Attack • Countering Memory Disclosure Attacks • Conclusion

  3. Introduction • Cryptography as an indispensable tool in security • Premise here is the security of cryptographic keys • A brief example of how it all works

  4. Introduction • Cryptographic Keys (Symmetric) [source: http://securitycerts.org/images/symmetric-alice-bob.jpg]

  5. Introduction • Cryptographic Keys (Asymmetric) e.g. RSA • Choose two distinct prime numbers P and Q • Calculate n=PQ • Calculate ϕ(n) = (P-1)(Q-1), ϕ is Euler totient function • Choose an integer e, 1<e< ϕ(n), e co-prime to ϕ(n) • Find d = e-1 mod ϕ(n), (i.ed is the multiplicative inverse)

  6. Introduction • These cryptographic keys should be kept secret • Memory Disclosure Vulnerabilities violate this • Attacks built on this concept can access information: • Allocated Memory • Unallocated Memory These attacks can effectively expose RSA private Keys !!!

  7. Threat Assessment • Initial experiments on OpenSSH and Apache HTTP servers • Memory Disclosure Vulnerabilities in Linux Kernels prior to 2.6.12, 2.4.30 and 2.6.11. • Directories created in the file system could leak 4KB • Portions of memory may be disclosed from unsigned types in certain files.

  8. Recall RSA crypto system • System consist of d, e, P, Q, ϕ(n) and a PEM (.pem) file which contains the whole key. • Disclosure of either d, P, Q and the PEM encoded file can lead to compromise or private key. • Experiment included • 3.2 Intel Pentium 4 CPU • Gentoo Linux OS and 2.6.10 kernel • OpenSSH 4.3 server and Apache 2.0.55 Server

  9. OpenSSH server • Procedure • Plugged in USB to machine running OpenSSH • Script performed the following function • Created large number of connections to localhost • Then script immediately closed all connections • Created a large number of directories in USB where each directory revealed less than 4072 bytes of memory onto the USB device • Device was then removed and searched for copies of private key

  10. OpenSSH: # of keys found source: [4]

  11. OpenSSH: success rate of attacks source: [4]

  12. Understanding the Attacks • The need for a tool to take ‘snapshots’ of memory • A tool was developed in C code to • Obtain snapshots of memory • Do bookkeeping: “which processes have access to memory pages that contain private keys” • Deployed as a Loadable Kernel Module

  13. Output from LKM source: [4]

  14. Countering Memory Disclosure Attacks • Following Measures were proposed • Crypto key should appear in allocated memory minimal number of times • Unallocated memory should not have a copy of cryptographic key These measures were enforced at various levels of the System

  15. Application Layer • Solution: • Utilize “Copy on Write management Policy” to avoid unnecessary duplication of private key • Implementation • RSA_memory_align() function was used to ensure that only one copy of private key appears in secluded region of allocated memory

  16. Library Layer • Solution: • Eliminate unnecessary duplication of cryptographic keys in allocated memory using the same scheme as above • Implementation • Pages from the special region of memory are not copied or swapped.

  17. Kernel Layer • Solution: • Ensure that unallocated memory does not contain any private keys by zeroing physical pages after use. • Implementation • free_hot_cold_page()function was modified to ensure that pages are cleared before being added to list of free pages in unallocated memory

  18. Experimental Proof of Concept

  19. Conclusion • Discovered vulnerability leading to disclosure of memory. • Proposed and tested solutions to eliminate the attack and mitigate damaged already caused. • However, complete elimination will be contingent upon extra hardware.

  20. References • P.Broadwell,M.Harren,andN.Sastry.Scrash:Asys- tem for generating secure crash information. In Usenix Security Symposium’03. • J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding data lifetime via whole system simulation. In Usenix Security Symposium’04. •  J. Chow, B. Pfaff, T. Garfinkel, and M. Rosenblum. Shredding your garbage: Reducing data lifetime. In Proc.USENIX Security Symposium’05. • Harrison K. Protecting Cryptographic Keys from Memory Disclosure Attacks. 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 137-143, 2007.

  21. QUESTIONS

More Related