Protecting Cryptographic Keys from Memory Disclosure Attacks
Presented by John Shu
Shouhuai Xu and Keith Harrison
UTSA, Dept. Computer Science
Outline
Introduction
Threat Assessment
Understanding the Attack
Countering Memory Disclosure Attacks
Conclusion
Introduction
Cryptography as an indispensable tool in security
Premise here is the security of cryptographic keys
A brief example of how it all works
Introduction: Cryptographic Keys (Symmetric)
[source: http://securitycerts.org/images/symmetric-alice-bob.jpg]
Introduction: Cryptographic Keys (Asymmetric), e.g. RSA
1. Choose two distinct prime numbers P and Q
2. Calculate n = PQ
3. Calculate ϕ(n) = (P-1)(Q-1), where ϕ is Euler's totient function
4. Choose an integer e, 1 < e < ϕ(n), with e co-prime to ϕ(n)
5. Find d = e⁻¹ mod ϕ(n) (i.e. d is the multiplicative inverse of e modulo ϕ(n))
Introduction
These cryptographic keys should be kept secret
Memory Disclosure Vulnerabilities violate this
Attacks built on this concept can access information in:
Allocated Memory
Unallocated Memory
These attacks can effectively expose RSA private Keys !!!
Threat Assessment
Initial experiments on OpenSSH and Apache HTTP servers
Memory Disclosure Vulnerabilities in Linux Kernels prior to 2.6.12, 2.4.30 and 2.6.11.
Directories created in the file system could leak 4KB
Portions of memory may be disclosed from unsigned types in certain files.
Recall RSA crypto system
The system consists of d, e, P, Q, ϕ(n) and a PEM (.pem) file which contains the whole key.
Disclosure of any of d, P, Q or the PEM-encoded file can lead to compromise of the private key.
Experiment setup: 3.2 Intel Pentium 4 CPU; Gentoo Linux OS with 2.6.10 kernel; OpenSSH 4.3 server and Apache 2.0.55 server
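The RSA steps from the earlier slide and the disclosure claim above, worked through in C. This is an added example, not code from the talk or the paper; the function names and the toy values (P = 61, Q = 53, e = 17) are constructed for illustration, and it shows why P, Q and d all need the same protection: given the public (n, e), any one of them determines the private exponent.

```c
#include <stdint.h>

/* Extended Euclid: returns a^-1 mod m, or 0 when gcd(a, m) != 1. */
uint64_t mod_inverse(uint64_t a, uint64_t m) {
    int64_t t = 0, new_t = 1, r = (int64_t)m, new_r = (int64_t)(a % m);
    while (new_r != 0) {
        int64_t q = r / new_r, tmp;
        tmp = t - q * new_t; t = new_t; new_t = tmp;
        tmp = r - q * new_r; r = new_r; new_r = tmp;
    }
    if (r != 1) return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Steps 2 to 5 of the slide: d = e^-1 mod (P-1)(Q-1). */
uint64_t rsa_private_exponent(uint64_t p, uint64_t q, uint64_t e) {
    return mod_inverse(e, (p - 1) * (q - 1));
}

/* With public (n, e) and one disclosed prime, Q = n / P follows, and d with it. */
uint64_t d_from_disclosed_prime(uint64_t n, uint64_t e, uint64_t p) {
    if (p < 2 || p >= n || n % p != 0) return 0;   /* not a proper factor of n */
    return rsa_private_exponent(p, n / p, e);
}

/* Square-and-multiply; valid for toy moduli below 2^32 only. */
uint64_t mod_pow(uint64_t base, uint64_t exp, uint64_t n) {
    uint64_t acc = 1;
    for (base %= n; exp; exp >>= 1) {
        if (exp & 1) acc = acc * base % n;
        base = base * base % n;
    }
    return acc;
}
```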
OpenSSH server Procedure
A USB device was plugged into the machine running OpenSSH
A script performed the following functions:
1. Created a large number of connections to localhost
2. Immediately closed all connections
3. Created a large number of directories on the USB device, where each directory revealed less than 4072 bytes of memory onto the USB device
The device was then removed and searched for copies of the private key
OpenSSH: # of keys found
source: [4]
OpenSSH: success rate of attacks
source: [4]
Understanding the Attacks
The need for a tool to take ‘snapshots’ of memory
A tool was developed in C code to:
Obtain snapshots of memory
Do bookkeeping: “which processes have access to memory pages that contain private keys”
Deployed as a Loadable Kernel Module
Output from LKM
source: [4]
Countering Memory Disclosure Attacks
The following measures were proposed:
A cryptographic key should appear in allocated memory a minimal number of times
Unallocated memory should not contain a copy of the cryptographic key
These measures were enforced at various levels of the system
Application Layer
Solution: Utilize “Copy on Write management Policy” to avoid unnecessary duplication of the private key
Implementation: The RSA_memory_align() function was used to ensure that only one copy of the private key appears in a secluded region of allocated memory
Library Layer
Solution: Eliminate unnecessary duplication of cryptographic keys in allocated memory using the same scheme as above
Implementation: Pages from the special region of memory are not copied or swapped.
Kernel Layer
Solution: Ensure that unallocated memory does not contain any private keys by zeroing physical pages after use.
Implementation: The free_hot_cold_page() function was modified to ensure that pages are cleared before being added to the list of free pages in unallocated memory
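A userspace sketch of the three countermeasures above, for Linux/POSIX. This is an added example, not the paper's RSA_memory_align() or its kernel patch; key_region, key_region_load, key_region_release and count_copies are hypothetical names. It keeps one copy of the key in a dedicated read-only mapping (so copy-on-write never duplicates it), asks the kernel not to swap it, and zeroes the pages before freeing them.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes MAP_ANONYMOUS on glibc */
#endif
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Hypothetical names; not the paper's RSA_memory_align() or kernel patch. */
struct key_region { unsigned char *base; size_t len, map_len; int locked; };

/* Write through a volatile pointer so the compiler cannot elide the wipe. */
static void wipe(void *p, size_t n) {
    for (volatile unsigned char *v = p; n--; ) *v++ = 0;
}

/* Zero the pages before they go back to the kernel's free lists. */
void key_region_release(struct key_region *r) {
    if (!r->base) return;
    if (mprotect(r->base, r->map_len, PROT_READ | PROT_WRITE) == 0)
        wipe(r->base, r->map_len);
    if (r->locked) munlock(r->base, r->map_len);
    munmap(r->base, r->map_len);
    r->base = NULL; r->len = r->map_len = 0; r->locked = 0;
}

/* Move the key into its own page-aligned mapping and wipe the source buffer,
   leaving one copy. Read-only pages are never duplicated by copy-on-write. */
int key_region_load(struct key_region *r, unsigned char *src, size_t len) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (len == 0) return -1;
    r->len = len;
    r->map_len = (len + page - 1) / page * page;
    r->base = mmap(NULL, r->map_len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (r->base == MAP_FAILED) { r->base = NULL; return -1; }
    r->locked = (mlock(r->base, r->map_len) == 0);  /* 0 if RLIMIT_MEMLOCK hit */
    memcpy(r->base, src, len);
    wipe(src, len);
    if (mprotect(r->base, r->map_len, PROT_READ) != 0) { key_region_release(r); return -1; }
    return 0;
}

/* Audit helper: count copies of a known key inside a memory snapshot. */
size_t count_copies(const unsigned char *buf, size_t n,
                    const unsigned char *key, size_t klen) {
    size_t hits = 0;
    for (size_t i = 0; klen && i + klen <= n; i++)
        hits += (memcmp(buf + i, key, klen) == 0);
    return hits;
}
```

The locked field records whether mlock() succeeded, so a caller can refuse to run with a key that may reach swap.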
Experimental Proof of Concept
Conclusion
Discovered a vulnerability leading to disclosure of memory.
Proposed and tested solutions to eliminate the attack and mitigate damage already caused.
However, complete elimination will be contingent upon extra hardware.
References
1. P. Broadwell, M. Harren, and N. Sastry. Scrash: A system for generating secure crash information. In Usenix Security Symposium’03.
2. J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding data lifetime via whole system simulation. In Usenix Security Symposium’04.
3. J. Chow, B. Pfaff, T. Garfinkel, and M. Rosenblum. Shredding your garbage: Reducing data lifetime. In Proc. USENIX Security Symposium’05.
4. Harrison K. Protecting Cryptographic Keys from Memory Disclosure Attacks. 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 137-143, 2007.
QUESTIONS