Security Encryption Portables Ubuntu Linux

Protecting a Laptop From Sophisticated Attacks

Posted by Soulskill
from the living-inside-a-faraday-cage-doesn't-count dept.
mike_cardwell sends in a detailed writeup of how he went about protecting an Ubuntu laptop from attacks of varying levels of sophistication, covering disk encryption, defense against cold boot attacks, and even simple smash-and-grabs. (He also acknowledges that no defense is perfect, and the xkcd password extraction tool would still work.) Quoting: "An attacker with access to the online machine could simply hard reboot the machine from a USB stick or CD containing msramdmp to grab a copy of the RAM. You could password protect the BIOS and disable booting from anything other than the hard drive, but that still doesn't protect you. An attacker could cool the RAM, remove it from the running machine, place it in a second machine and boot from that instead. The first defense I used against this attack is procedure based. I shut down the machine when it's not in use. My old Macbook was hardly ever shut down, and lived in suspend to RAM mode when not in use. The second defense I used is far more interesting. I use something called TRESOR. TRESOR is an implementation of AES as a cipher kernel module which stores the keys in the CPU debug registers, and which handles all of the crypto operations directly on the CPU, in a way which prevents the key from ever entering RAM. The laptop I purchased works perfectly with TRESOR as it contains a Core i5 processor which has the AES-NI instruction set."
  • by Anonymous Coward on Friday August 26, 2011 @04:08PM (#37222972)

    The real enemy, which is the alien space zebra vampires that are out to suck your blood.

    Seriously, this much effort is excessive considering the value of what anybody in a normal situation should have on their laptop. If you have a genuine need for this, you should be on the level of the person carrying the Football, and as such, you would be better investing in the Secret Service equivalent.

    • Re: (Score:3, Insightful)

      by CadentOrange (2429626)
      I agree that it's just too much hassle to go through to secure a standard laptop. It's still an interesting experiment and it neatly lays out the attack vectors and potential counters.
      • by EdIII (1114411)

        It is a neat experiment.

        Unfortunately, some people need to have a laptop and move around in the field. I am not talking about executives either. So this is hardly worthless.

        Regardless of what he said, I am reminded about the security principle of "Once the equipment is out of your possession, there is no security".

        To make sure we have always been secure, we don't store sensitive data on the laptops themselves, but remote in and do work on different machines. Windows Server 2008 remote desktop sessions ar

    • by idontgno (624372)

      Yes.

      TFA's a fine intellectual exercise, but as explicitly pointed out, the willingness to commit kidnapping and inflict torture rather pathetically trumps all of that.

      Interesting. Not completely practical, but interesting.

      • by Tetsujin (103070)

        Yes.

        TFA's a fine intellectual exercise, but as explicitly pointed out, the willingness to commit kidnapping and inflict torture rather pathetically trumps all of that.

        Interesting. Not completely practical, but interesting.

        Well, it depends on how you define practical - and what kind of situation you're in.

        I mean, if it were my laptop? Sure, probably not worth this kind of security. Someone could get credit card numbers, site passwords perhaps, and possibly enough personal information to do some identity theft scheme... Damaging stuff, potentially, but probably not worth their while to extract the data, or worth my while to protect it.
        But let's say it contained some sensitive, valuable information from my job - so that steal

        • by wwphx (225607)
          One thing that I really like about his technique is the practical application of the honeypot. It would be great for crossing the border back into the U.S.

          Customs Agent: Please open and log on to your laptop.
          Honeypot Owner: Yessir! (logs on to functional Win 7 partition while his private stuff is nicely hidden away)

          The problem for me is that an 8 gig partition is not viable.
    • this much effort is excessive

      Oh let the guy fantasize that he's Johnny Mnemonic or whatever. It's preferable to playing with guns and pretending he's The Terminator

      • by Qzukk (229616)

        It's preferable to playing with guns and pretending he's The Terminator

        As long as he only blows out their kneecaps, they'll live.

    • by Jonner (189691)

      The real enemy, which is the alien space zebra vampires that are out to suck your blood.

      Seriously, this much effort is excessive considering the value of what anybody in a normal situation should have on their laptop. If you have a genuine need for this, you should be on the level of the person carrying the Football, and as such, you would be better investing in the Secret Service equivalent.

      I think the education of the author and indirectly those who read the post goes far beyond the value of protecting that particular laptop. I don't have the patience to spend as much time as he did researching and experimenting, but now I can benefit from his work by implementing some of the same protections. The logical extension of this project would be to produce an install disk making it possible for anyone to have the same level of security on her laptop with only slightly more effort than a standard Ubu

  • wow (Score:2, Funny)

    by Anonymous Coward

    you must value your pron a whole lot more than i do.

  • by Anonymous Coward

    An attacker could cool the RAM, remove it from the running machine, place it in a second machine and boot from that instead.

    Is this the whole "freeze electrons in place" nonsense? I'd love to see a real world example of this actually working.

    Sounds like the whole "well if you don't wipe your drive with zeros a hundred times a guy with a tunneling electron microscope could count the off spin of the variant quarks.. blah blah" i.e., theoretically possible with infinite funding, but not feasible in real life

    • by Baloroth (2370816)

      I was surprised to read that too, but apparently freezing RAM in liquid nitrogen can retain the data stored in it for up to a week. All RAM modules have some data remanence, apparently [wikipedia.org], and data can last for a few seconds or even minutes in RAM after power loss at room temperature (which is why the hard reset attack works at all) and longer if the modules are cooled (even without liquid nitrogen). I imagine a can of compressed air held upside down would do the trick in a pinch. I was surprised too, but it

    • Nonsense. In movies, data recovery is usually understated while things like breaking encryption are overstated. Oh my god he's using Adk1221 Encryption, that's CIA grade encryption, but I'm a super genius *tap tap tap* 5 seconds later, Got it!. While data recovery is seemingly impossible, a room of people looking at images on a server, OMG he hacked and deleted the images *images instantly disappear from the open file on the screen.
  • You and your fancy registers, I use a specially trained hamster to push buttons depending on the bits it sees on an LED board. And the hamster only taps the buttons in the correct way if fed the correct combination of grains!

    Although I am having my suspicions that the little bugger is selling information to the north korean hamsters...
  • There's caring about the safety and security of your data, then there's being obsessed about the safety and security of your data, and way over the horizon is this guy.

    • Re:Paranoid Much? (Score:5, Insightful)

      by Sancho (17056) * on Friday August 26, 2011 @04:53PM (#37223382) Homepage

      Think of it like a hobby. It may not be really practical, but it's interesting to some people.

    • by TheCarp (96830)

      There is also just being interested and wondering if you can do it. There is also the possibility of doing it because someone large like a major national government's thugs (china, US, etc) want your data, or the data of the people you are developing the procedures to help.

      Of course, if that's the case, then.... this is perhaps not over the horizon at all, they are, in fact, inadequate protections.

      Course, nothing will protect you from the "$5 wrench" scenario (not that any government would ever pay that litt

    • by jovius (974690)

      Unless he's talking about color codes and security clearances I don't think he's being overly paranoid. Although tampering with a computer is highly suspicious.

  • by BitZtream (692029) on Friday August 26, 2011 @04:53PM (#37223380)

    TRESOR is an implementation of AES as a cipher kernel module which stores the keys in the CPU debug registers, and which handles all of the crypto operations directly on the CPU, in a way which prevents the key from ever entering RAM.

    Awesome, it stores the keys in the CPU debug registers when in use. The data to recreate them still has to flow into the CPU from RAM, so all you're taking out is the path between RAM and the CPU for an intermediate step. So all you get is a speed boost, no security gain since the attacker already knows the algorithm you're using and all the data you provided to the CPU. The speed boost is nice if it's being used all over the place (like for an encrypted FS) but otherwise it's not that big of a deal and it's certainly not new.

    As for the rest, cryptfs or bitlocker with your screensaver/lock setup to throw out your keys when the screen blanks/suspends/whatever.

    So basically Win7 with BitLocker enabled or whatever alternative setup results in the same thing on Linux. It's not even a little hard, and you've already got well past the point where they'll just beat the password out of you.

    If you did it to learn, good for you. If you did it for some sort of practical value, then this really is one place where epic fail applies.

    • by Sancho (17056) *

      I believe the idea is to load the keys into the debug registers, and then erase the keys from memory. Then cold-boot attacks won't work.

      Yes, the keys do go into RAM, but you significantly reduce the amount of time that they are there. Normally, keys are in RAM as long as there is a mounted cryptfs.

      • The massive, gigantic problem with all of this is that "weakest link" applies here. They're not going to wait for you to turn off your computer and walk away so they can do a RAM dump, they're simply going to modify your BIOS or bootloader or insert a keylogger in between the keyboard and motherboard, and find out your passphrase.

        So at the end of the day TRESOR and all the rest is wonderful, but it doesn't prevent the hardware from being tampered with except in the most theoretical and irrelevant manner.

        • by swillden (191260)

          they're simply going to modify your BIOS or bootloader or insert a keylogger in between the keyboard and motherboard, and find out your passphrase.

          That's a significantly different threat model. It presumes that the attacker can gain access to your hardware, modify it, then return it to you without you noticing it was gone or that it was modified, and then take your machine again.

          Not that this is impossible, but it raises the stakes and the difficulty significantly.

          • If you're worried about encrypting the contents of RAM, you're trying to protect against an attack which needs far more physical access than booting off of a CD and loading a malicious MBR onto the drive.

            • by swillden (191260)

              If you're worried about encrypting the contents of RAM, you're trying to protect against an attack which needs far more physical access than booting off of a CD and loading a malicious MBR onto the drive.

              Right, you have to take the laptop. So? In many contexts this is significantly easier than getting control of it twice, with the owner none the wiser in between.

    • The security gain comes from the fact that it is feasible to perform a side-channel attack on RAM but infeasible to perform a side-channel attack on CPU registers. The data to recreate the keys is scrubbed from RAM; the keys never leave RAM. I have done work on a similar project to TRESOR, called Loop-Amnesia [livejournal.com], which uses MSRs instead of the debug registers to perform the same task and does not require AES-NI support.

      ---linuxrocks123

    • Since I recently set up BitLocker on a Windows 7 laptop (requires Ultimate or Enterprise which are not cheap) - if you have a TPM chip it's convenient to use in the default setup with keys held in the TPM, but if the laptop is stolen it doesn't stop anyone booting it and trying passwords, though it does stop them booting from CD/USB drive to read the disk, or putting the disk in another PC.

      TrueCrypt and commercial Windows tools such as PointSec which require a separate disk decryption password every time yo

    • by Jonner (189691)

      TRESOR is an implementation of AES as a cipher kernel module which stores the keys in the CPU debug registers, and which handles all of the crypto operations directly on the CPU, in a way which prevents the key from ever entering RAM.

      Awesome, it stores the keys in the CPU debug registers when in use. The data to recreate them still has to flow into the CPU from RAM, so all you're taking out is the path between RAM and the CPU for an intermediate step. So all you get is a speed boost, no security gain since the attacker already knows the algorithm you're using and all the data you provided to the CPU. The speed boost is nice if it's being used all over the place (like for an encrypted FS) but otherwise it's not that big of a deal and it's certainly not new.

      As for the rest, cryptfs or bitlocker with your screensaver/lock setup to throw out your keys when the screen blanks/suspends/whatever.

      So basically Win7 with BitLocker enabled or whatever alternative setup results in the same thing on Linux. It's not even a little hard, and you've already got well past the point where they'll just beat the password out of you.

      If you did it to learn, good for you. If you did it for some sort of practical value, then this really is one place where epic fail applies.

      You clearly didn't read much of TFA and only demonstrate your own ignorance. The speed benefit for AES encryption comes from the AES-NI instructions in recent Intel CPUs regardless of where the key is stored. There is not a speed benefit from using TRESOR (which does use AES-NI when available), but it does make cold boot attacks on systems with encrypted disks much more difficult. This is because the key used to decrypt the disk contents only needs to exist in RAM long enough to copy it to CPU registers. Af
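The story summary's cold-boot scenario, Baloroth's comment above on RAM remanence, and Jonner's point that the disk key only needs to sit in RAM long enough to be copied into CPU registers all rest on one fact: an AES key schedule is easy to locate in a memory image, even after some bits have decayed. The Python script below is an added example and is not code from the article, from mike_cardwell, or from any commenter. It implements the key-schedule search that cold-boot tooling such as aeskeyfind (from Halderman et al.'s cold-boot work) performs, run against a constructed 8 KiB "memory image" of seeded random bytes with one planted AES-128 schedule. The decay model (clearing set bits toward the ground state, only within the expanded part of the schedule), the planted offset and the FIPS-197 test key are assumptions made for this demo; the published tools go further and use the schedule's redundancy to repair errors in the 16 key bytes themselves.

```python
"""Find AES-128 key schedules in a RAM image, tolerating decayed bits (constructed demo)."""
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 test key
SAMPLE_OFFSET = 3000  # assumed position of the planted schedule in the sample image

def _xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def _gf_mul(a, b):
    """GF(2^8) multiplication by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():
    """AES S-box: multiplicative inverse, then the FIPS-197 affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = rot = inv
        for _ in range(4):
            rot = ((rot << 1) | (rot >> 7)) & 0xFF
            s ^= rot
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()

def _expand_rounds(key_words):
    """Yield (index, word) for words 4..43 of the AES-128 key schedule."""
    words = [list(w) for w in key_words]
    for i in range(4, 44):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= RCON[i // 4 - 1]
        words.append([a ^ b for a, b in zip(words[i - 4], t)])
        yield i, words[-1]

def expand_key(key):
    """Full 176-byte AES-128 key schedule (FIPS-197 key expansion)."""
    assert len(key) == 16
    key_words = [key[j:j + 4] for j in range(0, 16, 4)]
    return bytes(key) + bytes(b for _, w in _expand_rounds(key_words) for b in w)

def _schedule_errors(image, off, max_bit_errors):
    """Expand the 16 bytes at off and count bit differences against the 160
    bytes that follow. Return None as soon as the error budget is exceeded."""
    key_words = [image[off + j:off + j + 4] for j in range(0, 16, 4)]
    errors = 0
    for i, w in _expand_rounds(key_words):
        pos = off + 4 * i
        errors += sum(bin(x ^ y).count("1") for x, y in zip(w, image[pos:pos + 4]))
        if errors > max_bit_errors:
            return None
    return errors

def find_aes128_keys(image, max_bit_errors=0):
    """Return [(offset, key, bit_errors)] for each 176-byte window that is an
    AES-128 schedule with at most max_bit_errors decayed bits in its expanded
    part. Decay inside the 16 key bytes themselves is not repaired here."""
    hits = []
    for off in range(len(image) - 176 + 1):
        errors = _schedule_errors(image, off, max_bit_errors)
        if errors is not None:
            hits.append((off, bytes(image[off:off + 16]), errors))
    return hits

def build_sample_image(size=8192, seed=1):
    """Constructed RAM image: seeded noise with one schedule planted at SAMPLE_OFFSET."""
    rng = random.Random(seed)
    image = bytearray(rng.randrange(256) for _ in range(size))
    image[SAMPLE_OFFSET:SAMPLE_OFFSET + 176] = expand_key(SAMPLE_KEY)
    return bytes(image)

def simulate_decay(image, start, length, n_bits, seed=2):
    """Model DRAM remanence decay: clear n_bits distinct set bits (decay toward
    the ground state) at random positions inside image[start:start + length]."""
    rng, buf, cleared = random.Random(seed), bytearray(image), 0
    while cleared < n_bits:
        pos, mask = start + rng.randrange(length), 1 << rng.randrange(8)
        if buf[pos] & mask:
            buf[pos] ^= mask
            cleared += 1
    return bytes(buf)

def demo():
    """Exact search on the clean image, then strict vs tolerant on a decayed copy."""
    image = build_sample_image()
    decayed = simulate_decay(image, SAMPLE_OFFSET + 16, 160, n_bits=12)
    return (find_aes128_keys(image),
            find_aes128_keys(decayed, 0),
            find_aes128_keys(decayed, 12))

if __name__ == "__main__":
    for label, hits in zip(("clean", "decayed/strict", "decayed/tolerant"), demo()):
        print(label, [(off, k.hex(), e) for off, k, e in hits])
```

Run stand-alone, the clean image yields the key at offset 3000 with zero errors; after 12 bits of simulated decay the exact search finds nothing while a 12-bit tolerance recovers it. That is why "the key is only in RAM briefly" matters: any dump taken while the volume is mounted contains a structure this easy to locate, and TRESOR's point is to leave nothing for this scan to find.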

  • An attacker could cool the RAM, remove it from the running machine, place it in a second machine and boot from that instead
     
    Half of my netbook's memory isn't removable and if the author is actually worried about this kind of thing he can get a similar model and bite the bullet on performance by operating it with only the internal ram. I doubt the residual charge would last through unsoldering the chips and attaching them to a board to be put in another machine.

    • by sp0tter (1456139)
      or one could superglue the DIMMs in place
    • You could still connect an FPGA to the RAM (tricky soldering, but doable). Then, cool the RAM, shutdown the machine and use the FPGA to read out the RAM contents.
  • What does he have on his laptop that's so gd important that he has to go through this much hassle to secure it....kiddie porn?
    • by MacTO (1161105)

      Worse. Photos of kittens playing with balls of yarn! Something that he can't let his colleagues see lest he be shamed for the rest of his life.

    • What does he have on his laptop that's so gd important that he has to go through this much hassle to secure it....kiddie porn?

      Security does not imply criminality. Go fuck up some other thread, you asswipe troll.

      • Normally I'd agree with you, but he's going to painstaking efforts to secure whatever it is he's lugging around on there. At first I thought he was just doing this for the fun of it, until I read this comment from him:

        If it leaves my side, I will consider it tainted, and do a reinstall. I really am willing to be that anal ;)

        Sure does seem like a lot of hassle to go through for not hiding something.
    • He has very important secrets.. Things so important, that he trusts a single USB drive to continue to work so that he can access it (since that is where he stores his FDE key. Oh, and a smartcard for his PGP) So two things to lose (or someone that wants to prevent him from publishing or whatever, just has to destroy..

  • If your laptop is valuable enough that someone would go through the effort of chilling the RAM and booting the machine, you should probably not be laying your laptop out on the table at Starbucks. In fact, if your laptop is that valuable, you've done something incredibly stupid in your systems design.

    Encrypt the data (either individual files, your homedir, or the whole drive), and don't use a really stupid password. If that's not good enough for your data, then your data belongs on a system which is not p

    • Err, booting it in a different machine. Though I suppose one can imagine a criminal saying "Aww man, it's turned off. Well, off to find an easier target!". :)

  • "Man, i can't boot anymore, that sucks!"

    "How come?"

    "A fish ate my USB disk"

  • Okay, I learned about TRESOR, that's cool. Also, running firefox as a different user is an old trick I've been using for a long time.

    However, I live by a basic rule that's served me well. Laptops are fundamentally weak places to keep data.
  • Don't get yourself in the situation where you have to defend yourself from people that want your info that badly. Disk encryption is fine, sure it drains battery. But I'd say 99% of people that get your laptop from there will give up. If you have to worry about the other 1% your life is pretty whacked. Or you are in the military and they have standards you should be following.
  • USB and Firewire Ports, meet Mister Hot Glue Gun. Mister Hot, the heat is on, do your thing, get some holes lubed up, do the old in-out, fill 'em up good with the creamy goodness.
