Marko Schuba

Paper Title

Cold Boot Attack on DDR2 and DDR3 RAM

Abstract

Cold boot attacks enable access to the volatile memory of computers which are in a running state or have just been disconnected from power. The attack makes use of the remanence effect of DRAM: data in memory is not immediately erased after loss of power – it is slowly disappearing. Even after a minute without refresh, data can be found in DRAM. The approach can for instance be used to recover hard disk encryption keys of a locked computer. In the paper cold boot attacks on DDR2 and DDR3 RAM and their results are presented. While attacks on DDR2 have been demonstrated in the past, attacks on DDR3 have been less successful. The authors explain, how they attacked DDR3 RAM of various types and manufacturers. While many PC mainboards overwrite DDR3 before they are powered off, this is not the case for the board of the ASUS Notebook P53E which was used in our experiments. As a result, memory content could be extracted with a measured bit error rate between 0.0007% and 0.07%. For one DDR3 type an attack without cooling was possible, even though the error rate in that case was high (around 80%). Additional analyses of the experimental results revealed, that error rates strongly depend on the address space of DRAM. For example, one DRAM type had clear 64 kB memory block boundaries: while some blocks had bit error rates of 6% or 3%, others had 0% error rate. Other DRAM types also showed different error rates for different areas. The effect is most likely related to the initial state of the respective DRAM type.

Speaker Bio

We are a research team at Aachen University of Technology. Marko Schuba is a full professor of computer science with special focus on security.