undefined | Better HN

0 pointsc0nsumer12y ago0 comments

What's even niftier is, say with Windows and BitLocker, the BitLocker key can be recovered from a memory dump pulled this way. Couple this with live patching of RAM to bypass the lock screen and you're just kinda sunk.

And yes, me, a not particularly security-oriented guy, did this fairly quickly as a demonstration for coworkers. It required only marginally more than script kiddie levels of knowledge.

0 comments

2 comments · 1 top-level

lstamour12y ago· 1 in thread

On Mac you can get the encryption key from RAM too, though if you turn on some settings, you can force the Mac to attempt a shutdown when it sleeps, clearing the encryption key until you enter your password later. There's still a DMA leak at startup also, but securing the EFI firmware helps keep things locked down. There was an article on HN recently with step by step instructions on scanning memory for things that look like AES keys when using TrueCrypt.

I suspect without a Yubikey or Microsoft TPM, effectively storing the key outside of RAM, there's not much that can be done to fight this. And of course, physical access means you've got the TPM or Yubikey in front of you. And unencrypted data in RAM. So.... Yeah.

giovannibajo112y ago

Actually, there are solutions to store the keys in CPU privileged registers (eg: hw debug registers), and when combined with AES-NI don't even cause much overhead: http://en.m.wikipedia.org/wiki/TRESOR

Not sure why these techniques aren't mainstream yet.

j / k navigate · click thread line to collapse