TRESOR (a recursive acronym for "TRESOR Runs Encryption Securely Outside RAM", and also the German word for a safe) is a Linux kernel patch which provides encryption using only the CPU, to defend against cold boot attacks on computer systems by performing encryption inside CPU registers rather than random-access memory (RAM). It is one of two proposed solutions for general-purpose computers. The other, called "frozen cache", uses the CPU cache instead. It was developed from its predecessor AESSE, presented at EuroSec 2010, and was itself presented at USENIX Security 2011.
The authors state that it allows RAM to be treated as untrusted from a security viewpoint without hindering the system.
Motivation
In computer security, a common problem for data security is how an intruder can access encrypted data on a computer. Modern encryption algorithms, correctly implemented and used with strong passwords, are often unbreakable with current technology, so attackers' emphasis has moved to techniques that bypass the cryptography itself, exploiting aspects of how keys and data are handled so that the encryption can be "broken" with much less effort, or bypassed completely.
A cold boot attack is one such means by which an intruder can defeat encryption despite system security, if they can gain physical access to the running machine. It is premised on the physical properties of the circuitry within the memory devices that are commonly used in computers. The concept is that when a computer system has encrypted data open, the encryption keys used to read or write that data are usually stored on a temporary basis in physical memory, in a plain readable form. (Holding these keys in "plain" form during use is hard or impossible to avoid with usual systems, since the system itself must be able to access the data when instructed by the authorized user.) Usually this is of no benefit to an unauthorised intruder, because they cannot access or use those keys—for example, due to security built into the software or system. However, if the memory devices can be accessed outside the running system without loss of contents, for example by quickly restarting the computer or moving the memory modules to a different machine, then the current contents—including any encryption keys in use—can be plainly read and used. This matters when the system itself cannot be used to view, copy or access that data—for example, because the system is locked, may have booby traps or other intrusion controls, or is needed in a guaranteed untouched form for forensic or evidentiary purposes.
Since the attack relies on a physical property of the memory hardware itself, it cannot easily be defeated by pure software techniques: everything held in memory at the point of intervention, including the running software, becomes accessible. As a result, any encryption software whose keys could be accessed this way is vulnerable to such attacks. Usually a cold boot attack involves cooling the memory chips or quickly restarting the computer, exploiting the fact that data is not immediately lost (or not lost at all if power is restored very quickly), so that the data held at the point of intervention remains accessible to examination.
Cold boot attacks can therefore be a means of unauthorized data theft, loss or access. Such attacks can be nullified if the encryption keys are not accessible at a hardware level to an intruder, i.e. if the devices in which the keys are stored while in use are not amenable to cold boot attacks, but this is not the usual case.
TRESOR's approach
TRESOR is a software approach that seeks to resolve this insecurity by storing and manipulating encryption keys almost exclusively on the CPU alone, and in registers accessible at ring 0 (the highest privilege level) only—the exception being the brief period of initial calculation at the start of a session. This ensures that encryption keys are almost never available to userspace code or following a cold boot attack. TRESOR is written as a patch to the kernel that stores encryption keys in the x86 debug registers, and uses on-the-fly round key generation, atomicity, and blocking of usual access to the debug registers for security.
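The on-the-fly round key generation mentioned above, as an added model that is not code from the TRESOR patch: a generic AES implementation expands the master key once and keeps the whole 176-byte schedule in RAM, which is exactly what a cold boot attack can read, whereas TRESOR keeps only the master key (in the debug registers) and re-derives the round keys each time they are needed. The schedule computation below follows FIPS-197; the debug registers and the in-register wipe are modelled with a stack buffer cleared through a volatile pointer, which is an assumption of this example rather than the patch's mechanism.

```c
#include <stdint.h>
#include <string.h>
/* Added model, not TRESOR's code: the AES-128 key schedule (FIPS-197 sec. 5.2) that a
 * generic implementation keeps resident in RAM and TRESOR regenerates from the master key. */
static uint8_t sbox[256];
static uint8_t gf_mul(uint8_t a, uint8_t b) {  /* GF(2^8) product, polynomial 0x11b */
    uint8_t p = 0;
    for (int i = 0; i < 8; i++, b >>= 1) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));  /* xtime */
    }
    return p;
}
static void build_sbox(void) {                 /* inverse in GF(2^8), then affine map */
    for (int x = 0; x < 256; x++) {
        uint8_t inv = 0, s;
        for (int y = 1; x && y < 256; y++)
            if (gf_mul((uint8_t)x, (uint8_t)y) == 1) { inv = (uint8_t)y; break; }
        s = inv;
        for (int k = 1; k <= 4; k++) s ^= (uint8_t)((inv << k) | (inv >> (8 - k)));
        sbox[x] = s ^ 0x63;
    }
}
/* Expand a 16-byte master key into the 11 round keys (44 words, 176 bytes) of AES-128. */
void aes128_expand(const uint8_t key[16], uint8_t rk[176]) {
    if (!sbox[1]) build_sbox();                /* sbox[1] is 0x7c once built */
    memcpy(rk, key, 16);
    uint8_t rcon = 1;
    for (int i = 4; i < 44; i++) {
        uint8_t t[4];
        memcpy(t, rk + 4 * (i - 1), 4);
        if (i % 4 == 0) {                      /* RotWord, SubWord, Rcon */
            uint8_t tmp = t[0]; t[0] = t[1]; t[1] = t[2]; t[2] = t[3]; t[3] = tmp;
            for (int j = 0; j < 4; j++) t[j] = sbox[t[j]];
            t[0] ^= rcon;
            rcon = gf_mul(rcon, 2);
        }
        for (int j = 0; j < 4; j++) rk[4 * i + j] = rk[4 * (i - 4) + j] ^ t[j];
    }
}
/* TRESOR-style use: derive round key r at the point of use and leave no schedule behind.
 * Assumed stand-in for in-register handling: the stack buffer is wiped via a volatile pointer. */
void aes128_round_key_on_the_fly(const uint8_t master[16], int r, uint8_t out[16]) {
    uint8_t rk[176];
    aes128_expand(master, rk);
    memcpy(out, rk + 16 * r, 16);
    volatile uint8_t *p = rk;
    for (size_t i = 0; i < sizeof rk; i++) p[i] = 0;
}
```

With the FIPS-197 Appendix A.1 key, round key 10 comes out as d014f9a8 c9ee2589 e13f0cc8 b6630ca6 both from the resident schedule and from the on-the-fly derivation, which is the equivalence TRESOR relies on when it discards the expanded keys.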
TRESOR was foreshadowed by a 2010 thesis by Tilo Müller which analyzed the cold boot attack issue. He concluded that modern x86 processors had two register areas where CPU-based kernel encryption was realistic: the SSE registers, which could in effect be made privileged by disabling all SSE instructions (and necessarily, any programs relying on them), and the debug registers, which were much smaller but had no such issues. He left the latter for others to examine, and developed a proof-of-concept distribution called ''Paranoix'' based on the SSE register method.
Its developers state that "running TRESOR on a 64-bit CPU that supports AES-NI, there is no performance penalty compared to a generic implementation of AES", and that it runs slightly faster than standard encryption despite the need for key recalculation, a result which initially surprised the authors as well.
Potential vulnerabilities
The authors' paper notes the following:
* Although they cannot rule out CPU data leaking into RAM, they were unable to observe any case in which this happened during formal testing. Any such case is expected to be patchable.
* Root access to the encryption keys via the kernel of a running system is possible using loadable kernel modules or virtual memory () and physical memory (), if the kernel is compiled to support these, but otherwise the keys appear not to be accessible in any known way on a standard running system.
* ACPI sleep and low-power states: on real processors, registers are reset to zero during the ACPI S3 (suspend-to-RAM) and S4 (suspend-to-disk) states, since the CPU is switched off for these.
* Cold boot attacks on the CPU: on real processors, registers are cleared to zero on both hardware resets and software resets ("Ctrl-Alt-Delete"). However, CPU registers are currently vulnerable on virtual machines, since they are reset during simulated hardware resets but not during software resets. The authors deem this an apparent flaw in many implementations of virtual machines, but note that virtual systems would be inherently vulnerable even if this were rectified, since all registers on a virtual machine are likely to be accessible from the host system.
* TRESOR is resistant to timing attacks and cache-based attacks by design of the AES-NI instructions, where the CPU supports AES instruction set extensions. [The authors cite] Intel: Shay Gueron, Intel Advanced Encryption Standard (AES) Instruction Set White Paper, Rev. 3.0: ''"Beyond improving performance, the AES instructions provide important security benefits. By running in data-independent time and not using tables, they help in eliminating the major timing and cache-based attacks that threaten table-based software implementations of AES."'' Processors capable of handling AES extensions as of 2011 are Intel Westmere and Sandy Bridge (some i3 excepted) and successors, AMD Bulldozer, and certain VIA PadLock processors.
* In 2012 a paper called TRESOR-HUNT showed how a DMA attack could break this system, by injecting code that would invisibly function at ring 0 (the highest privilege level), bypassing the "lockout" imposed by TRESOR, which would allow it to read the keys from the debug registers and transfer them to usual memory. The paper also proposed ways to mitigate such attacks.
See also
* Disk encryption
* Secure by design
External links
TRESOR home page