In a recent publication, the Princeton University described an attack, labeled as a ‘Cold Boot Attack’ against DRAM system memory. The attack completely transforms the traditional concepts of DRAM’s volatility and shows that the content of a supposedly ‘Volatile’ RAM can be accessed even when the power has been turned off.

Cold Boot attacks present an imminent threat to cryptographic key material that may be retained in the system memory and might later be used for both forensic and malicious applications.

Booting

Booting is the process of starting your computer and loading your Operating System. The term “boot” comes from “boot strapping”, a manual process, and long and involved with older computers. As an electronic device, computers are helpless without some sort of program running. The boot process that we see on modern PCs and MACs is carried out in combination with firmware called the “BIOS” and the master boot record for an operating system stored on a disk drive that the system looks for by wrote every time it is powered up. It does things like enumerate the peripherals, set up interrupt vector handlers and enable or disable the A20 line in some systems.

DRAM

DRAM stands for Dynamic Random Access Memory. DRAM employs a series of capacitors to store information by representing a single bit as a charge. Computers refresh their power every few milliseconds to retain the information. If power is Off from DRAM, the charge in the capacitor leak to ground state making the data unrecoverable. The ground state is either zero (0) or one (1).

Formal Definition

A cold boot attack (platform reset attack) is a type of side channel attack in which an attacker accesses a computer from a running operating system. After using cold reboot, he restarts the machine from an Off state and retrieves encryption keys.

An attacker makes the access time to 35 seconds or less. In some cases, this time is as low as 2.5 seconds. During this he must steal the computer, open it, access the DRAM and cool it. In this process, the owner of the PC remains unaware of the attack; however he should prevent the system by restricting physical access.

DRAM Attack (Cold Boot Attack)

It involves the use of cooling agents that slow the failure speed of DRAM so that the data could be reassembled. This data usually contains encryption keys such as the keys used for FDE products. The speed of attack is not related to data security as attacker has an uncontrollable access to the hacked machine. Instead, it is related to the time period between off state and failure of DRAM.

If the machine is stolen while powered on, it is useless to break the encryption when the data can be easily accessed. In case machine is in Standby mode, it is more likely to get attacked. During this time, sensitive data may remain in unencrypted form in memory. The time period for attackers can be as low as 2.5 seconds before complete memory loss or can be 35 seconds.  The attacker gradually drops the temperature of DRAM during this time period allowing him to access the contents of memory. Latest memory technologies have shorter time to total decay than older memory technologies.

Password strings retrieved from dump file

Users Web browsing history present in memory dump

Launching an Attack

Step 1: Powering Off the Machine

The simplest attack is to reboot the machine and configure the BIOS to boot a memory imaging tool. A cold boot will result in little or no decay depending on the memory’s retention time. Restarting the system in this way denies the operating system and applications any chance to scrub memory before shutting down.

Step 2: Fetching the Contents of the RAM

Place the RAM in other machine and start the system, or keep the RAM in the same machine, attach a bootable USB flash drive in the USB PORT, and reboot the system. Boot priority of the system must be set to ‘External USB Drive’ and not to ‘Internal hard Drive’. Otherwise the system will reboot again into its native Operating System. The memory-imaging tool or scrapper present on USB Drive starts executing. It fetches the memory dump present on the RAM into the USB Drive.

Step 3: Making the Memory Dump Readable

After taking the memory dump of the RAM in a USB drive. It can now be analyzed. Data can be read straight out of the dump either by dumping it to a flat-file using ‘dd’ or by examining it in-place.

Use of Memory Acquisition Hardware & Software

A cold boot attack against a suspect computer system should only be carried out in the event that no other methods of acquiring the system’s memory are possible.  Although cold boot attack is the best method possible for acquiring a suspect system’s memory, there are several issues left to be considered.  These issues are related to the use and exploitation of memory acquisition-specific hardware and software.

Defenses for Software-Based Full Disk Encryption

There are many possible solutions for this attack but most of them failed. However, some are considerable enough to discuss here.

1)      Change the location of keys during runtime. DRAM is totally frozen at the attack time. A key search algorithm represents the location of the key and their periodic movement. Encryption can be made difficult, but theoretically it is not valid.

2)      Multiple keys should be used for different parts of disk. It prevents all contents of disk during a single attack. Multiple keys need more authentications to prevent in the same attack instance. Although it is a suitable preventive measure, but it is not sure that most sensitive data would not be present on the exposed part. Additional layer of encryption should be used for top secret data.

3)      Fragment keys into discontinuous pieces. It will increase the difficulty of encryption. This may delay an attack, but it wouldn’t prevent one. Moreover, this will delay the decryption time too. Among all problems, performance degradation is termed as number one complaint. This means that application of this technique is not useful.

4)      Multiple Keys used in sequence for decryption. An additional layer of difficulty would delay an attack but all the keys would be accessible to attacker. Search algorithms do not depend on decrypted plain text to check integrity of key which allows the attacker to have a number of keys to correctly decrypt data. It might slow the process but that doesn’t mean that it is being prevented from attack. Largest available key lengths should be applied.

5)      Longer encryption keys should be used. As time period passes, DRAM loses more of its data making the searchable key space larger and so attacker would build the correct key with more difficulty. Longer decryption key makes larger searchable key space. This way degradation of key will take same time period and will make a shorter key still recoverable.

6)      Trusted Platform Module (TPM) combined with Full Disk Encryption (FDE) is used for additional protection in alternative attack scenarios. Usually it does nothing as TPM doesn’t perform the drive decryption. Key must be copied in memory for decryption.

7)      Clear Memory at boot time before loading any operating system. It will prevent an attacker to use stolen machine. However, an attacker might move the DRAM to another machine.

8)      All accessible ports should be blocked. Though its influence is same as of clearing memory at boot time but it is recommended by many software vendors.

Eliminate DRAM Attacks with Hardware-Based Full Disk Encryption

Hardware based full disk encryption is nowadays embedded in hard drives to eliminate DRAM attacks. This technology has more influence than software based encryption. The data encryption keys never enter into computer memory and are not easily accessed for this kind of attack.

1)      Location of the data encryption keys.

In hardware based encryption, the encryption keys are located in self contained computing environment and never enter into DRAM. This ways DRAM itself do not get attacked. A separate key, Key Encryption Key (KEK), is used to access and decrypt the Data Encryption Key (DEK). This key is encrypted using a hash value of username/ password or certificate depending upon the authentication.

The KEK is only decrypted. It is used to unlock disk drive and is not available in DRAM.

An attacker should have the capability to shut down power to drive immediately after the drive is unlocked and KEK is wiped off from memory. All this process has to be done in milliseconds after software authentication with the computer owner being present and willing.

2)      Physical Challenges

The attack could be modified to hit directly on the chipset or HDD against the Data Encryption Key. It increases physical complexity, because more time will be required to access the chipset or hard disk drive.

If chipset based full disk encryption is removed and chips ingresses in liquid nitrogen, it would become a challenge for an attacker to either detach the chipset or keeping liquid nitrogen that could be enough to submerge the whole motherboard or computer/ laptop. However, both of the above options are difficult to manage. It is impractical to detach full disk encrypted hard drive in a short period of time. Whereas, if the entire motherboard or hard drive is submerged in liquid nitrogen data might get harm such that it won’t get repair.

Frozen Cache

It is another way to counter the cold boot attack. Store the keys in the computer cache, instead of RAM. In contrast to the RAM which is a separate device connected to the computers motherboard, the Cache resides on the CPU die, and cannot easily be extracted or read-out. However, caches are difficult to control and one needs to make sure that keys are really frozen in the cache and are never written to the RAM.

Conclusion

DRAMs hold their values for long intervals without power or refresh. It enables a variety of security attacks that can be used to access sensitive information such as cryptographic keys from memory.

There is no easy solution to overcome these attacks. Software changes have benefits and drawbacks too; hardware changes are possible but require time and expense. Latest trusted computing technologies can’t protect keys present in memory. Laptops have more probability of these attacks. Disk encryption on laptops does not give perfect protection.

Therefore, it is necessary to treat DRAM as insecure so that sensitive data from SSL, FDE, and other sensitive applications needs to processed with greater consideration. In the end, without significant architecture changes in the current computers, we are all fairly vulnerable.

There are a plethora of fuzzers available nowadays that target everyday network protocols and file formats. These fuzzers thoroughly iterate through their targeted protocols and files, and act as a valuable resource for stress testing as well.

There are two genres of fuzzers; specialized and generic (aka ‘dumb’) fuzzers. Specialized fuzzers are designed for specific targets. E.g. for a range of email servers like Microsoft Exchange, Sendmail, qmail etc., a specialized SMTP fuzzer would be invaluable. Conversely, ‘dumb’ fuzzers are used for arbitrary protocols and file formats as well as performing simple and non-protocol mutations.

At times, programmer may need more customized and thorough fuzzing for the purpose of performing on propriety and untested protocols, even if the dumb fuzzers could effectively be used against various common applications. It is times like these that the significance of Fuzzing Frameworks is realized and in this document we shall look at some of the most popular and potent Fuzzing Frameworks available in the public domain.

What is a Fuzzing Framework?

Apart from the language platform, way of abstraction, designing and orientation, a fuzzing framework always comes with the central goal of providing fuzzer developers with a quick, flexible, reusable and homogenous development environment. A good fuzzing framework abstracts and minimizes a number of different tasks like converting network traffic into framework compatible format.

A functional framework should include Automatic length calculation e.g TLV (type, length, value), ASN, CRC calculations and many other algorithms. If automatic length calculation is not performed correctly, communication will be failed to get observed. If the CRC is not correctly updated it will void all fuzzing efforts.

Generating Pseudo random data, including an assured list of attack heuristics like format string and directory traversal should be a feature of good framework. A good framework should be able to detect its fault as soon as the target fails to setup a connection. While making a framework more advanced, it should fairly be ensured that the framework allows the fuzzer to directly communicate with a debugger that is being attached to the target.

In addition to this, an advance fuzzing framework should include an interface designed for communicating with a metric gathering tool. Lastly in an advanced framework there are facilities that carry out code reuse at its maximum by making creating developed components that are readily available for future use.

Existing Frameworks

Antiparser

Antiparser is a fuzz testing and fault injection API. Its goal is to provide an API that can be used to model network protocols and file formats by their composite data types. Once an instance has been created it works as a container. All data objects in the container have its own properties and thus they can be saved and used later on when needed.

Although this framework is simple and beneficial for simple fuzzers, it doesn’t support complex tasks. The ratio of framework specific code versus generic code is low in antiparser. It lacks automated methods that are considerably important for a good framework. It has a single version 2.0 that released in August 2005.

Dfuz

To uncover a range of vulnerabilities that are affecting Microsoft, Ipswitch, and RealNetworks, Dfuz fuzzing network was designed, actively maintained and frequently updated. Capable of running on UNIX/Linux operating system, Dfuz exposes a custom language for developing new fuzzers. Though it is not the most advanced fuzzer but it is simple and easy to use and understand.

Defuz comprises of some basic components ranging from data, functions and lists to options protocols and variables. These components are used to define a set of rules that parse to generate and transmit data. Unlike antiparser, Dfuz is a self contained fuzzer.

Through, custom scripting language data can be represented in multiple ways and multiple data definitions can be declared using comma separator. Basic components combined with some additional directives that create a rule file.

Dfuz is a simple and powerful fuzzing framework having a relatively quick learning curve and fast development time. Accomplishing fuzzer development in its own scripting language has both pros and cons. It is positive in that non programmers can fuzz and describe protocols and negative in that experienced programmers can not have benefits from the basic powers or features of a mature programming language. Dfuz has a better code reusability but it lacks a strong set of attack heuristics.

Spike

Spike, the most commonly used framework, is an API for quick and efficient network protocols. It has been released under a favorable license i.e. GNU general public license that enables programmer creation of SpikeFile, a repurposed version. Spikes are basically blocks of protocol data structures which are broken down containing both binary data and the size of the block. It enhances the abstraction with the help of automatic calculation of size.

Using spike, programmers can design and model arbitrarily complex protocols. As spike is documented very scattered it has lead to confusion among different researchers that it cannot prevent others from reducing systems information assurance. Spike is basically a Unix supported fuzzer but it can run on Windows using cygwin. Even a very simple change in framework requires recompilation which definitely could be a major drawback. Code reusability is a manual task and new elements could not be defined simply but globally across the framework.

Spike despite being an effective fuzzer has some shortcoming as it includes many useful utilities like proxy and fuzz communications. Its block based technique has been adopted by a number of frameworks making it quite popular.

Peach

Peach, released by IOACTIVE in 2004, is a cross platform framework having the most flexible architecture with code reusability technique. Basic components include generators, transformers, protocols, publishers and groups. Every component has a particular function.

Generators basically generate data from simple strings to complex binary messages. Combination of generators simplifies complex data types and abstraction allows code reusability. Data could be changed by transformers. It can be combined with other transformers and bounded to a generator. Once implemented, it also helps in code reusability. Values produced by a generator stepped through by a group that contains one or more generators. Script object serving as an additional component reduces the redundancy of code.

Another drawback is that this framework is not that much intuitive because it takes longer to develop a new fuzzer as compared to other frameworks. As an initial step individual subcomponents are being focused and then combining them to develop a complete fuzzer that is helpful to a programmer with the facility of code reusability. With proper installation of Python it can be run from any environment. Though Peach is advancing theoretically but there is no proper documentation.

General Purpose Fuzzer

GPF, available as an open source designed for Unix environment, is a generic fuzzer designed to generate infinite number of mutations. The basic advantage of GPF is that it takes less time to get fuzzer up and run. GPF basic modes include PureFuzz, convert, GPF (main mode), PatternFuzz and Super GPF.

PureFuzzer is as easy to use as attaching a device to a socket. Convert translates libcap files into GFP file, generated by Ethereal or Wireshark. GPF main mode controls number of protocol attacks. PatternFuzz is the most distinct mode because it automatically tokenizes and fuzz protocols. SuperGPF detects whether a socket endpoint has been targeted for fuzzing or not. But it fuzzes ASCII protocols only.

One has to learn significantly as it is complex to work on. On the other hand it is extensible and flexible too. Automatically processing and fuzzing empowers it in against with other frameworks.

Autodafe

Autodafe, a next version of SPIKE, uses a block based approach to fuzz both network protocols and file formats. The main goal is to reduce the size and complexity, focusing on most resulted problems. When once implemented, it can be iterated through different HTTP mutations.

An interesting technique named Markers technique decides the importance of each fuzz variable as there could be hundreds of fuzz variables making test cases double, so important test cases containing important fuzz variables have to be sorted out. Autodafe includes a debugger named adbg to set breakpoints. It is the first framework that explicitly includes a debugger. Additional tools PDML2AD, TXT2AD and ADC are used to make development quick and efficient.

It has many pros and cons same as of Spike. Its debugging feature makes it quite distinguishable but even then, lack of Windows support and recompilation on even simple modifications might make it fail.

The web browser is one of the most used and most exploited applications. Its frequent use has made it risky and vulnerable in past few years. It made attackers to adopt it as their basic path to fulfill their malicious wishes.

Usually there are different exploit codes used as scripts for every browser. However these exploits are easy to detect through exploit patterns using different regular expression and heuristic based signature engines. Consequently there also exist numerous techniques that have been adopted by attackers to bypass these detective methods. Vendors of signature-based protection systems then focused on detecting the obfuscated exploit variants in this never ending cat and mouse game.

As a response attackers have resorted to creating a unique exploit that morphs uniquely in every instance, making it impossible for signature-based protection engines to identify these Holy Grail of all obfuscated attacks. Techniques to alter this load in iterations of request are commonly referred to as oligomorphic, polymorphic or metamorphic manipulation.

Code Morphing

Code morphing is one of the techniques to protect software applications from reverse engineering, analysis, modifications, and cracking. Code morphing breaks up the protected code into several processor commands and replaces them by others, while maintaining the same result. Thus the protector obfuscates the code at the intermediate level.

i) Malware Morphing

The concept of malware morphing is in use from many years. Malware authors and anti-virus researchers have identified the methods used to obfuscate and hide malware code with each infection. These techniques have been a source of innovation for web browser exploit developers. They were ineffective in early stages against traditional signature-based protection engines for the following reasons:

• There was no organizational structure or financial backing to develop obfuscation techniques that would be effective against modern security solutions.
• Patches were generally available when an exploit appeared.
• The methods used for attracting victims to malicious websites were relatively unsophisticated and static in nature.

The most common morphing classes found in malware development include the following:

a) Oligomorphic

The malware author used multiple decrypt engines instead of just one. It randomly builds an engine from several predefined alternatives with malware iteration. The very first technique was called WHALE (Aug 1990).

b) Polymorphic

Polymorphic malware uses a dynamic build process to incorporate noise instructions or an instruction to load an unused register with a value and random keys to encrypt the constant part.

c) Metamorphic

Metamorphic malware carries a copy of the source code whenever it finds a compiler recompiling itself after adding or removing junk code to its source.

ii) Exploit Morphing

Usually in web browsers, the more widely deployed and consistent the exploit code, the earlier protection is developed and deployed. Morphing exploit code bypasses the limiting factors of web browser exploitations.

In recent years there is a dramatic rise in web browser attacks. Attackers are dynamically altering the obfuscated exploit each time a potential user visits the insecure page, creating a unique exploit with each request. This is called x-morphic exploitation.

These unique principals are being applied to commercial exploit development incorporating within web browser attacks due to their susceptibility to content-level manipulation. With x-morphic exploitation, the code that morphs the exploit is never passed through to the victim host. Therefore there is no chance to identify exploitation by singling out the x-morphic engine, rendering useless signature-based protection engines, designed to detect polymorphic and metamorphic generating code, that make up the antivirus market.

Ideal Conditions

An ideal condition for x-morphic exploitation would contain:

a)      Possibly different exploit code for every user’s browser.

b)                                                                                                                                                                                                                                Services that exploit subscription based management.

c)      Exploits those are invulnerable to signature-based anti-virus software.

Web-Server Delivery

A web server is said to be harmful if it responds an HTTP GET or HTTP POST request with an HTTP exploit code to the victim’s request. A single exploited HTTP page is responded. If a signature that detects this exploited material is present, potential users are secured. The longer the harmful web server responds the exploited material the higher will be the security. This way attacker loses the ability to control and disguise himself.

X-morphic Engine

Attackers are developing a solution; behold the “x-morphic engine” that is designed to serve highly obfuscated and one-of-a-kind web browser exploits with each page uniquely rendered to a potential victim. The concept behind an x-morphic engine is simple, with the individual techniques and technologies.

There are two core elements to the x-morphic engine:

• Exploit Morpher

It focuses on manipulating a stock Web browser exploit by reordering, padding, swapping shell code, changing script components and altering the exploit code using oligomorphic and polymorphic principles.

• Obfuscators

It consists of engines at the network layer, content delivery layer or application content layer that take the morphed exploit code and wrap it in one or more layers of obfuscation. Each layer has its own influence and provides a metamorphic aspect. The x-morphic engine may also include additional exploits stored on the Web server

Techniques

There are number of obfuscation techniques which are used when integrated with automation system. It can be classified as:

i) Network Layer

The intent of obfuscating at the network layer is to bypass network-centric protection systems, intrusion detection systems (IDSs), intrusion protection systems (IPSs) and filtering proxies. It provides packet fragmentation as a primary tool. It breaks the original packets into smaller packets and alters the fragmented data. Some common techniques include:

Simple fragmentation:

‘AT’ ‘TAC’ ‘K’ à ATTACK

Out Of sequence packets:

‘C’ ‘T’ ‘K’ ‘A’ ‘A’ ‘T’ àATTACK

Overlapping packets:

‘AT’ ‘TAC’ ‘ACK’ ‘K’ à ATTACK

Overwriting redundant packets:

‘AT’ ‘QWE’ ‘TAC’ ‘RTY’ ‘ACK’ ‘K’ à ATTACK

Packet Timeout:

ATT—-long pause——ACK à ATTACK

ii) Content Delivery Layer

HTTP is used as a primary delivery protocol which might be obfuscated by the attacker. It is important to properly reassemble and parse encoding techniques, in order to identify the exploit material. It makes an attacker to adopt these techniques.

1)      HTTPS encryption over Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

2)      HTTP-supported compression.

3)      Multiple character set encoding.

4)      Transfer encoding, such as “chunked” and “token-extension”.

5)      Chaffing content with characters.

iii) Application Content Layer

It focuses the way the application rebuilds, compiles or executes HTML content. Some of the most popular application content layer obfuscation techniques are:

1)      Splitting up the source files and dynamically rebuilding the exploit page.

2)      Execution of embedded scripts to “unpack” and execute the exploit.

3)      Using file formats which have their own scripting languages and can be rendered inside the Web browser.

How to Deliver Malicious Content?

An attacker must obligate multiple users to request a page from the affected web server to increase the possibility of exploitation and malware. Some common methods used by the attackers are:

1)      Spam

2)      Phishing

3)      Hacking

4)      Banner advertising

5)      Search page-rank

6)      Expired domains

7)      Domain Name Server (DNS) hijacking

8)      Forum posting

9)      Tickers and counters

10)  404 page errors

11)  Server-side user-agent checks

Personalizing the Attack

X-morphic engines further obfuscate their attacks by taking advantage of advanced personalization techniques. Personalized attacks deceive visitors by creating a more dynamic “user experience” on the site, while bypassing many security systems.

Strategies that the x-morphic engine developers will likely adopt as part of their personalized attack delivery platform include the following

1)      Using the source IP address information of the request, the attacker ensures that only one exploit is being served. It prevents subsequent replay-based analysis.

2)      Implement a time-based approach to prevent their engine from exposure.

3)      Depending upon the browser type information, the attacker would ensure that only exploits relevant to that browser are being served. It prevents search engines and web crawlers from malicious content.

4)      Leveraging the IP address, the attacker can prevent IP addresses from any malicious content.

5)      One-time URLs will likely be used to ensure that exploit code is served just once.

Conclusion

Web browser exploit platforms will be vital for the infection success for organizations that rely on malware installation. Fortunately, legitimate security researchers and organizations have been developing more preventative means of fighting these sophisticated attacks. Recent advances in anomaly detection and intrusion prevention systems combined with more behavioral-based techniques are helping organizations identify suspicious activity earlier. With the arrival of x-morphic exploitation, the exploit and security world has entered into a different phase that has rendered trustworthy signature-based antivirus system obsolete