Cold Boot Attack - Mitigations - CPU-based Key Storage

CPU-based Key Storage

Kernel patches such as TRESOR (for Linux), presented at USENIX Security 2011, modify the kernel of an operating system so that CPU registers (in TRESOR's case the x86 debug registers) can be used to store encryption keys, rather than RAM. Keys stored at this level cannot easily be read from userland and are lost when the computer restarts for any reason. TRESOR uses on-the-fly round key generation, atomicity, and blocking of usual access to the debug registers via ptrace for security, adding CPU-only AES as an additional encryption method.
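To make "on-the-fly round key generation" concrete, here is an added C example (not TRESOR's code) that derives each AES-128 round key from the preceding one inside a single 16-byte buffer, which is the step TRESOR performs from the register-held master key instead of reading a precomputed 176-byte key schedule out of RAM; the runtime S-box construction and the FIPS-197 self-check are assumptions of this example. In user space the buffer is of course still ordinary memory; the example illustrates the derivation, not the register storage.

```c
#include <stdint.h>
#include <string.h>
#define ROTL8(x, s) ((uint8_t)(((x) << (s)) | ((x) >> (8 - (s)))))

/* Build the AES S-box at runtime (GF(2^8) inverse followed by the affine map),
   so no 256-byte constant table needs to be carried around. */
static void init_sbox(uint8_t sbox[256]) {
    uint8_t p = 1, q = 1;                         /* invariant: p * q == 1 in GF(2^8) */
    do {
        p = p ^ (p << 1) ^ (p & 0x80 ? 0x1B : 0); /* p *= 3 (3 generates GF(2^8)*) */
        q ^= q << 1; q ^= q << 2; q ^= q << 4;    /* q /= 3 (multiply by 0xf6) */
        q ^= q & 0x80 ? 0x09 : 0;
        sbox[p] = (q ^ ROTL8(q, 1) ^ ROTL8(q, 2) ^ ROTL8(q, 3) ^ ROTL8(q, 4)) ^ 0x63;
    } while (p != 1);
    sbox[0] = 0x63;                               /* 0 has no inverse */
}

/* Turn round key r into round key r+1 in place. Only these 16 bytes are ever
   held; the full 176-byte schedule is never materialised anywhere. */
static void aes128_next_round_key(uint8_t rk[16], uint8_t rcon, const uint8_t sbox[256]) {
    rk[0] ^= sbox[rk[13]] ^ rcon;                 /* w0 ^= SubWord(RotWord(w3)) ^ Rcon */
    rk[1] ^= sbox[rk[14]];
    rk[2] ^= sbox[rk[15]];
    rk[3] ^= sbox[rk[12]];
    for (int j = 4; j < 16; j++)                  /* w1..w3 ^= the word just updated */
        rk[j] ^= rk[j - 4];
}

/* Recompute round key `round` (0..10) on demand from the 128-bit master key,
   the way TRESOR regenerates round keys each time instead of caching them. */
void aes128_round_key(const uint8_t key[16], int round, uint8_t out[16]) {
    uint8_t sbox[256], rcon = 0x01;
    init_sbox(sbox);
    memcpy(out, key, 16);
    for (int r = 0; r < round; r++) {
        aes128_next_round_key(out, rcon, sbox);
        rcon = (uint8_t)((rcon << 1) ^ ((rcon & 0x80) ? 0x1B : 0));
    }
}

/* Self-check against the FIPS-197 Appendix A.1 key expansion example:
   round key 10 of key 2b7e1516...4f3c must be d014f9a8...0ca6. Returns 1 on match. */
int aes128_matches_fips197(void) {
    static const uint8_t key[16]  = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};
    static const uint8_t rk10[16] = {0xd0,0x14,0xf9,0xa8,0xc9,0xee,0x25,0x89,0xe1,0x3f,0x0c,0xc8,0xb6,0x63,0x0c,0xa6};
    uint8_t out[16];
    aes128_round_key(key, 10, out);
    return memcmp(out, rk10, 16) == 0;
}
```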

TRESOR was foreshadowed by a 2010 thesis by Tilo Muller which analyzed the cold boot attack issue. He concluded that modern x86 processors had two register areas where CPU-based kernel encryption was realistic: the SSE registers, which could in effect be made privileged by disabling all SSE instructions (and necessarily, any programs relying on them), and the debug registers, which were much smaller but had no such issues. He left the latter for others to examine, and developed a proof-of-concept distribution called paranoix based on the SSE register method.

The developers claim that "running TRESOR on a 64-bit CPU that supports AES-NI, there is no performance penalty compared to a generic implementation of AES", and that it runs slightly faster than standard encryption despite the need for key recalculation.

A second method using similar techniques was also described in 2010 under the title "frozen cache" (sometimes known as "cache as RAM"); the two are similar in using CPU-based encryption key storage, but differ in that one uses CPU registers and the other uses CPU cache.
