BHDC11 - De-anonymizing Live CDs through Physical Memory Analysis

intrigeri intrigeri at
Thu Jan 13 11:37:51 UTC 2011


(Now Cc'ing tails-dev mailing list.)

coderman wrote (12 Jan 2011 12:06:05 GMT) :
> however, more than just wipe at shutdown is useful.

Ack. On second thought, it appears to me the current T(A)ILS "wipe
memory on shutdown" implementation does not necessarily protect
against the attacks that the mentioned talk will probably highlight.
It is likely that some other similar implementations in Live systems
are affected as well.

In short: we wipe *free* memory only, in order to keep the system in
working state and let the shutdown sequence finish its work afterwards
(i.e. actually halt or reboot the system). On the other hand, data
saved in the {union,au}fs ramdisk branch is not free memory and might
thus be recovered. A security announce about this is being worked on
(explaining this problem and the possible consequences to
non-technical users is, well, tricky).

> explicit ordered zeroisation is handy. (starting with keys and key
> schedules, working cipher state, then on to user data, before
> completing a full pass or three. this takes a smart kexec or other
> ham fisted - still worth the effort.)

The kexec idea seems brilliant to me: this is the best way I can think
of to run the memory wipe process inside an environment where almost
all of the memory is considered as being free.

I have thus started implementing this idea in T(A)ILS. Thanks to
Debian's initramfs-tools and kexec-tools, drafting an early prototype
was quite easy. Stay tuned, more to come soon.

> in any case, this begs the question of best practice in solid state
> remanence avoidance. it would make a good FAQ entry, perhaps...

T(A)ILS specification and security design document (draft almost ready
to be published to a wild, unsuspecting world) intends to propose a
set of best practices in this field.

  intrigeri <intrigeri at>
  | GnuPG key @
  | OTR fingerprint @
  | Do not be trapped by the need to achieve anything.
  | This way, you achieve everything.
To unsubscribe, send an e-mail to majordomo at with
unsubscribe or-talk    in the body.

More information about the tor-talk mailing list