[SOLVED] Is it possible that RAM is encrypted too, without special hardware?

Ulysses_ · 03-27-2015, 05:17 PM

It may be a long shot, but can the entire RAM be encrypted with some simple sort of encryption whereby the key is held in cpu registers?

jefro · 03-27-2015, 06:57 PM

No. (pretty darn sure)

metaschima · 03-27-2015, 07:26 PM

What do you want to accomplish ?

Ulysses_ · 03-28-2015, 03:37 AM

Maybe run arbitrary software with an emulator or hypervisor that intercepts all access to ram encrypting/decrypting the data so real ram is always encrypted and a core dump does not reveal what the software is processing. A core dump is possible by an adversary that owns the hardware (VPS hoster).

TobiSGD · 03-28-2015, 06:00 AM

Quote:

Originally Posted by Ulysses_

Maybe run arbitrary software with an emulator or hypervisor that intercepts all access to ram encrypting/decrypting the data so real ram is always encrypted and a core dump does not reveal what the software is processing. A core dump is possible by an adversary that owns the hardware (VPS hoster).

A VPS hoster can make a a snapshot from the entire machine, including the CPU registers, at any given time, so this excercise would be moot.

273 · 03-28-2015, 08:12 AM

I was intrigued by this concept so I did some googling and it would appear that it has been tried and there should be a proof of concept out there:
http://ieeexplore.ieee.org/xpl/login...mber%3D5655081
While encrypting RAM contents is probably not all that much of a defense I can see it making it tougher for a provider to snoop and if there are any built-in snooping measures I wouldn't have thought they would expect encrypted RAM -- so, perhaps, there is some use in doing this?

TobiSGD · 03-28-2015, 08:44 AM

This may work on bare metal machines, but that simply doesn't apply to VMs.

273 · 03-28-2015, 08:59 AM

Quote:

Originally Posted by TobiSGD

This may work on bare metal machines, but that simply doesn't apply to VMs.

I meant that, for example, if the VPS provider takes automated memory dumps of machines for "auditing" purposes they're not going to be of much use if most data is encrypted. In other words I know that if the VPS provider is aware of these things they could employ countermeasures but automated systems could be defeated.
Whether that is "enough security" is another question entirely, of course.

Ulysses_ · 03-28-2015, 09:00 AM

Does it matter if it is a vmware VM, not a VPS?

Vmware VM's look very much like real hardware from the inside, complete with a BIOS etc and therefore capable of running any PC operating system.

TobiSGD · 03-28-2015, 09:18 AM

Any VM, regardless if it is VMware, Virtualbox, KVM, ..., allows the host running the VM to make snapshots of the running machine, including all encryption keys (this is what happens when you suspend the VM, only that the VM is shut down afterwards). If they have the keys, encryption is no protection at all

Ulysses_ · 03-28-2015, 09:21 AM

Someone has already found enough space for the keys in the cpu for some reason:

Quote:

TRESOR is a software approach that seeks to resolve this insecurity by storing and manipulating encryption keys almost exclusively on the CPU alone ... TRESOR is written as a kernel patch that stores encryption keys in the x86 debug registers

https://en.wikipedia.org/wiki/TRESOR...R.27s_approach

Ulysses_ · 03-28-2015, 09:36 AM

Sure all cpu registers must appear in a core dump, even if AES-NI is supported?

Quote:

Its developers state that "running TRESOR on a 64-bit CPU that supports AES-NI, there is no performance penalty compared to a generic implementation of AES",[5] and run slightly faster than standard encryption despite the need for key recalculation, a result which initially surprised the authors as well

273 · 03-28-2015, 09:39 AM

Quote:

Originally Posted by TobiSGD

Any VM, regardless if it is VMware, Virtualbox, KVM, ..., allows the host running the VM to make snapshots of the running machine, including all encryption keys (this is what happens when you suspend the VM, only that the VM is shut down afterwards). If they have the keys, encryption is no protection at all

Indeed, they even have them when stored in debug registers as per the abobe posted TRESOR. However, as I mentioned previously, it would depend upon what the VPS host does as regards monitoring. Again though I'm not suggesting this is security which could be relied upon but wonder whether it would frustrate any routine "records keeping" by a provider. Sadly I don't know how VPS provisers work as I never got past the interview stage when I attempted to work for one.

TobiSGD · 03-28-2015, 11:08 AM

Quote:

Originally Posted by Ulysses_

Sure all cpu registers must appear in a core dump, even if AES-NI is supported?

I am not talking about core dumps. A VPS hoster can save the machine's state at any given time, including RAM and all CPU registers.

metaschima · 03-28-2015, 11:22 AM

In conclusion, yes you can encrypt RAM, but no it won't help you if the VPS host owns the hardware and is the adversary.