Re: security of hibernate (was: hibernate function)
On Fri, Feb 18, 2011 at 04:54:57PM -0500, Ted Unangst wrote:
> On Fri, Feb 18, 2011 at 3:35 PM, Joachim Schipper <joac...@joachimschipper.nl> wrote:
> > Actually, if one could specify an encryption password for the memory
> > written to disk, a stolen hibernating system would be less dangerous than
> > a running/ACPI-sleeping system because it's suddenly impossible to get
> > interesting data from the system memory. Interesting data like the keys
> > in ssh-agent or a softraid decryption key.
>
> Not really much difference between encrypting memory that's written to
> disk and memory that's just left in memory.

Yes, but when hibernating you can be pretty sure that e.g. disk cache and
video memory are actually empty. You do have a good point, but there are
just more potential problems with ACPI sleep.

Or am I babbling nonsense? I'll admit to not knowing much about ACPI...

Joachim
-- 
TFMotD: ec(4) - 3Com EtherLink II (3c503) Ethernet device
http://www.joachimschipper.nl/
Re: security of hibernate (was: hibernate function)
On Fri, 18 Feb 2011 16:54:57 -0500 Ted Unangst wrote:
> On Fri, Feb 18, 2011 at 3:35 PM, Joachim Schipper <joac...@joachimschipper.nl> wrote:
> > Actually, if one could specify an encryption password for the memory
> > written to disk, a stolen hibernating system would be less dangerous than
> > a running/ACPI-sleeping system because it's suddenly impossible to get
> > interesting data from the system memory. Interesting data like the keys
> > in ssh-agent or a softraid decryption key.
>
> Not really much difference between encrypting memory that's written to
> disk and memory that's just left in memory.

Unless the power is removed in between. Unfortunately motherboards don't do
that without intervention, but they should. I've seen one Abit board with a
convenient switch, but that doesn't help on remote systems. In fact they
seem to be getting more and more stupid, especially in BIOS access. I also
have one system that won't let you hibernate two OSes at once and another
system that wants you to reset the BIOS to detect a new hard disk etc.

Maybe the want for green systems will change keeping power to the RAM, but
I doubt it; they'd need to distinguish between hibernate and standby at the
lowest level or remove standby.

A password or wipeable password file seem like good ideas to me, or the
user can just decide whether to allow hibernate at all.
Re: hibernate function
On Fri, 18 Feb 2011 20:53:42 +0100 Benny Lofgren wrote:
> > I don't really see how hibernate could be done safely without all
> > systems having a TPM. Maybe a storage file in /var that only root can
> > access, but that's still a compromise.
>
> I'm sure it's just my too-narrow mind, but I fail to see any particular
> security implications that are not also implied by having actual physical
> access to the machine. Could you elaborate?

If you switch the main power off before leaving your machine then that
isn't true. Also I'm fairly sure it's easier to get access to data on a
disk, especially if deleted, than all data in memory.
hibernate function
does it exist?
Re: hibernate function
On Fri, Feb 18, 2011 at 10:51:27AM -0600, Orestes Leal R. wrote:
> does it exist?

Not yet.

Joachim
-- 
PotD: converters/wv2 - library functions to access Microsoft Word/Excel files
http://www.joachimschipper.nl/
Re: hibernate function
On Fri, 18 Feb 2011 16:17:25 +0100 Joachim Schipper wrote:
> On Fri, Feb 18, 2011 at 10:51:27AM -0600, Orestes Leal R. wrote:
> > does it exist?
>
> Not yet.
>
> Joachim

Hibernate offers more integrity of user data but it's a lot less secure,
discounting the boot viruses like the one mentioned on P. Hansteen's site
that may? be hindered by power removal. (Anyone heard more about those or
how that one worked?)

http://bsdly.blogspot.com/2010/10/if-it-runs-openbsd-it-has-to-be.html

I don't really see how hibernate could be done safely without all systems
having a TPM. Maybe a storage file in /var that only root can access, but
that's still a compromise.
Re: hibernate function
There are some patches floating around.

On Fri, Feb 18, 2011 at 10:51:27AM -0600, Orestes Leal R. wrote:
> does it exist?
Re: hibernate function
On 2011-02-18 18.17, Kevin Chadwick wrote:
> On Fri, 18 Feb 2011 16:17:25 +0100 Joachim Schipper wrote:
> > On Fri, Feb 18, 2011 at 10:51:27AM -0600, Orestes Leal R. wrote:
> > > does it exist?
> >
> > Not yet.
>
> Hibernate offers more integrity of user data but it's a lot less secure,
> discounting the boot viruses like the one mentioned on P. Hansteen's site
> that may? be hindered by power removal. (Anyone heard more about those or
> how that one worked?)
>
> http://bsdly.blogspot.com/2010/10/if-it-runs-openbsd-it-has-to-be.html
>
> I don't really see how hibernate could be done safely without all systems
> having a TPM. Maybe a storage file in /var that only root can access, but
> that's still a compromise.

I'm sure it's just my too-narrow mind, but I fail to see any particular
security implications that are not also implied by having actual physical
access to the machine. Could you elaborate?

The one problem I see is the risk of being able to read system memory from
the hibernation storage if someone unauthorized gains access to the system
and boots it into single-user mode or removes the disk and reads it in
another computer.

But the way I imagine hibernation to be implemented would be to simply swap
out all memory to the (by default) encrypted swap space, and then somehow
flag the upcoming next boot that the swap contains live hibernation data,
and provide the encryption key (which of course becomes the weak point).

Then for the really paranoid, the location of that flag and key could
perhaps be configurable, and be set to a USB stick or memory card that can
be removed and for example travel separately from the laptop itself.

Not perfect of course, but then again, if access to the physical hardware
is gained all bets are more or less off anyway.

Regards,
/Benny

-- 
internetlabbet.se     / work:   +46 8 551 124 80  / Words must
Benny Löfgren         / mobile: +46 70 718 11 90  / be weighed,
                      / fax:    +46 8 551 124 89  / not counted.
                      / email:  benny -at- internetlabbet.se
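The scheme Benny sketches (memory written to encrypted swap, with the key needed at the next boot kept apart from the image) as an added Go example; this is not code from the thread or from OpenBSD, and the `Hibernate`/`Resume` functions, the `Image`/`Token` types and the SHA-256 stand-in for a password KDF are assumptions of this sketch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
)

// Constructed model of the scheme sketched above (not OpenBSD code): RAM goes to
// swap under a per-boot random key, which is wrapped under a passphrase-derived
// key and kept apart from the image (the removable "USB stick" of the proposal).
type Image struct{ Nonce, Ciphertext []byte }       // lives in swap
type Token struct{ Salt, Nonce, WrappedKey []byte } // lives on removable media
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key used here is 32 bytes
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}
func seal(key, plaintext []byte) (nonce, ct []byte) {
	aead := gcmFor(key)
	nonce = make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not fail on current Go releases
	return nonce, aead.Seal(nil, nonce, plaintext, nil)
}
// passKey stands in for a real password KDF (assumption; use a slow, memory-hard one).
func passKey(pass, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pass...))
	return h[:]
}

func Hibernate(memory, pass []byte) (Image, Token) {
	swapKey, salt := make([]byte, 32), make([]byte, 16)
	rand.Read(swapKey) // per-boot key; only its wrapped form is ever written
	rand.Read(salt)
	imgNonce, imgCT := seal(swapKey, memory)
	tokNonce, tokCT := seal(passKey(pass, salt), swapKey)
	return Image{imgNonce, imgCT}, Token{salt, tokNonce, tokCT}
}

// Resume fails closed: without the token and the passphrase, swap is ciphertext.
func Resume(img Image, tok Token, pass []byte) ([]byte, error) {
	swapKey, err := gcmFor(passKey(pass, tok.Salt)).Open(nil, tok.Nonce, tok.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong passphrase or tampered token
	}
	return gcmFor(swapKey).Open(nil, img.Nonce, img.Ciphertext, nil)
}
```

Separating the token from the image is what turns "anyone with the disk can read RAM" into "anyone with the disk, the token and the passphrase can"; a wrong passphrase or an altered image is rejected by GCM authentication rather than yielding garbage.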
Re: hibernate function
On Fri, Feb 18, 2011 at 11:51 AM, Orestes Leal R. <l...@cubacatering.avianet.cu> wrote:
> does it exist?

It'll work if it's implemented in hardware like on a ThinkPad X40.
Re: security of hibernate (was: hibernate function)
On Fri, Feb 18, 2011 at 05:17:57PM +, Kevin Chadwick wrote:
> On Fri, 18 Feb 2011 16:17:25 +0100 Joachim Schipper wrote:
> > On Fri, Feb 18, 2011 at 10:51:27AM -0600, Orestes Leal R. wrote:
> > > does it exist?
> >
> > Not yet.
>
> Hibernate offers more integrity of user data but it's a lot less secure,
> discounting the boot viruses like the one mentioned on P. Hansteen's site
> that may? be hindered by power removal. (Anyone heard more about those or
> how that one worked?)

Actually, if one could specify an encryption password for the memory
written to disk, a stolen hibernating system would be less dangerous than a
running/ACPI-sleeping system because it's suddenly impossible to get
interesting data from the system memory. Interesting data like the keys in
ssh-agent or a softraid decryption key.

Read e.g. http://citp.princeton.edu/pub/coldboot.pdf for a very readable
introduction to rip-your-memory-out-of-your-machine attacks (figure 4 is
particularly nice); in particular, note that such attacks are quite
feasible.

Despite the common "with physical access, all bets are off" wisdom,
physical attacks can actually be defended against quite well - *if* the
system is turned off when they are carried out and never turned on again.

Joachim
-- 
PotD: net/fping - quickly ping N hosts w/o flooding the network
http://www.joachimschipper.nl/
Re: security of hibernate (was: hibernate function)
On Fri, Feb 18, 2011 at 3:35 PM, Joachim Schipper <joac...@joachimschipper.nl> wrote:
> Actually, if one could specify an encryption password for the memory
> written to disk, a stolen hibernating system would be less dangerous than
> a running/ACPI-sleeping system because it's suddenly impossible to get
> interesting data from the system memory. Interesting data like the keys
> in ssh-agent or a softraid decryption key.

Not really much difference between encrypting memory that's written to
disk and memory that's just left in memory.