Boot Jacker



BootJacker: Compromising Computers using Forced Restarts

Ellick M. Chan, Jeffrey C. Carlyle, Francis M. David, Reza Farivar, Roy H. Campbell
Department of Computer Science
University of Illinois at Urbana-Champaign
201 N Goodwin Ave
Urbana, IL 61801-2302
{emchan,jcarlyle,fdavid,farivar2,rhc}@illinois.edu

ABSTRACT

BootJacker is a proof-of-concept attack tool which demonstrates that authentication mechanisms employed by an operating system can be bypassed by obtaining physical access and simply forcing a restart. The key insight that enables this attack is that the contents of memory on some machines are fully preserved across a warm boot. Upon a reboot, BootJacker uses this residual memory state to revive the original host operating system environment and run malicious payloads. Using BootJacker, an attacker can break into a locked user session and gain access to open encrypted disks, web browser sessions or other secure network connections. BootJacker’s non-persistent design makes it possible for an attacker to leave no traces on the victim machine.

Categories and Subject Descriptors
D.4.6 [Operating Systems]: Security

General Terms
Security

Keywords
Security, attacks, memory remanence

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. CCS’08, October 27–31, 2008, Alexandria, Virginia, USA. Copyright 2008 ACM 978-1-59593-810-7/08/10 ...$5.00.

1. INTRODUCTION

A plethora of security schemes have been deployed to protect information on computer systems that are vulnerable to physical theft or unauthorized access. Most systems minimally employ an authentication system that requires the user to enter a password before granting access to the system. Many systems also employ console or screen saver locks that require re-authentication if the user session has been idle for some period of time. Modern systems are capable of encrypting network connections and the contents of secondary storage for additional protection. To ensure secrecy, encryption keys used in such systems are typically not generated until after the user has successfully logged in. Once created, these keys are stored in volatile memory as part of the user’s session state until the user logs out. It is commonly believed that if a computer is physically stolen, these encryption and authentication mechanisms will significantly hinder attackers from readily accessing stored secrets. In this paper, we demonstrate that this assumption is flawed and present a tool that allows attackers to bypass the system’s authentication defenses and gain instant access to user sessions on a live system.

BootJacker is a proof-of-concept attack tool that utilizes an unconventional attack vector to break into the system: a forced restart. This attack exploits the observation that, on many computers, the contents of memory are preserved even after a restart. In fact, researchers have shown that the contents of memory are ...
