Purdue CS 42600 - Compromising Computers using Forced Restarts


BootJacker: Compromising Computers using Forced Restarts

Ellick M. Chan, Jeffrey C. Carlyle, Francis M. David, Reza Farivar, Roy H. Campbell
Department of Computer Science
University of Illinois at Urbana-Champaign
201 N Goodwin Ave
Urbana, IL 61801-2302
{emchan,jcarlyle,fdavid,farivar2,rhc}@illinois.edu

ABSTRACT

BootJacker is a proof-of-concept attack tool which demonstrates that authentication mechanisms employed by an operating system can be bypassed by obtaining physical access and simply forcing a restart. The key insight that enables this attack is that the contents of memory on some machines are fully preserved across a warm boot. Upon a reboot, BootJacker uses this residual memory state to revive the original host operating system environment and run malicious payloads. Using BootJacker, an attacker can break into a locked user session and gain access to open encrypted disks, web browser sessions or other secure network connections. BootJacker’s non-persistent design makes it possible for an attacker to leave no traces on the victim machine.

Categories and Subject Descriptors
D.4.6 [Operating Systems]: Security

General Terms
Security

Keywords
Security, attacks, memory remanence

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
CCS’08, October 27–31, 2008, Alexandria, Virginia, USA.
Copyright 2008 ACM 978-1-59593-810-7/08/10 ...$5.00.

1. INTRODUCTION

A plethora of security schemes have been deployed to protect information on computer systems that are vulnerable to physical theft or unauthorized access. Most systems minimally employ an authentication system that requires the user to enter a password before granting access to the system. Many systems also employ console or screen saver locks that require re-authentication if the user session has been idle for some period of time. Modern systems are capable of encrypting network connections and the contents of secondary storage for additional protection. To ensure secrecy, encryption keys used in such systems are typically not generated until after the user has successfully logged in. Once created, these keys are stored in volatile memory as part of the user’s session state until the user logs out. It is commonly believed that if a computer is physically stolen, these encryption and authentication mechanisms will significantly hinder attackers from readily accessing stored secrets. In this paper, we demonstrate that this assumption is flawed and present a tool that allows attackers to bypass the system’s authentication defenses and gain instant access to user sessions on a live system.

BootJacker is a proof-of-concept attack tool that utilizes an unconventional attack vector to break into the system: a forced restart. This attack exploits the observation that, on many computers, the contents of memory are preserved even after a restart. In fact, researchers have shown that the contents of memory are preserved to a great extent for several minutes after machines physically lose power [18, 19].

An attacker using BootJacker forces an immediate restart on the victim computer and then boots from an alternate device such as a CD or USB drive containing the malware. The sudden restart ensures that the normal shutdown procedure of the victim machine is circumvented, thus preventing security applications from clearing vital keys, and preserving the system’s operational state in memory. BootJacker then patches the residual contents of memory with malware payloads and restores the state of the original system.

Although gaining superuser privileges on a victim computer by simply booting an alternate operating system from a peripheral device is trivial, BootJacker is more insidious because it allows an attacker to break into live user sessions. BootJacker thus provides access to open encrypted disks, VPN sessions, secure web browser sessions and other active applications.

In addition to providing unauthorized access to the victim computer, BootJacker’s design also allows it to operate in a covert non-persistent mode, which protects the attack tool from discovery by host based intrusion detection systems. This is important if the intent of the attacker is to compromise a machine in place without raising suspicions. It is possible to use BootJacker in such a way that no changes are made to any non-volatile storage in the system. This ensures that minimal evidence of an intrusion remains after an attack.

BootJacker supports the execution of arbitrary malicious software payloads. The core of BootJacker operates like a small bootstrap environment that resuscitates the state of the core system hardware and software environment, while an extensibility framework allows the creation of custom malware payloads and device drivers. We highlight the threat posed by BootJacker by discussing the implications of two specific malicious payloads: one grants the attacker a command shell with superuser privileges and the other terminates security programs such as event logging services or intrusion detection systems. Similar to BootJacker, the payloads we have developed are designed to be stealthy, and are therefore also non-persistent.

Researchers have shown that encryption keys can be recovered from memory chips several minutes after power is disconnected [19]. Firewire ports on computers can also be used to directly access memory and obtain sensitive information [4, 29]. Such attacks are also possible even in the presence of technologies such as TPM [38] that provide secure key storage when the machine is powered down. These applications trust the operating system’s ability to protect the in-memory plain-text keys when the system is active. While key retrieval attacks can locate secrets in memory, using the keys to gain access to secured information requires further work and may involve substantial effort in cases such as hijacking secure network connections. Unlike key retrieval attacks, BootJacker is able to provide the attacker with full access to the live victim operating environment within a matter of seconds. Additionally, BootJacker does not have to address the problem of locating keys in memory. This is especially helpful when

