“The Princeton tool does essentially two things: It is a bootable USB that would copy the contents of memory and RAM of any system it was booted on, and [it] also has software to pull down encryption keys out of memory,” Securosis analyst Rich Mogull told SCMagazineUS.com on Wednesday. “The tool Wesley McGrew released is a bootable USB. It only does the first part, not the second part.”
Princeton computer science professor Edward Felten and a group of graduate students made headlines last month when they successfully grabbed data from a DRAM chip that had been removed from a powered-down PC and then chilled. The team used its own custom-made encryption scanner to decode and read encrypted data contained on the chip.
McGrew decided to create his own RAM dumping program because he was intrigued by the Princeton tool and wanted to experiment with the concept, he told SCMagazineUS.com.
“I had experimented with recovering data from RAM before – about a year ago when it first came to my attention that RAM had this little-known property,” he said. “When I read the Princeton paper, I saw that they got around this by making their memory dumper a small SysLinux plug-in. I thought this was a great idea, so I used the information from their paper and video to put together my own quick-and-dirty implementation.”
McGrew admitted that while he hasn't done any testing to recover keys for encryption software, he did not rule it out in the future. Nor does he think he has provided a new tool for cybercriminals.
“Serious attackers with the motivation to perform this kind of attack have the skill to develop this tool independently,” he said. “In contrast, the legitimate uses for this tool far outweigh the negatives. Other security researchers can use it as a starting place for further research into the same techniques the Princeton researchers published, and other ways of analyzing memory dumps for vulnerabilities.”
However, Mogull expressed concern at how quickly the Princeton code was replicated and indicated that vigilance must be maintained within organizations to protect encrypted data on DRAM chips from possible attacks.
He has said in a blog post that the most effective way to deter the attack is to power down computers completely, not keep them in sleep mode.
“I don't see this as anything to panic about today,” Mogull said. “But I do see this as somebody basically rang a bell on this, and we need to pay much more attention.”