Comment by repost

12 years ago

Reading between the lines in the announcement it sounds like dropping and reconnecting may cause it to read memory freed up from a prior connection. It may "just" be a matter of keep trying or it may be a matter of opening lots of connections to consume resources dropping them all then connecting and seeing what was left on the beach after the tide went out.

BTW Amazon AWS/ELM is vulnerable, confirmed publically by their support.

6 comments

repost

Reply
bostik  12 years ago

> It may "just" be a matter of keep trying

I gave this some thought earlier today, and expect that address space randomisation can make this bug eventually expose the server keys. You need to hit an address that has been just vacated from a (crashed) httpd worker.

Most implementations clear encryption key material on exit, but a crashed process never got to run that code.

  • tjgq  12 years ago

    In most systems, this will only work within the same process. Contemporary Unix kernels always allocate zeroed pages to processes, so it's impossible for a process to recover data from another unless there's a kernel bug.

astrange  12 years ago

If it just reads the up-to-64KB after that allocation, wouldn't you expect to see the server process segfault before too long?

Of course, servers helpfully just start themselves back up again.

As for scanning for key material, I wonder how to tell that 256-bit random data is the 256-bit random data you want.

  • juhanima  12 years ago

    When for instance an AES-key is being used by OpenSSL, it is put into a 'struct aes_key_st' which is not random at all but quite easily recognizable when scanning memory.

    The Cold Boot attack paper by Halderman, Schoen et al. here

    https://citp.princeton.edu/research/memory/

    ...discusses this in detail in chapter 6, Identifying Keys in Memory.

    EDIT: fixed the reference

  • HappMacDonald  12 years ago

    Well, one way is to brute iterate through every potential 256-bit string you dredge out of the canal against the known public key.

    If you can dredge up 64kB of fresh data every time, that's 511,744 tests per shovelful which is quite a bit to sift through from a performance perspective but it's also a trivially parallel task.

    Additionally, folk might know of even better ways to narrow that down. For example, the data representation in memory might have easy to grep for delimiters.

    • ibmthrowaway218  12 years ago

      65505 tests as I work it out as it's unlikely to be non-byte aligned:-

      256 bits is 32 bytes

      If you get 64kB of payload data back each time then it can only contain 65536-31=65505 different consecutive strings of 32 bytes.