Friday, February 22, 2008

It Isn't Gone

Usage of encryption software can be thwarted by simply looking at the RAM. What I want the nerds to tell me is if the RAM would be cleared if I dismount my encrypted files and then play a game of, say, Minesweeper? Or am I thinking too simply? I foresee a new add-on to encryption software that will write random junk to the RAM before the machine shuts off.


Daniel said...

RAM (well, DRAM, not swap space on your disk) doesn't maintain data without power. So, buy lots of DRAM and turn off the disk-based swapping. Secure operating systems (such as UNIX and, I believe, Windows NT on up) pre-write memory before giving a process access to it. When I was working on one piece of freeware I tried allocating large chunks of memory for a bitmap and then displaying the bitmap without doing anything to the memory. In an OS like Windows 98 I saw all the garbage left behind by the previous process (looks like colorful static when rendered as a bitmap). On Windows 2000 it was solid black (pre-initialized to zeros). This hurts the OS on performance. Based on my gut feeling the overwriting was taking place at allocation time, not deallocation time (which would be more secure). Also, in theory one process cannot access another process's memory space (unless there is a security hole in the OS).

Daniel said...

So I read your link... and better understand the question now... Their problem is full disk encryption that needs the key in memory for the disk to be used.

Minesweeper might not be the best tool... you could however write a simple C program that does this...

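#include <stdlib.h>
int main(void) {
    int *p = malloc((size_t)1 << 30);  /* request 1G of memory */
    return p == NULL;                  /* non-zero exit if the allocation failed */
}
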
This would rely on the OS to clear the RAM before you allocate 1G for no reason at all.

DRAM won't hold data for more than a few seconds at room temperature and once the power rails drop that number goes down fast. It will hold data a little longer if it is cold (so break out the freeze spray :)).
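
Added example, not part of the original post or its comments: a C sketch of the two points discussed above, that the OS hands out zero-filled pages at allocation time and that a key stays in its page until the program itself overwrites it before release. It assumes a POSIX system with mmap and mlock; the function names, the 4096-byte page size and the 0xA5 stand-in key are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE   /* exposes MAP_ANONYMOUS under strict -std= modes */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define KEY_LEN 32

/* Zero a buffer through a volatile pointer so the compiler cannot
 * discard the stores as dead writes just before the memory is released. */
static void wipe(void *buf, size_t len) {
    volatile unsigned char *p = buf;
    while (len--) *p++ = 0;
}

/* Count non-zero bytes still present in a buffer. */
static size_t residue(const unsigned char *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (buf[i] != 0);
    return n;
}

/* Simulated mount/dismount cycle. Returns the number of key bytes left in
 * the page at dismount, or (size_t)-1 if the page could not be mapped.
 * *fresh gets the non-zero byte count of the page as handed out by the OS;
 * *locked is 1 if mlock() pinned the page so it cannot go to swap. */
size_t key_lifecycle(int do_wipe, size_t *fresh, int *locked) {
    const size_t page = 4096;             /* assumed page size */
    unsigned char *k = mmap(NULL, page, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (k == MAP_FAILED) return (size_t)-1;
    *fresh = residue(k, page);            /* zero-filled at allocation time */
    *locked = (mlock(k, page) == 0);      /* may fail under RLIMIT_MEMLOCK */
    memset(k, 0xA5, KEY_LEN);             /* constructed stand-in for a real key */
    if (do_wipe) wipe(k, KEY_LEN);        /* "dismount": clear before release */
    size_t left = residue(k, page);
    munmap(k, page);                      /* unmapping also drops the lock */
    return left;
}

int main(void) {
    size_t fresh = 0; int locked = 0;
    size_t no_wipe = key_lifecycle(0, &fresh, &locked);
    size_t wiped = key_lifecycle(1, &fresh, &locked);
    printf("fresh page non-zero bytes: %zu, mlock ok: %d\n", fresh, locked);
    printf("key bytes left without wipe: %zu, with wipe: %zu\n", no_wipe, wiped);
    return 0;
}
```

Without the wipe, the page goes back to the OS with all 32 key bytes intact, and whether they are cleared before the physical memory is reused is up to the OS.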