Most smartphones and tablets use an ARM System-on-Chip (SoC) architecture. To protect sensitive data, one protection model has the ARM SoC provide a hardware-based isolation environment (e.g., TrustZone®) for running trusted services on the handheld device; in this model, running services keep their secret state in RAM while the device is powered on.
However, this protection model has a significant vulnerability: once a relatively sophisticated attacker with appropriate resources has physical access to a mobile device (e.g., steals a smartphone), the attacker can try to read the RAM contents that store these trusted services' secret state. Such attacks are thus directed towards stealing secret state, including AES cryptographic keys. Different ways to attack and read RAM include cold boot attacks, bus monitoring attacks, and DMA attacks.
In a class of attacks referred to as cold boot attacks, the attacker (adversary) physically extracts the RAM from within a mobile device and reads its contents to retrieve the cryptographic keys. This attack is possible because of the RAM remanence effect, in which residual data remains in RAM long after the RAM has lost power. Disk encryption systems popular on contemporary personal computers and laptops are susceptible to cold boot attacks.
Another approach is to force the device to reboot into a different operating system that dumps out the memory contents, on systems where the firmware does not automatically clear the memory on reboot.
In another class of attacks referred to as DMA attacks, a DMA-capable peripheral that manipulates the DMA controller is used to read arbitrary memory regions. On certain I/O buses, such as Firewire® and Thunderbolt™, this can be done without any cooperation from the processor or the operating system. These attacks may exploit any of several DMA interfaces. The mobile device does not even need to be unlocked, since as long as the device is running, its DMA controller can be programmed over a DMA interface. One mechanism that can be used to defend against such attacks is an I/O memory management unit, often referred to as an IOMMU, found on many contemporary personal computers and laptops; the operating system programs the IOMMU to restrict which memory regions the various DMA-capable I/O devices can access. Despite the IOMMU's popularity on personal computers and laptops, IOMMUs are not yet present on most other mobile devices today. Moreover, IOMMUs cannot authenticate DMA devices, so they are susceptible to a spoofing attack in which a malicious DMA device impersonates another device. Thus, to be effective, an IOMMU needs to be present and programmed to deny access to all DMA devices.
Bus monitoring attacks refer to yet another class of attacks, in which the attacker attaches a bus monitor to the memory bus and waits for the secret data (such as cryptographic keys) to be loaded from RAM into the CPU, or vice versa. With disk encryption systems, a simple reboot ensures that the AES encryption keys are loaded into RAM, as they are needed to start decrypting the disk volumes upon startup.
Notwithstanding, bus monitoring attacks may be effective even against a system that does not keep the AES keys (or any other secrets) in RAM at all. This is because most efficient AES implementations rely on cached pre-computation (e.g., data tables) to speed up encryption. Although this pre-computed state is not secret, the way in which the state is accessed during AES encryption (the access pattern) does leak valuable information about the encryption key; for example, such information may be used to significantly reduce the number of possible values for the encryption key. Attempts to protect against this vulnerability have heretofore not been straightforward, because the pre-computed state is much larger than the encryption keys, which significantly increases the size of the secrets that need to be protected.
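The key-dependent table access described above, shown as an added illustration that is not part of the original text: a lookup-based AES first round (AddRoundKey followed by SubBytes) whose table indexes are a function of the key, beside a variant that reads every table entry in a fixed order so the access trace is the same for every key. Python is used only to make the access trace visible; it is not itself a constant-time implementation, and the sample block and keys are constructed values.

```python
# Added illustration, not code from the original text.
def build_sbox():
    """Generate the AES S-box: GF(2^8) multiplicative inverse, then the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3 in GF(2^8)
        q ^= q << 1                                            # q /= 3 in GF(2^8)
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)      # the four rotations, unfolded
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF                  # fold carries back, add 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; defined separately
    return sbox

SBOX = build_sbox()

def subbytes_table(block, key):
    """AddRoundKey + SubBytes by plain lookup. Returns (output, list of table
    indexes read). Each index is block[i] ^ key[i], so the addresses a bus
    monitor would observe are a direct function of the key."""
    out, trace = [], []
    for b, k in zip(block, key):
        idx = b ^ k
        trace.append(idx)
        out.append(SBOX[idx])
    return out, trace

def subbytes_scan(block, key):
    """Same output, but every entry is read in the fixed order 0..255 and the
    wanted one is kept with an arithmetic mask, so the trace never changes."""
    out, trace = [], []
    for b, k in zip(block, key):
        idx, val = b ^ k, 0
        for j in range(256):
            trace.append(j)
            mask = (((idx ^ j) - 1) >> 8) & 0xFF  # 0xFF only when j == idx, else 0x00
            val |= SBOX[j] & mask
        out.append(val)
    return out, trace

def trace_depends_on_key(fn, block, key_a, key_b):
    """True if the access trace differs between two keys for the same block."""
    return fn(block, key_a)[1] != fn(block, key_b)[1]
```

The full-scan variant removes the key dependence at the cost of 256 reads per byte instead of one, which is the performance price the paragraph above alludes to when it notes that the pre-computed state, not just the key, becomes something to protect.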
One way to mitigate such attacks is to use encrypted RAM. However, deploying the hardware needed for encrypted RAM is expensive and not practical, at least not presently. A software-based solution is thus desirable.