Cold Boot Attacks

There has been a little fuss about cold boot attacks recently, and I've been thinking about it. While it cannot be prevented altogether on the software/firmware side, it can be made harder to orchestrate. First, all macs for a long time now have come with a feature called "Automatic reboot after power failure." It can still be found now under energy saver in the system preferences dialogue. This was achieved by an Open Firmware extension, and with Intel Macs an EFI extension. The logical thing to do to prevent against cold boot attacks that involve booting off of a USB key is to have the power failure extension clear the key from RAM by writing zeros to it if there is an encrypted disk. Since Open Firmware loads before the operating system, the key will be long gone before that pen drive operating system has a chance to load. An even simpler way to do it would be to just set the firmware to clear the contents of memory, commonly known as ECC, or Error Correcting Ram.

Preventing against the transferring to another computer would involve more difficulties, since the cutting of power can't be anticipated. The best way to do this would be to use a kind of volatile RAM that does lose its contents immediately. However, a way to do this software level is to clear the key when the computer goes to sleep, then require the user to enter the password to get the key once the computer wakes up again. Of course, the best defense is still shutting down your machine until it goes into ACPI G3 mode (off).