Below is a listing of some of the current literature and research describing physical memory attacks on computer systems.
Memory chips used in most computers retain their contents for seconds to minutes after power is lost, leaving the contents available for malicious or forensic acquisition. This research paper describes how encryption keys for most popular disk encryption systems can be obtained through cold boot attacks.
Tags: Cold Boot Attack, Encryption Keys
A 2013 research paper that verifies previous research around cold boot attacks using 17 systems and system configurations.
Tags: Cold Boot Attack, Encryption Keys
A white paper describing how malware that uses the Direct Memory Access (DMA) functionality of modern microprocessors gives attackers a way to access sensitive information in memory. DMA refers to the capability of peripheral system hardware to transfer data to or from main memory without the involvement of the CPU. This feature is intended to improve system performance, but comes at the expense of centralized memory access enforcement.
Tags: DMA Attack, Malware, Rootkit
This DEFCON 20 conference presentation and associated white paper highlight the ease with which hardware systems can be compromised via backdoors that are not detected by anti-virus.
Tags: Hardware Backdoor, Rootkit, Bootkit
A research paper highlighting that some hardware interfaces are vulnerable to Direct Memory Access (DMA) attack, including a proof of concept that integrates FireWire attacks into Metasploit.
Tags: DMA Attack, Memory Extraction Attacks, Metasploit
A University of Cambridge research paper highlighting that static Random Access Memory at low temperatures retains its contents and can be accessed to compromise security materials.
Tags: Cold Boot Attack, Memory Extraction Attacks
A presentation describing the role of hardware including methods such as Direct Memory Access (DMA) in software attacks.
Tags: DMA Attack, Privilege Escalation
A VIKING Technology press release announcing Non-volatile Dynamic Random Access Memory (DRAM) technology that retains contents in memory even in the event of power failure.
Tags: NVDIMM, Cold Boot Attacks
A presentation highlighting a proof of concept attack on a Broadcom NetXtreme network interface card (NIC) that provides Direct Memory Access.
Tags: DMA Attack, Rootkit
An IEEE Xplore article surveying I/O-based attacks on Intel x86 architectures.
Tags: DMA Attack, NIC, PCI
A research paper from the French Network and Information Security Agency (ANSSI) describing how Network Interface Cards can be compromised to take control of a system.
Tags: DMA Attack, NIC
An IEEE Xplore article surveying methods of inspecting and analyzing the operational state of computers for the purpose of digital forensics. The tools used for legitimate purposes could also be used for illegitimate purposes.
Tags: DMA Attack, PCI
A research paper describing how to perform memory forensics on a target system. The paper demonstrates how memory can be dumped and operating systems can be compromised.
Tags: FireWire, DMA Attack
A seminar presentation from the CanSecWest conference showing how an attacker could remotely exploit a particular network card model.
Tags: DMA Attack, Rootkit, NIC
Presentation by researchers at France’s Network and Information Security Agency (ANSSI) describing how compromised network interface cards can be used to compromise a host system.
Tags: DMA Attack, NIC, PCI
VIKING Technologies' Non-Volatile Dual Inline Memory Module (NVDIMM) retains memory even in the event of a power failure.
Tags: NVDIMM
A research paper from Invisible Things Lab describing novel practical attacks on System Management Mode (SMM) memory (SMRAM) that exploit CPU caching semantics of Intel-based systems. System Management Mode (SMM) is the most privileged CPU operation mode on x86 architectures.
Tags: SMM, Trusted Execution Technologies, TXT
A presentation describing how Network Interface Card (NIC) firmware can be modified to gain access to systems.
Tags: NIC, DMA Attack
A university research paper explaining how tools available for forensic acquisition and analysis can access volatile memory (RAM).
Tags: DMA Attack, Windows
A research paper explaining a procedure for acquiring volatile memory using a hardware expansion card that can copy memory to an external storage device.
Tags: PCI, DMA Attack
TRESOR and similar systems strive to confine the encryption key and encryption process itself to the CPU so that sensitive key material is never released into system memory where it could be accessed by a DMA attack. This paper describes how such systems are nonetheless vulnerable to DMA attack.
Tags: DMA Attack, TRESOR, Memory Encryption
A research paper describing the design and implementation of an isolated execution environment on commodity x86 platforms that only relies on the CPU, without needing to trust the memory, buses, peripherals, or any other system components.
Tags: Secure Execution, Cache-as-RAM
A research paper describing how memory containing cryptographic keys can be exposed along with mechanisms to deal with the exposure of cryptographic keys caused by memory disclosure attacks. The suggested countermeasures can secure small portions of memory.
Tags: DMA Attack, Memory Encryption
A research paper describing TRESOR, a Linux kernel patch that implements the AES encryption algorithm and its key management solely on the microprocessor. Instead of using RAM to store encryption materials, TRESOR ensures that all encryption states as well as the secret key and any part of it are only stored in processor registers throughout the operational time of the system.
Tags: Cold Boot Attack, TRESOR