06-09, 10:30–11:30 (America/New_York), Grand Salon
We present the design and construction of a robot that reliably extracts contents of RAM of modern embedded devices at runtime. We discuss the practical engineering challenges and solutions of adapting the traditional cold-boot attack to non-removable DDR chips commonly found on modern embedded devices. Lastly, we present a practical guide to building your own cryo-mem rig from COTS parts for less than a thousand bucks.
Have you noticed that embedded hardware is getting harder to reverse? BGA chips, massively integrated packages, vertical stackups, encrypted firmware at rest, and a pinch of "no JTAG or UART" have become standard fare. While these artifacts do not correlate to material improvements in device security, you can't prove it because you can't dump the firmware or debug the hardware. Skip the noise and change up the game. Sometimes it's easier to just grab unencrypted firmware from live RAM. All you have to do is keep the chips at -50C on a running system, pull all the chips off on the same CPU instruction, and slap them on an FPGA that sort of respects the DDR state machine, all without punching a hole in your device, causing shorts due to condensation, or freezing your eyebrows off. We'll show you how to build a robot to do this in an afternoon for about a thousand dollars.
Cryogenic mechanical memory extraction provides a means to obtain a device's volatile memory content at run-time. Numerous prior works have demonstrated successful exploitation of the memory remanence effect on modern computers and mobile devices. While this approach is arguably one of the most direct paths to reading a target device's physical RAM content, several significant limitations exist. For example, prior works were done either on removable memory with standardized connectors, or with the use of a custom kernel/bootloader.
We present a generalized and automated system that performs reliable RAM content extraction against modern embedded devices. Our cryo-mechanical apparatus is built using low-cost hardware that is widely available, and supports target devices using single or multiple DDR1|2|3 memory modules. We discuss several novel techniques and hardware modifications that allow our apparatus to exceed the spatial and temporal precision required to reliably perform memory extraction against modern embedded systems that have memory modules soldered directly onto the PCB, and use custom memory controllers that spread bits of each word of memory across multiple physical RAM chips.
Ang Cui is an American cybersecurity researcher and entrepreneur. He is the founder and CEO of Red Balloon Security in New York City, a cybersecurity firm that develops new technologies to defend embedded systems against exploitation.
Yuanzhe Wu (Hans) received a Master of Science in Mechanical Engineering degree with a specialization in robotics and control from Columbia University in 2019. He has 5 years of experience in embedded device security analysis and is RBS's leading hardware and firmware reverse engineering expert. Mr. Wu was the engineering lead for the cold-boot robot work as well as for recent work examining the root of trust in Siemens PLC secure boot implementations.