Steve Gibson got into a technical segment at the end of this week’s Security Now about 3D XPoint Memory, in development as a collaboration between Intel and Micron, and it sounds super cool. The promise of being fast, non-volatile, and cheap? Of course! Lots of interesting things to read about it from Intel, Intel, Computer World, and Wikipedia. This memory is based on a material that can change resistance when a charge is applied, and hold that resistance until a new charge is applied.
What Gibson didn’t discuss was the security of such a thing. When you talk forensic capture, the first thing you do is image DRAM to get it before you think about cutting power to the device. DRAM provides all kind of interesting artifacts. Credentials for full disk or local file encryption. Certificates in use. Deleted files. Passwords. Processes, legit or malware. And the list goes on.
How much of the current security model is based on the assumption that DRAM is wiped once power is removed? Think back to 2008 when researchers out of Princeton came out that they could freeze DRAM to allow it to be moved without erasing its memory. But that was just the chance to hold onto memory for seconds. What if DRAM was replaced by this 3D XPoint as Intel is suggesting? I think it is a surmountable problem, but one that merits discussion.
Other segments to note:
Microsoft’s Golden Key – After hearing for over a week about this golden key that Microsoft failed to keep, it’s amazing that Gibson is the first I heard to call out that it really wasn’t a golden key at all! I heard a second questioning of this on this week’s Risky Business. Upon consideration, it makes perfect sense that the tech media would get this story wrong after the completely biased approach the tech media took in general to the iPhone unlock saga of a few months ago (this blog almost started many times during that bit of drama). What get’s Security Now into my top four is Steve’s desire to actually understand what he’s reading, and not just parrot back new stories (props to Risky Biz as well in this case, but no surprise, Risky is the best Info Sec podcast out there).
Airgap jumping over HD sounds – I guess this is interesting research, but at 180 bits per minute, I don’t see much value. Gibson’s claim that one might get a 4096-bit key out over the course over 22 minutes and thus this isn’t completely worthless strikes me as unconvincing. This is a scenario where someone can get to your airgaped system, install with the appropriate access (I’m figuring must be root/admin), remain close enough to get a microphone nearby, and still not just get the key seems pretty far fetched.