TUM Logo

FridgeLock: Preventing Data Theft on Suspended Linux with Usable Memory Encryption

To secure mobile devices, such as laptops and smartphones, against unauthorized physical data access, employing Full Disk Encryption (FDE) is a popular defense. This technique is effective if the device is always shut down when unattended. However, devices are often suspended instead of switched off. This leaves confidential data such as the FDE key, passphrases and user data in RAM which may be read out using cold boot, JTAG or DMA attacks. These attacks can be mitigated by encrypting the main memory during suspend. While this approach seems promising, it is not implemented on Windows or Linux. We present FridgeLock to add memory encryption on suspend to Linux. Our implementation as a Linux Kernel Module (LKM) does not require an admin to recompile the kernel. Using Dynamic Kernel Module Support (DKMS) allows for easy and fast deployment on existing Linux systems, where the distribution provides a prepackaged kernel and kernel updates. We tested our module on a range of 4.19 to 5.3 kernels and experienced a low performance impact, sustaining the system's usability. We hope that our tool leads to a more detailed evaluation of memory encryption in real world usage scenarios.

FridgeLock: Preventing Data Theft on Suspended Linux with Usable Memory Encryption

Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy

Authors: Fabian Franzen, Manuel Andreas, and Manuel Huber
Year/month: 2020/3
Booktitle: Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy
Fulltext: fridgelock.pdf

Abstract

To secure mobile devices, such as laptops and smartphones, against unauthorized physical data access, employing Full Disk Encryption (FDE) is a popular defense. This technique is effective if the device is always shut down when unattended. However, devices are often suspended instead of switched off. This leaves confidential data such as the FDE key, passphrases and user data in RAM which may be read out using cold boot, JTAG or DMA attacks. These attacks can be mitigated by encrypting the main memory during suspend. While this approach seems promising, it is not implemented on Windows or Linux. We present FridgeLock to add memory encryption on suspend to Linux. Our implementation as a Linux Kernel Module (LKM) does not require an admin to recompile the kernel. Using Dynamic Kernel Module Support (DKMS) allows for easy and fast deployment on existing Linux systems, where the distribution provides a prepackaged kernel and kernel updates. We tested our module on a range of 4.19 to 5.3 kernels and experienced a low performance impact, sustaining the system's usability. We hope that our tool leads to a more detailed evaluation of memory encryption in real world usage scenarios.

Bibtex:

@inproceedings {
author = { Fabian Franzen and Manuel Andreas and Manuel Huber},
title = { FridgeLock: Preventing Data Theft on Suspended Linux with Usable Memory Encryption },
year = { 2020 },
month = { March },
booktitle = { Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy },
url = {https://www.sec.in.tum.de/i20/publications/fridgelock-preventing-data-theft-on-suspended-linux-with-usable-memory-encryption/@@download/file/fridgelock.pdf}
}