Prosecution based on memory forensics

[David Shaw]

On Jan 12, 2011, at 10:54 PM, Robert J. Hansen wrote:

> When you close a laptop, Windows (or Mac OS X, or Linux, or what-have-you) takes a snapshot of memory contents and writes it to disk.  This can be a really big problem, since encryption keys, passphrases, and so forth are written out in the process.  For instance, if you have gpg-agent set up to cache your passphrase, your passphrase will probably be written to the hibernation file, unless the GnuPG devs have taken heroic measures to prevent this.

We've taken some measures, but they are not infallible (it's hard for them to be infallible since hibernation can happen at a layer below us - and we don't necessarily get any notification in userspace that we're about to be suspended).  In short, don't count on GnuPG alone to save you here.

The manual mentions this:

       Note also that some systems (especially laptops) have  the  ability  to
       ``suspend  to  disk''  (also known as ``safe sleep'' or ``hibernate'').
       This writes all memory to disk before going into a low  power  or  even
       powered off mode.  Unless measures are taken in the operating system to
       protect the saved memory, passphrases or other sensitive  material  may
       be recoverable from it later.

So GnuPG can't do this alone, but there are ways to configure GnuPG alongside other packages and/or the OS to be safe(r) here.  For example, if you can arrange to run some commands as you are hibernating, you could get gpg-agent to dump its passphrase, etc.

This is similar in many ways to the old "key material ending up in swap" problem, though that was considerably easier to deal with since userspace had the necessary tools so GnuPG could handle the whole problem by itself.

David