No matter how much layer of security you implement on a computer there always will be one area that is protected by a simple old access control, the memory.
You can have a complex password policy, dual factor authentication, full disk encryption, file encryption which could even be extended through the use of an Information Right Management solution, for that protected information to be accessed and manipulated it needs to be decrypted into memory.
The security of that data in memory then relies on memory access control and proper segregation, I am not sure we can talk about memory sandboxing but thats the same idea. The data will, of course, also rely on the physical security of the device it is hosted on.
Gaining administrator access on that device would therefore grant you access to the full memory.
This last point is of significance.
For IRM solutions, being an administrator on a device does not necessarily mean you also have access to the users IRM protected files. The same is true for simpler file encryption solution, it can be used to protect access to documents even from system administrators.
To some extend this could be true for some full disk encryption solutions, but you would then limit what a support staff could do. Having said that, it is possible to implement a full disk encryption only on the user data space and leave the minimum boot and system filesystem unencrypted or encrypted but only giving administrators access to the area where they can support the users, not on the user data disks. To be efficient this would require a good, and probably complex to implement, temporary files handling strategy.
So why is the fact that data gets unencrypted in memory of significance?
For two main reasons:
1) System administrators on those devices could then gain access to data in use which is not accessible to them while at rest or on the move
2) Those same system administrators could also get access to other sensitive information such as personal information (date of birth from an email being written, wife or pet names, etc) which could be used to attack the user password and/or full disk encryption key. In a worst case scenario it could also mean gaining access to an unencrypted password/key stored or cashed in memory…
So we may all trust system administrators (*caugh*), but a recent article I read from Networkworld.com was referring to a report by SANS who identified memory scrapping attack as one of the most dangerous new attacks on the rise.
This type of attack attempts to gather personal identifiable information and other useful information non encrypted in memory to do what I just described, access encrypted/protected information one is not suppose to be allowed to.
Another extension of this attack could be done through the use of the FireWire or the new Thunderbolt ports. Those technologies allow for full access to the memory. This article from The Register highlights the issue by comparing the secured master/slave USB protocol and the unsecured peer-to-peer FireWire/Thunderbolt protocol.
It would seem that on devices with FireWire/thunderbolt ports an attacker with no admin access is still able to conduct memory scrapping attacks as long as he has physical access to those devices.
The above referenced article mentions an attack through the display port of a Mac, it is because “Thunderbolt is based on Displayport technology” and it is easy to think of possible attacks:
– Leave your laptop (screen locked, turned on) unattended at work or in a conference and an attacker could just walk by and plug something into your new and shiny thunderbolt port (and probably unused for quite a while until vendors starts to produce compatible products)
– You plug you laptop to a screen which has been compromised and an attacker can then gain full access to your laptop memory while you are doing a presentation.
How do you protect against those attacks?
The simple answer is that it is difficult and that right now you cannot really be protected.
You would need to choose a laptop with no Firewire/Thunderbolt ports (goodbye Apple products) or being able to disable them.
But more importantly more work to segregate access to parts of the memory may be required by future Operating Systems.
Administrator Access should no longer mean full computer access, user data should be held in a container not accessible by admins but only from the data owner or auditors.
If done correctly:
– Sys admins would still be able to support the users and their computers
– User data would be better protected against the attacks described above
– Compliance requirements and data recovery would still be met without impacting the security of the system. A very basic example is an auditor role that may not be allowed to access the user system and just allowed access to user data. It would require the disk to be physically removed from the computer. That access for the auditors could require two auditors to provide credentials to be allowed to view the data, etc.
The Security around computer memory is an area which may need more attention from vendors in future.