DRAM is not a safe place to store your secrets due to cold boots, so it gets stored in SRAM (which includes registers and L1/L2 cache) instead.
Buuuuut, you might be able to dump SRAM across boots with this technique.
If I understand correctly: SRAM/cache/registers all require a lower voltage to maintain their state than the cpu requires to run.
So attach that intermediate voltage on the VCC pin closest to/running the SRAM and pull the plug on everything else. I guess they’re either not cross-connected internally or the choice of voltage stops that from being a problem. Just don’t let your voltage sag lower than required to maintain the SRAM.
Now your cache/registers/SRAM are maintained. Power up with JTAG or a custom/debugging bootrom/mode that hopefully doesn’t overwrite much/any and dump away.
> Our experiments across various devices reveal that hardware SRAM resets during boot are uncommon. Most boot with undefined SRAM states, persisting until overwritten by software.
Chips often have multiple VCC pins exactly because otherwise there is voltage drop across the chip. This is a hard problem. For chips where this is a security issue, I guess one answer may be to do voltage distribution on the interposer, since fewer attackers can deal with a raw die.
If I understood the article correctly; the different on-chip elements have separate power supplies.
Makes sense: you might want to turn off the CPU but keep the SRAM/cache/etc running for hibernation, and that’s controlled externally for some reason (?)
You're right, that was the hole here. The reply by Tuna-Fish gives the correct reason for this setup (different voltages). The actual power converter usually needs at least an off-chip capacitor, even if the logic is integrated, because that's too large to be cost-efficient in silicon; so there might be an opening even if as much as possible was integrated - haven't thought that through though.
It's not normally controlled externally, but the power comes from an external source, and as the different parts of the chip want different voltages, they connect to different power sources. If you control everything outside the chip and cut the supply to parts of it, there is little that the chip can do about it, even if it normally controls distribution.
This looks like another extremely obscure attack vector which is largely leveraged only to secure devices against their rightful owners.
Physical access to these devices leads to a wide range of security exploits
Physical ownership = real ownership. That's how it's always been and should've stayed that way, if it weren't for the greedy megacorps. Valid exceptions to this level of paranoia are state secrets and other military-adjacent applications.
> Physical ownership = real ownership. That's how it's always been and should've stayed that way, if it weren't for the greedy megacorps.
Playing devil's advocate, what are your security expectation when someone steals your device? Is it acceptable that they immediately gain control of all services available through your them, such as email address, bank accounts, and investment portfolios?
> Playing devil's advocate, what are your security expectation when someone steals your device? Is it acceptable that they immediately gain control of all services available through your them, such as email address, bank accounts, and investment portfolios?
Legally they have no right to anything. Physically, they access whatever they access. That's how it's been forever. I don't get the point of the question.
What are you talking about? The scenario involves someone stealing from you. Do you think the legality of it is a dissuasion?
Also, OP's point was that "Physical ownership = real ownership."
> Physically, they access whatever they access. That's how it's been forever. I don't get the point of the question.
The whole point is that that's not the expectation or desire of every single person around you. Not one.
That's the fact you're not understanding. The ability to lock down a device and prevent unauthorized third parties from accessing it is a strong ask by everyone, not only "megacorps". The ability to track down and remotely pull a kill switch are sold as premium features by some manufacturers. Mobile operators have for a long time the ability to block cellphones by IMEI to prevent theft. A very popular product from one of the biggest companies in the world is a small tag that consumers can attack to their property to be able to find them and recover them.
And in spite of all these facts, are we suppose to pretend no one wants control access to their hardware to prevent unauthorized access from third parties?
> Also, OP's point was that "Physical ownership = real ownership."
You don't have "ownership" over something you stole. You have possession of it. Possession != ownership.
> The whole point is that that's not the expectation or desire of every single person around you. Not one.
Then you're misunderstanding what people are arguing. People want the owner to be the ultimate authority. The owner gets to encrypt what they like, expose what they like, track what they like, trust megacorp they like, etc. And if a thief steals the device, they get whatever they get as a result of the owner's decisions. Which could be all their data, or a visit from the local police, depending on how the owner prepared for it.
> You don't have "ownership" over something you stole. You have possession of it. Possession != ownership.
You need to develop your functional literacy skills because you clearly are failing to even understand the topics being discussed, let alone the arguments going either way.
You were literally saying "not one" person (period!) wants the ability to control their own device. Clearly such people exist, even if we aren't the majority.
What is wrong about the OPs arguments that suggests a failure of literacy on their part?
If you want a device that is locked down by the manufacturer so it only runs software they approve of, in the name of security, that is a tradeoff you should be allowed to make, and the free market is ready to accomodate your desire. Unfortunately, those of us who want the opposite are not so lucky currently.
Is it really impossible to see for you why some people have a problem with this situation persisting, and with comments like yours further normalizing it?
Hi, also chiming in as someone who also would like to stop cheering when these kinds of vulnerabilities are found, and I'll do it when manufacturers stop treating me, the person buying their products, like the thief in your example.
It's an attack vector that means some of the protection you thought you had if your device is lost or stolen can be bypassed.
You seem to feel there is no benefit to this protection (from non-owners of the device), and instead is protecting the device from the owner. Would you care to expand on that?
I don't know why you are being downvoted. I also clicked on the link expecting another article on exploits being found on cycling gear. Last week I posted one about Shimano. The top comment was a joke about SRAM.
Cool article;
Layman’s article: https://cacm.acm.org/research-highlights/technical-perspecti...
Also seems like ACM republished the author’s paper from 2022? https://dl.acm.org/doi/pdf/10.1145/3503222.3507710
My summary:
DRAM is not a safe place to store your secrets due to cold boots, so it gets stored in SRAM (which includes registers and L1/L2 cache) instead.
Buuuuut, you might be able to dump SRAM across boots with this technique.
If I understand correctly: SRAM/cache/registers all require a lower voltage to maintain their state than the cpu requires to run.
So attach that intermediate voltage on the VCC pin closest to/running the SRAM and pull the plug on everything else. I guess they’re either not cross-connected internally or the choice of voltage stops that from being a problem. Just don’t let your voltage sag lower than required to maintain the SRAM.
Now your cache/registers/SRAM are maintained. Power up with JTAG or a custom/debugging bootrom/mode that hopefully doesn’t overwrite much/any and dump away.
> Our experiments across various devices reveal that hardware SRAM resets during boot are uncommon. Most boot with undefined SRAM states, persisting until overwritten by software.
Oops.
Chips often have multiple VCC pins exactly because otherwise there is voltage drop across the chip. This is a hard problem. For chips where this is a security issue, I guess one answer may be to do voltage distribution on the interposer, since fewer attackers can deal with a raw die.
If I understood the article correctly; the different on-chip elements have separate power supplies.
Makes sense: you might want to turn off the CPU but keep the SRAM/cache/etc running for hibernation, and that’s controlled externally for some reason (?)
You're right, that was the hole here. The reply by Tuna-Fish gives the correct reason for this setup (different voltages). The actual power converter usually needs at least an off-chip capacitor, even if the logic is integrated, because that's too large to be cost-efficient in silicon; so there might be an opening even if as much as possible was integrated - haven't thought that through though.
It's not normally controlled externally, but the power comes from an external source, and as the different parts of the chip want different voltages, they connect to different power sources. If you control everything outside the chip and cut the supply to parts of it, there is little that the chip can do about it, even if it normally controls distribution.
> So attach that intermediate voltage on the VCC pin closest to/running the SRAM and pull the plug on everything else.
Isn't easier to just read the password from the hard drive ? You already have access.
This looks like another extremely obscure attack vector which is largely leveraged only to secure devices against their rightful owners.
Physical access to these devices leads to a wide range of security exploits
Physical ownership = real ownership. That's how it's always been and should've stayed that way, if it weren't for the greedy megacorps. Valid exceptions to this level of paranoia are state secrets and other military-adjacent applications.
> Physical ownership = real ownership. That's how it's always been and should've stayed that way, if it weren't for the greedy megacorps.
Playing devil's advocate, what are your security expectation when someone steals your device? Is it acceptable that they immediately gain control of all services available through your them, such as email address, bank accounts, and investment portfolios?
> Playing devil's advocate, what are your security expectation when someone steals your device? Is it acceptable that they immediately gain control of all services available through your them, such as email address, bank accounts, and investment portfolios?
Legally they have no right to anything. Physically, they access whatever they access. That's how it's been forever. I don't get the point of the question.
> Legally they have no right to anything.
What are you talking about? The scenario involves someone stealing from you. Do you think the legality of it is a dissuasion?
Also, OP's point was that "Physical ownership = real ownership."
> Physically, they access whatever they access. That's how it's been forever. I don't get the point of the question.
The whole point is that that's not the expectation or desire of every single person around you. Not one.
That's the fact you're not understanding. The ability to lock down a device and prevent unauthorized third parties from accessing it is a strong ask by everyone, not only "megacorps". The ability to track down and remotely pull a kill switch are sold as premium features by some manufacturers. Mobile operators have for a long time the ability to block cellphones by IMEI to prevent theft. A very popular product from one of the biggest companies in the world is a small tag that consumers can attack to their property to be able to find them and recover them.
And in spite of all these facts, are we suppose to pretend no one wants control access to their hardware to prevent unauthorized access from third parties?
> Also, OP's point was that "Physical ownership = real ownership."
You don't have "ownership" over something you stole. You have possession of it. Possession != ownership.
> The whole point is that that's not the expectation or desire of every single person around you. Not one.
Then you're misunderstanding what people are arguing. People want the owner to be the ultimate authority. The owner gets to encrypt what they like, expose what they like, track what they like, trust megacorp they like, etc. And if a thief steals the device, they get whatever they get as a result of the owner's decisions. Which could be all their data, or a visit from the local police, depending on how the owner prepared for it.
> You don't have "ownership" over something you stole. You have possession of it. Possession != ownership.
You need to develop your functional literacy skills because you clearly are failing to even understand the topics being discussed, let alone the arguments going either way.
You were literally saying "not one" person (period!) wants the ability to control their own device. Clearly such people exist, even if we aren't the majority.
What is wrong about the OPs arguments that suggests a failure of literacy on their part?
If you want a device that is locked down by the manufacturer so it only runs software they approve of, in the name of security, that is a tradeoff you should be allowed to make, and the free market is ready to accomodate your desire. Unfortunately, those of us who want the opposite are not so lucky currently.
Is it really impossible to see for you why some people have a problem with this situation persisting, and with comments like yours further normalizing it?
Hi, also chiming in as someone who also would like to stop cheering when these kinds of vulnerabilities are found, and I'll do it when manufacturers stop treating me, the person buying their products, like the thief in your example.
It's an attack vector that means some of the protection you thought you had if your device is lost or stolen can be bypassed.
You seem to feel there is no benefit to this protection (from non-owners of the device), and instead is protecting the device from the owner. Would you care to expand on that?
Oh, that SRAM. I once again forgot about the other SRAM and was imagining Bauke Mollema going through HN, reading this and cursing them one more time.
[0] https://www.youtube.com/watch?v=Tsk3zAZyLaQ
Or Andy Schleck https://www.youtube.com/shorts/fRWHIKE-aHM
and I'm in the same boat. Or bike, as it were, what with hours of watching the Tour this month.
Ha, I was trying to parse the headline thinking about the same SRAM.
I don't know why you are being downvoted. I also clicked on the link expecting another article on exploits being found on cycling gear. Last week I posted one about Shimano. The top comment was a joke about SRAM.
https://news.ycombinator.com/item?id=44614837