RamCrypt: Kernel-based Address Space Encryption for User-mode Processes


1 2 3

Abstract

We present RamCrypt, a solution that allows unmodified Linux processes to transparently work on encrypted data. RamCrypt can be deployed and enabled on a per-process basis without recompiling user-mode applications. In every enabled process, data is only stored in cleartext for the moment it is processed, and otherwise stays encrypted in RAM. In particular, the required encryption keys do not reside in RAM, but are stored in CPU registers only. Hence, RamCrypt effectively thwarts memory disclosure attacks, which grant unauthorized access to process memory, as well as physical attacks such as cold boot and DMA attacks. In its default configuration, RamCrypt exposes only up to 4 memory pages in cleartext at the same time. For the nginx web server serving encrypted HTTPS pages under heavy load, the necessary TLS secret key is hidden for 97% of its time.

Paper: RamCrypt (by Johannes Götzfried, Tilo Müller, Gabor Drescher, Stefan Nürnberger, and Michael Backes)
Slides: RamCrypt Slides (presented at ASIACCS'16, Xi'an, Shaanxi, China)

Installation

To install and use RamCrypt, follow these steps:

  1. Download the Linux Kernel (Version 3.19) and patch it using the kernel patch provided below.
  2. Activate the option RAMCRYPT when configuring the kernel with make menuconfig. For this to work, you need to disable swapping and enable TRESOR. Any key acquiring method that is provided by TRESOR should work with RamCrypt.
  3. Build, install and boot the patched kernel. uname -a should now show a kernel version that contains -ramcrypt.
  4. Flag any binary for which you want to enable RamCrypt using the command line utility provided below.
  5. Anytime a process is spawned by executing the flagged binary, the address space of this process and all child processes will be encrypted within main memory. This holds true until a new non-flagged binary is executed by the process.

Get the Code

Implementation:
ramcrypt-linux-3.19.patch: RamCrypt patch for the Linux Kernel (Version 3.19)
rcelf.tar.bz2: Command line utility to enable or disable RamCrypt for a given ELF file