aeskeyfind/0000755007273400016420000000000011040032655012473 5ustar jhaldermgradaeskeyfind/aes.c0000644007273400016420000000655111040032652013413 0ustar jhaldermgrad#include #include #include #include "util.h" uint8_t sbox[256] = { //0 1 2 3 4 5 6 7 8 9 A B C D E F 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, //0 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, //1 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, //2 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, //3 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, //4 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, //5 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, //6 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, //7 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, //8 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, //9 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, //A 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, //B 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, //C 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, //D 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, //E 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 }; //F uint8_t rcon[255] = { 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb }; aeskeyfind/aes.h0000644007273400016420000000130611040032652013411 0ustar jhaldermgrad#ifndef __AES_H__ #define __AES_H__ typedef uint32_t aeskey_t[4]; typedef uint32_t keyexp_t[44]; extern uint8_t sbox[255]; extern uint8_t rcon[255]; // Perform the AES key core operation on a word. // (Assumes the standard byte order.) static inline uint32_t key_core(uint32_t k, int i) { uint32_t t = 0; for (int j=0; j<4; j++) t = set_byte(t, (j-1)%4, sbox[get_byte(k,j)]); return set_byte(t, 0, get_byte(t,0) ^ rcon[i]); } // Run each byte of a word through the sbox separately for word 4 of 256-bit AES. static inline uint32_t sbox_bytes(uint32_t k) { uint32_t r = 0; for (int j=0; j<4; j++) r = set_byte(r,j,sbox[get_byte(k,j)]); return r; } #endif//__AES_H__ aeskeyfind/aeskeyfind.c0000644007273400016420000001766711040032652014777 0ustar jhaldermgrad// AESKeyFinder 1.0 (2008-07-18) // By Nadia Heninger and Ariel Feldman #include #include #include #include #include #include #include #include extern char *optarg; extern int optind, opterr, optopt; #include #ifdef __FreeBSD__ #include #else #define err(x,y) { perror(y); exit(x); } #endif #include "util.h" #include "aes.h" #define DEFAULT_THRESHOLD 10 static long int gThreshold = DEFAULT_THRESHOLD; static int gVerbose = 0; static int gProgress = 1; // Print a key, assuming the key schedule starts at map[0]. // num_bits should be 128 or 256 // if gVerbose is on it will print the entire key schedule as well // as the constraints--the XOR of words that should XOR to 0 static void print_key(uint32_t* map, int num_bits, size_t address) { if (gVerbose) { printf("FOUND POSSIBLE %d-BIT KEY AT BYTE %zx \n\n", num_bits, address); printf("KEY: "); } int num_words = num_bits/32; for (int col = 0; col < num_words; col++) print_word(map[col]); printf("\n"); if (gVerbose) { printf("\n"); printf("EXTENDED KEY: \n"); int num_roundkeys = 0; if (num_bits == 256) num_roundkeys = 15; if (num_bits == 128) num_roundkeys = 11; for (int row=0; row= 4) break; if (column==0) print_word(key_core(map[num_words*row-1],row) ^ map[num_words*(row-1)] ^ map[num_words*row]); else if (column == 4) print_word(sbox_bytes(map[num_words*row+3]) ^ map[num_words*(row-1)+4] ^ map[num_words*row+4]); else print_word(map[num_words*row+column-1] ^ map[num_words*(row-1)+column] ^ map[num_words*row + column]); } printf("\n"); } printf("\n"); } } // Simple entropy test // // Returns true if the 176 bytes starting at location bmap[i] contain // more than 8 repeats of any byte. This is a primitive measure of // entropy, but it works well enough. The function keeps track of a // sliding window of byte counts. static int entropy(const uint8_t* bmap, int i) { static int new_call = 1; static int byte_freq[256] = {0}; if (new_call) { for (int i=0; i<176; i++) byte_freq[bmap[i]]++; new_call = 0; } int test = 0; for (int b=0; b<=0xFF; b++) { if (byte_freq[b] > 8) { test = 1; break; } } byte_freq[bmap[i]]--; byte_freq[bmap[i+176]]++; return test; } // Prints info about the program's command line options static void usage() { fprintf(stderr, "Usage: aeskeyfind [OPTION]... MEMORY-IMAGE\n" "Locates scheduled 128-bit and 256-bit AES keys in MEMORY-IMAGE.\n" "\n" "\t-v\t\tverbose output -- prints the extended keys and \n" "\t\t\tthe constraints on the rows of the key schedule\n" "\t-q\t\tdon't display a progress bar\n" "\t-t THRESHOLD\tsets the maximum number of bit errors allowed \n" "\t\t\tin a candidate key schedule (default = %d)\n" "\t-h\t\tdisplays this help message\n", DEFAULT_THRESHOLD); } // Prints the progress to stderr static void print_progress(size_t percent) { fprintf(stderr, "Keyfind progress: %zu%%\r", percent); } // The core key finding loop // // Searches for AES keys in memory image bmap with starting offsets up // to last; prints any keys found static void find_keys(const uint8_t* bmap, size_t last) { size_t percent = 0; const size_t increment = last / 100; if (gProgress) print_progress(percent); for (size_t i = 0; i < last; i++) { if (entropy(bmap,i)) continue; uint32_t* map = (uint32_t*)&(bmap[i]); // Check distance from 256-bit AES key int xor_count_256 = 0; for (size_t row = 1; row < 8; row++) { for (size_t column = 0; column < 8; column++) { if (row == 7 && column == 4) break; if (column == 0) xor_count_256 += popcount(key_core(map[8*row-1],row) ^ map[8*(row-1)] ^ map[8*row]); else if (column == 4) xor_count_256 += popcount(sbox_bytes(map[8*row+3])^ map[8*(row-1)+4] ^ map[8*row+4]); else xor_count_256 += popcount(map[8*row+column-1] ^ map[8*(row-1)+column] ^ map[8*row + column]); } if (xor_count_256 > gThreshold) break; } if (xor_count_256 <= gThreshold) print_key(map,256,i); // Check distance from 128-bit AES key int xor_count_128 = 0; for (size_t row = 1; row < 11; row++) { for (size_t column = 0; column < 4; column++) { if (column == 0) xor_count_128 += popcount(key_core(map[4*row-1],row) ^ map[4*(row-1)] ^ map[4*row]); else xor_count_128 += popcount((map[4*row + column-1] ^ map[4*(row-1)+column]) ^ map[4*row + column]); } if (xor_count_128 > gThreshold) break; } if (xor_count_128 < gThreshold) print_key(map,128,i); if (gProgress) { size_t pct = (increment > 0) ? i / increment : i * 100 / last; if (pct > percent) { percent = pct; print_progress(percent); } } } if (gProgress) { print_progress(100); fprintf(stderr, "\n"); } } // Memory maps filename and return a pointer on success, setting len // to the length of the file (does not return on error) unsigned char *map_file(char *filename, unsigned int *len) { int fd = open(filename, O_RDONLY); if (fd < 0) err(1, "image open failed"); struct stat st; if (fstat(fd, &st) != 0) err(1, "image fstat failed"); unsigned char *map; map = (unsigned char*)mmap(0, st.st_size, PROT_READ, MAP_SHARED, fd, 0); if (map == MAP_FAILED) err(1, "image mmap failed"); *len = st.st_size; return map; } int main(int argc, char * argv[]) { int ch = -1; while ((ch = getopt(argc, argv, "hvqt:")) != -1) { switch(ch) { case 'v': gVerbose = 1; break; case 'q': gProgress = 0; break; case 't': { errno = 0; char* endptr = NULL; gThreshold = strtol(optarg, &endptr, 10); if (gThreshold < 0 || errno != 0 || endptr == optarg) { fprintf(stderr, "invalid threshold\n"); usage(); exit(1); } } break; case '?': case 'h': default: usage(); exit(1); } } argc -= optind; argv += optind; if (argc != 1) { usage(); exit(1); } unsigned int len; unsigned char *image = map_file(argv[0], &len); if (len < 240) { fprintf(stderr, "memory image too small\n"); exit(1); } find_keys(image, len - 240); return 0; } aeskeyfind/LICENSE0000644007273400016420000000303611040032652013477 0ustar jhaldermgradSoftware License Agreement (BSD License) Copyright (c) 2008, Nadia Heninger and Ariel Feldman All rights reserved. Redistribution and use of this software in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the names of the authors nor the names of their institutions may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. aeskeyfind/Makefile0000644007273400016420000000025111040032652014126 0ustar jhaldermgradCFLAGS= -Wall -O4 -std=c99 OBJS= aeskeyfind.o aes.o util.o all: aeskeyfind aeskeyfind: $(OBJS) $(CC) -o aeskeyfind $(OBJS) clean: @rm -f aeskeyfind *~ \#* $(OBJS) aeskeyfind/README0000644007273400016420000000326111040032652013352 0ustar jhaldermgradAESKeyFinder 1.0 (2008-07-18) By Nadia Heninger and Ariel Feldman This program illustrates automatic techniques for locating 128-bit and 256-bit AES keys in a captured memory image, as described in Section 6.1 of the research paper: J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten. "Lest We Remember: Cold-Boot Attacks on Encryption Keys." Proc. 17th USENIX Security Symposium (Sec '08), San Jose, CA, July 2008. For more information, see: http://citp.princeton.edu/memory/ The program uses the following algorithm: 1. Iterate through each byte of the memory image. Treat the following block of 176 or 240 bytes as an AES key schedule. 2. For each word in the potential key schedule, calculate the Hamming distance from that word to the key schedule word that should have been generated from the surrounding words. 3. If the total number of bits violating the constraints on a correct AES key schedule is sufficiently small, output the key. For efficiency, it also performs a simple entropy test to filter out blocks that are not keys. It counts the number of repeated bytes and skips blocks that have too many repeats. This method works even if several bits of the key schedule have been corrupted due to memory decay. USAGE: aeskeyfind [OPTION]... MEMORY-IMAGE Options: -v verbose output -- prints the extended keys and the constraints on the rows of the key schedule -q don't display a progress bar -t THRESHOLD sets the maximum number of bit errors allowed in a candidate key schedule -h displays usage help aeskeyfind/util.c0000644007273400016420000000101111040032652013602 0ustar jhaldermgrad#include #include #include "util.h" const uint64_t m1 = 0x5555555555555555LL; // binary: 0101... const uint64_t m2 = 0x3333333333333333LL; // binary: 00110011.. const uint64_t m4 = 0x0f0f0f0f0f0f0f0fLL; // binary: 4 zeros, 4 ones ... const uint64_t h01 = 0x0101010101010101LL; // the sum of 256 to the power of 0,1,2,3... // Print a word in order byte0 byte1 byte2 byte3 void print_word(uint32_t word) { for (int byte = 0; byte < 4; byte++) printf("%02x",get_byte(word,byte)); } aeskeyfind/util.h0000644007273400016420000000215611040032652013622 0ustar jhaldermgrad#ifndef __UTIL_H__ #define __UTIL_H__ // Return bit n of vector. static inline int bit(uint32_t vector, int n) { return (vector >> n) & 1; } // Set byte n of vector to val. static inline uint32_t set_byte(uint32_t vector, int n, uint8_t val) { return (vector & ~(0xFF << (8*n))) | (val << (8*n)); } // Return byte n of vector. static inline uint8_t get_byte(uint32_t vector, int n) { return (vector >> (8*n)) & 0xFF; } extern const uint64_t m1; // binary: 0101... extern const uint64_t m2; // binary: 00110011.. extern const uint64_t m4; // binary: 4 zeros, 4 ones ... extern const uint64_t h01; // the sum of 256 to the power of 0,1,2,3... // Return the number of bits in x that are 1. static inline int popcount(uint64_t x) { x -= (x >> 1) & m1; // put count of each 2 bits into those 2 bits x = (x & m2) + ((x >> 2) & m2); // put count of each 4 bits into those 4 bits x = (x + (x >> 4)) & m4; // put count of each 8 bits into those 8 bits return (x * h01) >> 56; // returns left 8 bits of x + (x<<8) + (x<<16) + (x<<24) + ... } void print_word(uint32_t word); #endif//__UTIL_H__