BootJacker: Compromising computers using forced restarts

Ellick M. Chan; Jeffrey C. Carlyle; Francis M. David; Reza Farivar; Roy H. Campbell

doi:10.1145/1455770.1455840

BootJacker: Compromising computers using forced restarts

Ellick M. Chan, Jeffrey C. Carlyle, Francis M. David, Reza Farivar, Roy H. Campbell

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

BootJacker is a proof-of-concept attack tool which demonstrates that authentication mechanism', employed by an operating 'ystem can be bypassed by obtaining physical access and simply forcing a restart. The key insight that enables this attack is that the contents of memory on some machines are fully preserved across a warm boot. Upon a reboot, BootJacker uses this residual memory state to revive the original host operating system environment and run malicious payloads. Using BootJacker, an attacker can break into a locked user session and gain access to open encrypted disks, web browser sessions or other secure network connections. BootJacker's non-persistent design makes it possible for an attacker to leave no traces on the victim machine.

Original language	English (US)
Title of host publication	Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS'08
Pages	555-564
Number of pages	10
DOIs	https://doi.org/10.1145/1455770.1455840
State	Published - 2008
Event	15th ACM conference on Computer and Communications Security, CCS'08 - Alexandria, VA, United States Duration: Oct 27 2008 → Oct 31 2008

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)	1543-7221

Other

Other	15th ACM conference on Computer and Communications Security, CCS'08
Country/Territory	United States
City	Alexandria, VA
Period	10/27/08 → 10/31/08

Keywords

Attacks
Memory remanence
Security

ASJC Scopus subject areas

Software
Computer Networks and Communications

Online availability

10.1145/1455770.1455840

Library availability

Discover UIUC Full Text

Cite this

BootJacker: Compromising computers using forced restarts. / Chan, Ellick M.; Carlyle, Jeffrey C.; David, Francis M. et al.
Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS'08. 2008. p. 555-564 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Chan, EM, Carlyle, JC, David, FM, Farivar, R & Campbell, RH 2008, BootJacker: Compromising computers using forced restarts. in Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS'08. Proceedings of the ACM Conference on Computer and Communications Security, pp. 555-564, 15th ACM conference on Computer and Communications Security, CCS'08, Alexandria, VA, United States, 10/27/08. https://doi.org/10.1145/1455770.1455840

@inproceedings{0d941f59a89d4495b8d9ed19ca919764,

title = "BootJacker: Compromising computers using forced restarts",

abstract = "BootJacker is a proof-of-concept attack tool which demonstrates that authentication mechanism', employed by an operating 'ystem can be bypassed by obtaining physical access and simply forcing a restart. The key insight that enables this attack is that the contents of memory on some machines are fully preserved across a warm boot. Upon a reboot, BootJacker uses this residual memory state to revive the original host operating system environment and run malicious payloads. Using BootJacker, an attacker can break into a locked user session and gain access to open encrypted disks, web browser sessions or other secure network connections. BootJacker's non-persistent design makes it possible for an attacker to leave no traces on the victim machine.",

keywords = "Attacks, Memory remanence, Security",

author = "Chan, {Ellick M.} and Carlyle, {Jeffrey C.} and David, {Francis M.} and Reza Farivar and Campbell, {Roy H.}",

year = "2008",

doi = "10.1145/1455770.1455840",

language = "English (US)",

isbn = "9781595938107",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

pages = "555--564",

booktitle = "Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS'08",

note = "15th ACM conference on Computer and Communications Security, CCS'08 ; Conference date: 27-10-2008 Through 31-10-2008",

}

TY - GEN

T1 - BootJacker

T2 - 15th ACM conference on Computer and Communications Security, CCS'08

AU - Chan, Ellick M.

AU - Carlyle, Jeffrey C.

AU - David, Francis M.

AU - Farivar, Reza

AU - Campbell, Roy H.

PY - 2008

Y1 - 2008

N2 - BootJacker is a proof-of-concept attack tool which demonstrates that authentication mechanism', employed by an operating 'ystem can be bypassed by obtaining physical access and simply forcing a restart. The key insight that enables this attack is that the contents of memory on some machines are fully preserved across a warm boot. Upon a reboot, BootJacker uses this residual memory state to revive the original host operating system environment and run malicious payloads. Using BootJacker, an attacker can break into a locked user session and gain access to open encrypted disks, web browser sessions or other secure network connections. BootJacker's non-persistent design makes it possible for an attacker to leave no traces on the victim machine.

AB - BootJacker is a proof-of-concept attack tool which demonstrates that authentication mechanism', employed by an operating 'ystem can be bypassed by obtaining physical access and simply forcing a restart. The key insight that enables this attack is that the contents of memory on some machines are fully preserved across a warm boot. Upon a reboot, BootJacker uses this residual memory state to revive the original host operating system environment and run malicious payloads. Using BootJacker, an attacker can break into a locked user session and gain access to open encrypted disks, web browser sessions or other secure network connections. BootJacker's non-persistent design makes it possible for an attacker to leave no traces on the victim machine.

KW - Attacks

KW - Memory remanence

KW - Security

UR - http://www.scopus.com/inward/record.url?scp=66149170813&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=66149170813&partnerID=8YFLogxK

U2 - 10.1145/1455770.1455840

DO - 10.1145/1455770.1455840

M3 - Conference contribution

AN - SCOPUS:66149170813

SN - 9781595938107

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 555

EP - 564

BT - Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS'08

Y2 - 27 October 2008 through 31 October 2008

ER -

BootJacker: Compromising computers using forced restarts

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this