On Mon, Feb 25, 2008 at 10:00 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
> Actually the BIOS executes from EPROM or Flash memory until it's initialised 
> the system memory.
> Otherwise, how would it work before it's initialised system memory?

  The BIOS machine code is stored in ROM, but its stack and heap
exist in RAM, just like any other program.  One of the first things
the BIOS code does at POST is initialize RAM so that it has a place to
store its stack.  Without a stack, you're limited to four 16-bit CPU
registers (BIOS is real mode) -- a total of eight bytes of storage.
You can't do much with that.

  If you're not familiar with machine-level programming: "Stack" and
"heap" are the places in RAM where a program stores its data.
"Variables" get stored in RAM.  Without RAM, you have no variables.
Function calls are also impossible, as without a call stack, the
system can't save function context, or restore it on function return.

>  So, prior to initialising system memory it could ask the user for a 
> password/PIN that is stored
> in non-volatile or CMOS or something.

  No, it couldn't.  In order to ask the user anything, it needs to
have storage (RAM) for the keyboard input buffer and the password the
user enters.  I believe you need a buffer to initialize the video
display, too, but I can't swear to that.

  If you still don't believe me: Pull the RAM out of a computer and turn it on.

>  Also, full-disk encryption technologies that are embedded in the hardware of 
> modern hard disks typically
> do not store keys in RAM. The user enters the PIN that's required to have the 
> controller release the key.

  The PIN would then pass through RAM.  Again, I'm not commenting on
how practical the attack vector actually is, I'm just saying you can't
get around the issue of data in RAM for a user-provided key.  That
said, the PIN only has to be in RAM briefly (once the disk is
unlocked, you don't need the PIN until the disk is reset).  You could
then sanitize the RAM used for the PIN.

  And, of course, if you're allowing a simple password to unlock the
hard disk, you're giving up things like two-factor authentication or a
strong key.  I'd say the threat posed by this "recover from RAM"
attack is a lot smaller than the threat posed by a weak password,
shoulder surfing, brute-force PIN guessing attack, etc.

-- Ben
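The point Ben makes about the PIN only needing to be in RAM briefly, and the RAM then being sanitized, is illustrated by the following C example. It is added here and is not code from the thread or from any disk vendor's firmware: the "controller" PIN check is a hypothetical stand-in (a constructed reference PIN compared in constant time), and `unlock_disk`, `secure_zero` and `demo_unlock` are names chosen for this example. The part worth noticing is `secure_zero`: a plain `memset()` on a buffer that is never read again can legally be dropped by the compiler as a dead store, so the scrub is done through a `volatile` pointer, which is the same idea behind C11's `memset_s` and the BSD/glibc `explicit_bzero`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PIN_MAX 16

/* Constructed reference PIN for the example; a real controller would
   hold its own secret and never expose it to the host. */
static const unsigned char REFERENCE_PIN[] = "4821";
#define REFERENCE_LEN (sizeof(REFERENCE_PIN) - 1)

/* Scrub a buffer through a volatile pointer so the compiler cannot treat
   the stores as dead and elide them the way it may with a plain memset(). */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Constant-time comparison: the loop does not exit early on the first
   mismatching byte, so timing does not leak how much of the PIN matched. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Hypothetical unlock step. 'scratch' is the host RAM the typed PIN passes
   through; it is scrubbed on every path out of the function, so the PIN is
   resident in RAM only for the duration of the check itself.
   Returns 1 if the disk is unlocked, 0 otherwise. */
int unlock_disk(const char *typed_pin, unsigned char *scratch, size_t scratch_len)
{
    size_t len = strlen(typed_pin);
    int ok = 0;

    if (len <= PIN_MAX && len < scratch_len) {
        memcpy(scratch, typed_pin, len);      /* PIN is now in RAM: the window */
        if (len == REFERENCE_LEN && ct_equal(scratch, REFERENCE_PIN, len))
            ok = 1;
    }
    secure_zero(scratch, scratch_len);        /* close the window, success or not */
    return ok;
}

/* Returns 1 if every byte of the buffer is zero. */
int buffer_is_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Drives one unlock attempt against a scratch buffer pre-filled with stale
   (constructed) contents. Returns 2 = unlocked and buffer scrubbed,
   1 = rejected and buffer scrubbed, -1 = PIN material left behind in RAM. */
int demo_unlock(const char *typed_pin)
{
    unsigned char scratch[32];
    memset(scratch, 0xAA, sizeof scratch);
    int ok = unlock_disk(typed_pin, scratch, sizeof scratch);
    if (!buffer_is_zero(scratch, sizeof scratch))
        return -1;
    return ok ? 2 : 1;
}

int main(void)
{
    const char *attempts[] = { "4821", "0000", "this-pin-is-far-too-long" };
    for (size_t i = 0; i < sizeof attempts / sizeof attempts[0]; i++)
        printf("PIN %-26s -> result %d\n", attempts[i], demo_unlock(attempts[i]));
    return 0;
}
```

The scrub closes the window for the scratch buffer, but not for every copy: the keyboard input buffer, any C library or OS buffer the string passed through, and the controller's own RAM are outside this function's reach, which is why the window can be shortened but not eliminated, exactly as the message above says.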
