0.1.8 RAM — the desk

In one line: RAM is the working space where your computer keeps everything it’s currently using — and everything in there is in plaintext, until the power goes off.

A DDR4 RAM module.
A RAM stick looks boring. During runtime, it can hold passwords, tokens, decrypted files, malware, and the exact story of what the machine is doing. Image: Wikimedia Commons, RAM Module (SDRAM-DDR4).jpg.

A story — the magnetic donuts of the 1950s

The first practical computer memory wasn’t silicon. It was literally tiny ceramic donuts.

In the early 1950s, MIT professor Jay Forrester invented magnetic core memory. Each bit was a donut of ferrite ceramic about a millimetre wide, threaded with three wires. Pulse the wires one way, and the donut magnetised “north” = 1. Pulse the other way, “south” = 0. To read a bit, you tried to flip it — if it changed, it was a 0; if not, a 1. Reading destroyed the bit, so you had to write it back immediately. Computers had whole rooms full of these things, hand-woven by women called “core stringers” — IBM’s primary suppliers were textile mills.

In 1968 Intel started selling DRAM (Dynamic RAM) — silicon chips that did the same job a million times faster, at a tiny fraction of the size. Core memory was dead in a decade. But the name stuck — the operating system kernel’s memory image is still called a core dump, fifty years after the last ceramic donut was strung.

What’s actually going on

RAM (Random Access Memory) is the computer’s working memory — the desk surface. When you double-click a program:

  1. The OS reads the program file from storage (slow).
  2. It copies the program’s instructions and data into RAM (fast access from now on).
  3. The CPU executes from RAM, billions of times per second.

It’s called “random access” because the CPU can jump to any byte directly — unlike a tape, where you’d have to spool through everything. Modern desktops typically have 16–64 GB. Servers run 256 GB to multiple TB.

RAM is volatile: the moment you cut power, every bit returns to garbage within seconds. That’s the trade-off you make for the speed.

DRAM works by storing each bit as charge in a tiny capacitor. The capacitor leaks charge over milliseconds, so the memory controller has to refresh every cell thousands of times per second — read and rewrite each row. That refresh cycle is also the basis for the Rowhammer family of attacks.

Why a hacker cares

RAM is the goldmine of forensic and offensive value because everything is in plaintext while the program is running:

  • Decrypted documents — the disk file may be encrypted, but the open document in your editor lives unencrypted in RAM.
  • Encryption keys — your VeraCrypt, BitLocker, full-disk-encryption keys all sit in RAM while you’re logged in. Cold-boot attacks chill the RAM with cooling spray (slowing the leak) and dump it before it forgets.
  • Passwords — typed credentials, browser-stored cookies, session tokens, OAuth bearer tokens — all of them touch RAM in plaintext.
  • Live malware — RAM-resident malware that never writes to disk. Antivirus that only scans files misses it. This is fileless malware and it’s a major modern threat.

For defenders, memory forensics (tools like Volatility, Rekall) is its own specialty. When you triage an incident, dump RAM first, then image the disk — because RAM tells you what was running, while the disk only tells you what’s stored.
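An added example (not from the original page) of why a dump finds typed passwords: releasing a buffer does not clear it, so the bytes stay in RAM until something overwrites them. The arena is a constructed stand-in for a process heap, and `handle_login`, `wipe` and `secret_left_in_dump` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a process heap: the bytes a RAM dump would capture. */
static unsigned char arena[256];
static size_t used;

static void *arena_alloc(size_t n) {
    if (n > sizeof arena - used) return NULL;
    void *p = arena + used;
    used += n;
    return p;
}

/* Like free(): the space becomes reusable, but the old bytes stay in place. */
static void arena_release(void) { used = 0; }

/* Zero through a volatile pointer so the compiler cannot drop the "dead" stores. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Hypothetical login handler: copies the typed password, uses it, releases it. */
static int handle_login(const char *typed, int wipe_after) {
    size_t n = strlen(typed) + 1;
    char *buf = arena_alloc(n);
    if (!buf) return -1;
    memcpy(buf, typed, n);
    int ok = buf[0] != '\0';          /* stand-in for hashing and verifying */
    if (wipe_after) wipe(buf, n);     /* shorten the secret's lifetime in RAM */
    arena_release();
    return ok;
}

/* What a string search over the dump would report: 1 if the secret is still there. */
int secret_left_in_dump(const char *secret, int wipe_after) {
    memset(arena, 0, sizeof arena);
    handle_login(secret, wipe_after);
    size_t n = strlen(secret);
    for (size_t i = 0; i + n <= sizeof arena; i++)
        if (memcmp(arena + i, secret, n) == 0) return 1;
    return 0;
}

int main(void) {
    printf("released only: %d\n", secret_left_in_dump("correct-horse-constructed", 0));
    printf("wiped first:   %d\n", secret_left_in_dump("correct-horse-constructed", 1));
    return 0;
}
```

In real code the wipe would be `explicit_bzero` (glibc, BSD) or `SecureZeroMemory` (Windows), which exist for exactly this purpose.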

For offence, Rowhammer, Meltdown, and DMA attacks (Direct Memory Access from a malicious USB or Thunderbolt device) all let attackers read or modify RAM they shouldn’t be able to touch.

In one sketch

     ┌───────── RAM stick (DIMM) ─────────┐
     │  ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ │
     │  ▓ DRAM chips (8 or 16 of them)  ▓ │
     │  ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ │
     │  ════════════════════════════════  │ ← gold contacts
     └────────────────────────────────────┘
              ↓ slots into motherboard

   What's inside RAM right now:
     ┌──────────────────────────────────┐
     │  Linux kernel                    │
     │  Browser process — 3 GB          │
     │  Spotify — 800 MB                │
     │  VS Code — 1.2 GB                │
     │  Claude desktop — 600 MB         │
     │  ... encryption keys ...         │ ← everything in plaintext
     │  ... OAuth tokens ...            │
     │  ... your typed password ...     │
     └──────────────────────────────────┘

Memory peg

RAM is the desk. Fast, volatile, plaintext. Pull the plug — it forgets. Read it while it’s running — you read everything.