LockPicker: Leaking data from live LUKS partition

Presented at Hackfest 2016.

Since the privacy disclosures by various whistleblowers, people have realized the value of protecting data with strong cryptographic measures, including but not limited to full disk encryption. Various tools such as dm-crypt, TrueCrypt and BitLocker have been developed for this very purpose. It is silently assumed that the whole technical stack which facilitates full disk encryption is not compromised in any way, or is hard to compromise in an undetectable way, because a basic security system is configured and running on the machine in question.

However, it is still possible to compromise the security while maintaining high stealth, by infecting the filesystem layer itself. Since all the security solutions rely upon the truthfulness of the filesystem (even if they bypass the usual filesystem I/O and talk to the filesystem driver directly), this provides full stealth from such systems.

The paper presents a proof of concept of such an attack on Linux using a minimalistic functional filesystem in kernel space. The proof of concept is capable of leaking data from the encrypted filesystem while the disk is encrypted using a full disk encryption solution like dm-crypt. Since it does not rely upon the specifics of any full disk encryption system, it is possible to use the same attack vector against other solutions too, with minimal changes, if any. However, this attack vector is not foolproof, and therefore can be detected and prevented in many cases. A couple of detection and prevention mechanisms will also be discussed.
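The abstract says detection and prevention will be covered but the listing gives no detail. The script below is an added example, not code from the talk or its author: it shows two generic host-side checks a defender could start with against a filesystem-layer implant of the kind described. First, it decodes the kernel taint word from /proc/sys/kernel/tainted for the out-of-tree (O, bit 12) and unsigned (E, bit 13) module flags, which is how a non-distribution filesystem driver usually arrives; second, it walks /proc/mounts and flags any /dev/mapper/* volume (where dm-crypt devices appear) whose filesystem type is not on an allowlist. The /proc/mounts sample is constructed, "unknownfs" is a placeholder for whatever name a rogue driver registers, and the allowlist is an assumption to be replaced with the site's real set of filesystem types.

```sh
#!/bin/sh
# Added example, not from the Hackfest talk: generic checks for a rogue
# in-kernel filesystem sitting above a dm-crypt volume.
#   1. kernel taint flags: O (out-of-tree) or E (unsigned) module loaded;
#   2. /proc/mounts: filesystem type on each /dev/mapper/* volume is expected.
# Neither proves compromise on its own; both are cheap and worth alerting on.

# Decode the taint bits relevant here from the integer in
# /proc/sys/kernel/tainted: bit 0 = P (proprietary module),
# bit 12 = O (out-of-tree module), bit 13 = E (unsigned module).
# Prints the set flags separated by spaces, or "clean". Returns 1 if any is set.
decode_taint() {
    taint_value=$1
    taint_flags=""
    if [ $(( taint_value & 1 )) -ne 0 ]; then taint_flags="$taint_flags P"; fi
    if [ $(( taint_value & 4096 )) -ne 0 ]; then taint_flags="$taint_flags O"; fi
    if [ $(( taint_value & 8192 )) -ne 0 ]; then taint_flags="$taint_flags E"; fi
    if [ -z "$taint_flags" ]; then
        echo clean
        return 0
    fi
    echo "${taint_flags# }"
    return 1
}

# Scan /proc/mounts-format text ($1). For every mount backed by a
# /dev/mapper/* device, report a filesystem type not in the allowlist ($2,
# space separated; the default is an assumption). Returns 1 if anything was flagged.
check_mounts() {
    mounts_text=$1
    fs_allow=${2:-"ext4 xfs btrfs"}
    found_bad=0
    while read -r src mnt fstype rest; do
        case "$src" in
            /dev/mapper/*) ;;
            *) continue ;;
        esac
        fs_ok=0
        for t in $fs_allow; do
            if [ "$t" = "$fstype" ]; then fs_ok=1; fi
        done
        if [ "$fs_ok" -eq 0 ]; then
            echo "SUSPECT $src on $mnt has type $fstype"
            found_bad=1
        fi
    done <<EOF
$mounts_text
EOF
    return $found_bad
}

# Is module signature enforcement on? 1 means unsigned modules are refused,
# which is the prevention half of the story for this arrival path.
sig_enforce_state() {
    if [ -r /sys/module/module/parameters/sig_enforce ]; then
        cat /sys/module/module/parameters/sig_enforce
    else
        echo unknown
    fi
}

# Constructed /proc/mounts sample for the demo (not captured from a real host).
# "unknownfs" stands in for whatever name a rogue filesystem driver registers.
SAMPLE_MOUNTS='/dev/mapper/cryptroot / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/mapper/cryptdata /data unknownfs rw,relatime 0 0'

echo "== constructed sample =="
decode_taint 12288 || true        # 4096 + 8192: both O and E set
check_mounts "$SAMPLE_MOUNTS" || true

echo "== this host =="
if [ -r /proc/sys/kernel/tainted ]; then
    decode_taint "$(cat /proc/sys/kernel/tainted)" || true
    echo "module sig_enforce: $(sig_enforce_state)"
    check_mounts "$(cat /proc/mounts)" || true
else
    echo "(no /proc/sys/kernel/tainted here; skipping live checks)"
fi
```

Both checks read state that the kernel reports about itself, so an implant that already controls the filesystem layer, or that hides its own module, can feed them a clean picture; that is the same trust problem the abstract raises for security tools that rely on the filesystem. They are therefore a first line, best combined with enforced module signing and out-of-band verification of the boot and module chain.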


Presenters:

  • Adhokshaj Mishra
    Adhokshaj Mishra is an independent security researcher with interest in theoretical and practical aspects of computer science. He mostly codes in C, C++, and assembly language. His primary domains of interest are cryptography, virology, cryptovirology, kleptography and mutation. He has been delivering lectures on various topics like malware techniques, reverse engineering and exploits at various overseas and Indian locations. In the past he has also helped the Uttar Pradesh Special Task Force in cracking various criminal cases related to cyber crime. He loves to attend and speak at various security conferences and meet-ups, and as a result has given talks at various Null/OWASP chapter meet-ups and at events like C0C0N (2014) and DEFCON Lucknow (2015). He maintains a not-so-active blog at http://adhokshajmishraonline.in and can be followed on Facebook (AdhokshajMishra) and Twitter (@adhokshajmishra).
