Hackers of India

LockPicker: Leaking data from live LUKS partition

By  Adhokshaj Mishra  on 05 Nov 2016 @ Hackfest

Abstract

Since the disclosure of privacy by various whistleblowers, people have realized the value of data protection by using strong cryptographic measures including but not limited to full disk encryption. Various tools like dm-crypt, TrueCrypt, BitLocker etc have been developed for the very same purpose. It is silently assumed that whole technical stack which facilitates full disk encryption is not compromised in any way, or is hard to compromise in an undetectable way because basic security system is configured and up on the machine in question. However, it is still possible to compromise the security while maintaining high stealth, by infecting the filesystem layer itself. Since all the security solutions rely upon truthfulness of the filesystem (even if they bypass the usual filesystem I/O and talk to filesystem driver directly), this provides full stealth from such systems. The paper presents proof-of-concept of such an attack on Linux using a minimalistic functional filesystem in kernel space. The proof of concept in question is capable of leaking the data from encrypted file system, while the disk is encrypted using some full disk encryption solution like dm-crypt. Since it does not rely upon specifics of any full disk encryption system, it is possible to use the same attack vector for other solutions too, with minimal changes, if any. However, this attack vector is not foolproof, and therefore can be detected and prevented in many cases. Couple of detection and prevention mechanisms will also be discussed.