Skip to content

Entries from March 2009

Right, the kernel can access your encrypted volume keys. So what?

On January 15th, TechWorld published an article called Encryption programs open to kernel hack. Essentially, it warns that the key to encrypted volumes, that is, to volumes of software-encrypted virtual drives, is delivered by the encryption application to the kernel of the operating system, and thus may be captured by a malicious kernel.

According to a paper […] such OTFE (on-the-fly-encryption) programs typically pass the password and file path information in the clear to a device driver through a Windows programming function called ‘DevicelOControl’.”

And they consider it as a threat:

Dubbed, the Mount IOCTL (input output control) Attack by Roellgen, an attacker would need to substitute a modified version of the DevicelOControl function that is part of the kernel with one able to log I/O control codes in order to find the one used by an encryption driver. Once found, the plaintext passphrase used to encrypt and decrypt a mounted volume would be vulnerable.”

Such “findings” occur often when the security model of a security system is ignored.

Continue reading "Right, the kernel can access your encrypted volume keys. So what?"