BitLocker

In this lesson, we will explore BitLocker.

Introduction

BitLocker is Microsoft’s full disk encryption (FDE) solution for Windows. It encrypts whole volumes transparently, so neither users nor applications have to do anything differently. FDE is a defense against attackers with physical access to a powered-down machine. It is not a defense against malware, against attackers who log in with stolen credentials, or against attackers exploiting vulnerable software running on the box: once the operating system has booted and unlocked the volume, every process reads and writes the disk in plaintext through the normal file system APIs. In the most common configuration, where the key is sealed to the machine’s TPM and released automatically at boot, the volume is unlocked before anyone has even logged in.

Without an FDE solution in place, an attacker with physical access can simply pull the hard drive out of the victim’s computer, image it to an external drive, and take the image away for offline analysis. While the drive is out of the computer, the attacker can also attach it to a machine they control, write malware onto it, and put it back in the victim’s computer; the operating system’s file permissions never come into play, because that operating system is not running. Additionally, an attacker can carry out the “Sticky Keys attack.” The Sticky Keys attack has been known since at least 2009, but there doesn’t appear to be a definitive attribution for it.

Sticky keys attack

Sticky Keys is an accessibility feature of Windows. It allows people who can’t physically press multiple keys at once to use a keyboard as though they could. The most common use is making the Shift key easier to use. Instead of requiring a user to hold Shift while pressing a letter key to type a capital letter, when Sticky Keys is enabled a single press of Shift applies to the next key pressed (and pressing Shift twice in a row locks it until it is pressed again). It means more keystrokes, but none of them have to happen at the same time. In Windows, a small program, c:\windows\system32\sethc.exe, is the handler for this accessibility shortcut: pressing the Shift key five times in a row launches it, and it offers to enable Sticky Keys for the current session.

It’s nice that this feature exists, but why do we care about esoteric accessibility features in a security course?

We care because when c:\windows\system32\sethc.exe is launched from the logon screen, it runs as the SYSTEM account, not as a regular user. The five-Shift shortcut works before you’ve authenticated yourself, and since the computer doesn’t know who you are yet there is no user context to run it in, so winlogon starts it with its own privileges. We can combine this with a lack of full disk encryption to launch the Sticky Keys attack.

The Sticky Keys attack assumes an attacker has physical access to a Windows workstation. To perform the attack, the attacker powers down the workstation and boots it from a device such as a USB drive that contains a small bootable Linux image. Once Linux is running, the attacker mounts the Windows volume and overwrites c:\windows\system32\sethc.exe with a copy of c:\windows\system32\cmd.exe. (Recall that running cmd.exe is the same as opening a new Command Prompt window.) Booting another operating system is what makes the overwrite possible: from inside a running Windows the file is owned by TrustedInstaller and guarded by Windows Resource Protection, but to the Linux system it is just a file on an unencrypted NTFS volume. The attacker then reboots normally into Windows. At the login screen, the attacker hits Shift five times. Windows thinks the user wants to configure Sticky Keys, so it runs c:\windows\system32\sethc.exe. But that file is now a copy of cmd.exe, so Windows presents the attacker with a Command Prompt running as SYSTEM. The attacker has full control of the machine at this point: they can install or run any software they want, and they have full control of the registry and the file system.

The drive-imaging, malware-planting, and Sticky Keys attacks all illustrate the same problem: a computer’s hard drive is fully accessible to an attacker with physical access while the computer is powered down. When an attacker reads and writes the disk directly, bypassing the operating system’s permission checks, the attacker can mount significant attacks.

The defense against these attacks is full disk encryption. With full disk encryption enabled, the attacker is no longer able to bypass the operating system’s defenses by going around it. Until the operating system boots and unlocks the volume, the data on the drive is ciphertext: an attacker who boots Linux from a USB drive sees an encrypted volume and cannot read the user’s files or replace sethc.exe with anything meaningful. Note the limit of this defense: BitLocker protects the disk while the system is off. Once the system is running and the volume is unlocked, the usual defenses against malware, stolen credentials, and vulnerable software still have to do their job.
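As an added example (not part of the original lesson), here is a PowerShell check that a defender or forensic examiner can run in an elevated session on a Windows workstation. It compares the accessibility helpers that winlogon can launch from the logon screen against cmd.exe, verifies their Authenticode signatures and version resources, and then reports the BitLocker state and key protector types of the OS volume. Checking helpers beyond sethc.exe, and the exact fields examined, are this example’s choices, not something the lesson prescribes; the BitLocker cmdlets require the BitLocker PowerShell module that ships with Windows Pro, Enterprise and Server editions.

```powershell
# Added example: detect a swapped accessibility binary and report BitLocker state.
# Run from an elevated PowerShell session on the workstation being examined.

$System32 = Join-Path $env:SystemRoot 'System32'
$cmdHash  = (Get-FileHash -Algorithm SHA256 (Join-Path $System32 'cmd.exe')).Hash

# sethc.exe is the binary the lesson discusses. The others are further accessibility
# helpers reachable from the logon screen; checking them too is this example's assumption.
$accessibilityBinaries = 'sethc.exe', 'utilman.exe', 'osk.exe', 'magnify.exe', 'narrator.exe'

foreach ($name in $accessibilityBinaries) {
    $path = Join-Path $System32 $name
    if (-not (Test-Path $path)) { continue }

    $sig  = Get-AuthenticodeSignature -FilePath $path   # validates catalog signatures too
    $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
    # A copied cmd.exe keeps cmd.exe's version resource, so OriginalFilename gives it away.
    $orig = (Get-Item $path).VersionInfo.OriginalFilename
    $stem = [IO.Path]::GetFileNameWithoutExtension($name)

    $problems = @()
    if ($hash -eq $cmdHash)                      { $problems += 'byte-identical to cmd.exe' }
    if ($sig.Status -ne 'Valid')                 { $problems += "signature status $($sig.Status)" }
    if ($orig -and $orig -notlike "$stem*")      { $problems += "OriginalFilename is '$orig'" }

    if ($problems.Count -gt 0) {
        Write-Warning "$name : $($problems -join '; ')"
    } else {
        Write-Output "$name : OK, signed by $($sig.SignerCertificate.Subject)"
    }
}

# BitLocker state of the OS volume.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
Write-Output ('{0} ProtectionStatus={1} VolumeStatus={2} Encryption={3}' -f
    $os.MountPoint, $os.ProtectionStatus, $os.VolumeStatus, $os.EncryptionMethod)

# The protector types show whether the volume unlocks with no user interaction.
$types = @($os.KeyProtector.KeyProtectorType)
Write-Output ('Key protectors: {0}' -f ($types -join ', '))
if ($os.ProtectionStatus -ne 'On') {
    Write-Warning 'OS volume is not protected: the offline attacks described above apply.'
} elseif (($types -contains 'Tpm') -and -not ($types -contains 'TpmPin')) {
    Write-Output 'TPM-only protector: the volume unlocks automatically at boot, before logon.'
}
```

A warning on any of the accessibility binaries after an unexplained reboot is exactly the trace the Sticky Keys attack leaves behind, and the BitLocker section tells you whether that tampering was even possible offline. The `TpmPin` branch reflects the caveat in the text: a TPM-only protector defends the powered-down disk but releases the key before anyone authenticates, whereas adding a PIN requires the person at the keyboard to prove something before the volume unlocks.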
