Mount IOCTL (input/output control) attack leaves Windows encryption programs open to kernel hack


According to a paper published by Bern Roellgen, a new type of attack could target on-the-fly-encryption (OTFE) programs if the attacker finds a way to compromise the Windows kernel. OTFE programs typically pass the password and the file path in the clear to a device driver through the Windows programming function 'DeviceIoControl'.

In what Roellgen dubs the Mount IOCTL (input/output control) Attack, an attacker would need to substitute the DeviceIoControl function that is part of the kernel with a modified version able to log I/O control codes, in order to find the one used by an encryption driver. Once that code is found, the plaintext passphrase used to encrypt and decrypt a mounted volume would be exposed.
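To make the two technical points of the write-up concrete, here is an added example (not code from the article or from Roellgen's paper): it shows how a Windows I/O control code is laid out, so that a logged code can be decoded into its device type and function number, and how a mount request buffer handed to DeviceIoControl carries the passphrase in the clear. The control code IOCTL_OTFE_MOUNT, the mount_request layout and the sample path and passphrase are constructed for the demo and do not belong to any real encryption driver; the CTL_CODE field layout itself matches the Windows driver headers.

```c
/* Added example (not from the article or from Roellgen's paper): layout of a
 * Windows I/O control code and a constructed OTFE mount request as it would be
 * passed to DeviceIoControl. The IOCTL number, the request struct, the path and
 * the passphrase are all hypothetical and belong to no real driver. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field layout of a Windows IOCTL code, as produced by the CTL_CODE macro:
 * bits 31..16 device type, 15..14 required access, 13..2 function, 1..0 method. */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) | \
     ((uint32_t)(Function) << 2) | (uint32_t)(Method))

#define FILE_DEVICE_UNKNOWN 0x22u
#define METHOD_BUFFERED     0u
#define FILE_ANY_ACCESS     0u

/* Hypothetical "mount volume" control code. Vendor-defined function numbers
 * start at 0x800, which is why third-party driver IOCTLs so often look alike. */
#define IOCTL_OTFE_MOUNT CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)

typedef struct {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
} ioctl_fields;

/* Split a control code back into its fields: this is all a logged IOCTL number
 * reveals about the request it carried. */
ioctl_fields ioctl_decode(uint32_t code) {
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Constructed layout of a mount request as an OTFE program might place it in
 * the input buffer of DeviceIoControl. */
typedef struct {
    char     volume_path[260];
    char     passphrase[128];
    uint32_t passphrase_len;
} mount_request;

/* Fill the request the way the article describes: path and passphrase in the clear.
 * Returns the byte count that would be given to DeviceIoControl as nInBufferSize. */
size_t build_mount_request(mount_request *req, const char *path, const char *pass) {
    memset(req, 0, sizeof *req);
    strncpy(req->volume_path, path, sizeof req->volume_path - 1);
    strncpy(req->passphrase, pass, sizeof req->passphrase - 1);
    req->passphrase_len = (uint32_t)strlen(req->passphrase);
    return sizeof *req;
}

/* Scan an IOCTL input buffer for a byte sequence: the check a defender runs over
 * a captured buffer to confirm that a secret crosses the user/kernel boundary
 * in plaintext. Returns 1 if found, 0 otherwise. */
int buffer_contains(const void *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    const unsigned char *p = buf;
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(p + i, needle, n) == 0) return 1;
    return 0;
}

int main(void) {
    ioctl_fields f = ioctl_decode(IOCTL_OTFE_MOUNT);
    printf("IOCTL 0x%08X: device 0x%X function 0x%X method %u access %u\n",
           IOCTL_OTFE_MOUNT, f.device_type, f.function, f.method, f.access);

    mount_request req;
    size_t len = build_mount_request(&req, "C:\\vault\\container.vol", "correct horse battery");
    printf("mount request is %zu bytes; passphrase visible in plaintext: %s\n",
           len, buffer_contains(&req, len, "correct horse battery") ? "yes" : "no");
    return 0;
}
```

The decode step shows why logging control codes is enough for the attacker the article describes: a vendor IOCTL encodes its device type and function number in fixed bit positions, and once the mount code is identified, the whole input buffer, passphrase included, is what the hooked function sees. Any real mitigation has to keep the passphrase out of that buffer (for example by deriving the volume key in user mode and passing only what the driver needs), which still does not help once the kernel itself is compromised.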
