Encryption programs open to kernel hack

January 15, 2009 – 11:24 AM

Many popular Windows encryption programs that hide files inside mounted volumes could be fatally compromised by a new type of attack uncovered by a German researcher.

According to a paper published by Bern Roellgen, who also works for encryption software outfit PMC Ciphers, such OTFE (on-the-fly-encryption) programs typically pass the password and file path information in the clear to a device driver through a Windows programming function called ‘DevicelOControl’.

Although it is impossible for a malicious program to get hold of this data directly – a competently-written encryption program will overwrite memory locations caching this data – it could be retrieved if the attacker has found a way to compromise the Windows kernel itself.

Dubbed, the Mount IOCTL (input output control) Attack by Roellgen, an attacker would need to substitute a modified version of the DevicelOControl function that is part of the kernel with one able to log I/O control codes in order to find the one used by an encryption driver. Once found, the plaintext passphrase used to encrypt and decrypt a mounted volume would be vulnerable.


  1. One Response to “Encryption programs open to kernel hack”

  2. So, while it is impossible to directly access the data with malware, the data can be made available by malware, which could then take it. Kind of a two stepper. I always wonder who is better off when stories like this get published, us or the hackers. This just means that we should choose our encryption software a bit more carefully, because even those programs can be given too much access.

    By Mitch on Dec 28, 2009

You must be logged in to post a comment.