
Douglas MacIver (Penetration Engineer, Microsoft Penetration Team, Microsoft Corporation)

Filed under: Main Page — Administrator @ 11:44 am

May 29, 2006

Presentation Title: Pen Testing Windows Vista BitLocker Drive Encryption from the Inside
Presentation Details:

This insider’s candid perspective on the threat analysis and penetration of BitLocker Drive Encryption will be a forthright review of its threats, vulnerabilities, and their mitigations — significant since the talk is in advance of the product’s release date. The presentation will bring together known device attacks such as DMA exploits with “not-widely-discussed” platform vulnerabilities to show how they affect BitLocker Drive Encryption and device security in general. The presentation will also include the penetration team’s best crack-finding practices, the BitLocker team’s use of Microsoft’s Security Development Lifecycle, threat-modeling, threat-storming, queer views, and other practical tips. Along with DMA exploits, some of the other BitLocker and device attacks to be discussed are: PIN-hammering, key-wear analysis, ciphertext manipulation, physical memory attacks, Trusted Computing Base subversion, LPC bus attacks, and others.

Other threat analysis and penetration insights from the team will include: the poison of conventional wisdom, avoiding paranoia-induced burnout, pros and cons of external security review, security code review best practices, how to avoid analysis paralysis, leveraging dream states, adversary modeling, forensics, and cryptographic validation. The presenter is a member of the penetration team. This presentation will not be a marketing or sales presentation. It will contain a (very) brief overview of BitLocker Drive Encryption, limited to its security elements. For general BitLocker information, please go to www.microsoft.com.

Why this talk rocks

Reason 1: This presentation is an insider’s candid perspective on the threat analysis and penetration of a significant data protection feature in Microsoft Windows Vista. The presenter is a member of the penetration team. This is not a marketing or sales presentation.

Reason 2: This will be a forthright discussion of threats and mitigations — in advance of the product’s release. The presentation will bring together known device attacks such as DMA exploits with “not-widely-discussed” platform vulnerabilities to show how they affect BitLocker Drive Encryption and device security in general.

Reason 3: Microsoft has staffed a formidable security team and implemented new security engineering processes which are state-of-the-art. Sharing the BitLocker team’s experiences with these processes will help the threat analysis and penetration community.

Detailed Outline:
1. Brief Technical Intro to BitLocker

Trusted Platform Module (TPM)
Pre-OS Architecture
Secure Startup
OS Architecture
Key Architecture
Modes: Usability & TCO vs. Security

2. Attacks against the CRTM and TCB

Core Root of Trust for Measurement (CRTM)
Trusted Computing Base
CRTM Immutability
Pre-OS Component Attacks (bootmgr, winload, winresume)
Mitigations: BIOS Secure Upgrade

3. Defining the Threat Domain

Defining the target of evaluation
How the device has become the new attack frontier
Attack / defense asymmetry: Every stone in the castle wall must be checked
Modeling the adversary: profiling and serial criminals
Why we assume adversaries have oracle knowledge of the system

4. DMA Attacks

References David Maynor’s and David Hulton’s previous USB and PC Card bus work
Describes how these threats affect BitLocker

5. Ciphertext Manipulation Attacks

Attacks against the CRTM and the security posture of the system

6. Brief Intro to BitLocker Cryptographic Components

Elephant / Diffusion

7. BitLocker Cryptographic Validation

Implementation bugs
Internal review
External review

8. Brief Intro to Microsoft’s Security Development Lifecycle

List the 13 stages
Discuss how BitLocker exceeds SDL requirements and why
What did and didn’t work for the BitLocker team

9. TPM PIN Dictionary Attacks

Related attacks

10. Brief Intro to Threat Modeling at Microsoft

Component Diagrams
Entry Points
Trust Levels
Protected Assets
Data Flow Diagrams
Threat Trees vs. Threat Graphs
Queer views
What did and didn’t work for the BitLocker team

11. Why Code Review is Fruitful

Static analysis
Thousands of APIs
Hundreds of thousands of lines of code
Examples of vulnerabilities found and fixed

12. Analysis Paralysis and the Data Flood

Condensing the threats: Top Ten
Threat classes

13. Pentest Tool Development

Manual vs. Automated pentesting
Negative testing vs. pentesting
Dumb and smart fuzzing
Demoing the Exploit: An (expensive) communication medium to management

14. External Security Review

Pros and cons

15. Physical Memory Attacks

Warm ghost
DIMM Extraction

16. Avoiding Paranoia Burnout

Finding the threat edge
Fear of the unknown
Postcards from Lu-Lu land

17. Forensics

Front doors only
No secret sauce

18. Crack-finding summary

Top ten habits of successful penetrators
The insider threat

19. A short description of the BitLocker penteam

Top ten desirable characteristics of penetrators
Why it pays to have in-team threat analysis and penetration

20. Security work at Microsoft is hot

Microsoft has built a world-class security team.
Our experience, talent, knowledge base, tools, and resources are a formidable asset.
If you want to take part in security that will positively affect millions of people, this is an excellent place to be.

21. BitLocker crack-finding is an on-going effort

The crack-finding work will continue indefinitely

About Douglas

Douglas MacIver joined Microsoft in 2004 as a penetration engineer, hell-bent on helping to build data privacy tools for the citizens of the world. He has worked on security projects at Intel, PassEdge, InterTrust, and Microsoft.

Event Organizer

Hack In The Box (M) Sdn. Bhd.
