TYPHOONCON 2020 SPEAKER

Seunghun Han

Seunghun Han | Senior security researcher at the Affiliated Institute of ETRI
Location: Courtyard by Marriott Seoul Namdaemun, Seoul, Korea
Title: BitLeaker: Subverting Microsoft’s BitLocker with One TPM Vulnerability
Date: June 18th, 2020

BIO

Seunghun Han is a security researcher at the Affiliated Institute of ETRI. Seunghun focuses on root-of-trust, firmware, hypervisor, and kernel security; he has built his own hypervisor and contributed various patches to the Linux kernel and to TPM-based security software.

Seunghun has been a speaker and an author at USENIX Security, Black Hat Asia/Europe, HITBSecConf, BlueHat Shanghai, TyphoonCon, beVX, Becks Japan, and KimchiCon. He also authored two books about building a 64-bit OS from scratch, “64-bit multi-core OS principles and structure”, volume 1 (ISBN-13: 978-8979148367) and volume 2 (ISBN-13: 978-8979148374). Seunghun is a member of the Black Hat Asia Review Board and the KIMCHICON Review Board.

LECTURE DETAILS

The Trusted Platform Module (TPM) is a tamper-resistant security module. It has been widely deployed in commercial devices to protect secret data and to ensure the trustworthiness of a system. There are two common types of TPM: the hardware-based discrete TPM (dTPM) and the firmware-based TPM (fTPM). Microsoft Windows uses both types to protect the Volume Master Key (VMK) of its disk encryption software, BitLocker.

BitLocker’s TPM feature has not been analyzed in detail. It has remained hidden behind the TPM, because the TPM protects BitLocker’s VMK with its sealing and unsealing functions, and most security researchers concluded that a VMK sealed by the TPM was safe. Recent work also showed that the only known way to extract the VMK from the TPM was physical access, such as probing the Low Pin Count (LPC) bus or the TPM pins. However, we found a novel way to subvert BitLocker with software alone. So, the free lunch for BitLocker is over.

In this talk, we introduce a sleep mode vulnerability of the dTPM and the fTPM that can subvert BitLocker. We also present our new tool, BitLeaker, which can extract the VMK from the TPM and decrypt a BitLocker-locked partition without physical access. Last year, we already introduced a dTPM vulnerability, CVE-2018-6622. This year, we found another new vulnerability related to the fTPM, specifically Intel Platform Trust Technology (PTT). The sleep mode vulnerability can subvert not only the fTPM but also the dTPM, and it can forge Platform Configuration Registers (PCRs). PCRs are the core of the sealing and unsealing functions that protect BitLocker’s VMK. By exploiting the vulnerability, we extracted the VMK from the TPM and decrypted a BitLocker-locked partition with our custom tool, BitLeaker. Additionally, we present detailed information on BitLocker’s TPM-based VMK protection process and on countermeasures.
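As an added illustration (it is neither the speaker's BitLeaker code nor Microsoft's or any TPM vendor's implementation), the Python model below shows what it means for the VMK to be sealed to PCRs, which is the mechanism the talk abstract relies on. It models the TPM PCR extend operation as a SHA-256 hash chain, binds a sealed blob to a policy digest over selected PCRs, and shows that unsealing succeeds only when the identical PCR state is presented: a boot with one altered component fails, and a PCR bank still sitting at its reset value fails as well. The `pcrs_look_reset` helper is a defender-side check that flags a bank in which the selected PCRs carry no measurements at all, which is the state a PCR reset leaves behind before anything is extended. The boot components, the VMK, and the `SRK_SEED` are constructed values; a real TPM derives the wrapping key inside the chip and uses a proper symmetric cipher rather than the one-time-pad wrap used here for brevity.

```python
import hashlib
import hmac

# TPM 2.0 SHA-256 PCRs start as all-zero bytes after a platform reset.
PCR_INIT = bytes(32)
N_PCRS = 8

# Constructed stand-in for a TPM-internal secret that never leaves the chip.
SRK_SEED = b"constructed-tpm-internal-secret"


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new_value = H(old_value || H(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measured_boot(components):
    """Return the PCR bank after extending each (pcr_index, component_bytes) pair in order."""
    pcrs = [PCR_INIT] * N_PCRS
    for idx, blob in components:
        pcrs[idx] = extend(pcrs[idx], blob)
    return pcrs


def policy_digest(pcrs, selection):
    """Simplified PCR policy: a digest over the selected PCR indices and their values."""
    h = hashlib.sha256()
    for idx in selection:
        h.update(idx.to_bytes(1, "big") + pcrs[idx])
    return h.digest()


def seal(secret: bytes, pcrs, selection):
    """Bind a 32-byte secret (the VMK) to the current values of the selected PCRs."""
    assert len(secret) == 32, "model wraps exactly one 32-byte secret"
    pol = policy_digest(pcrs, selection)
    wrap = hmac.new(SRK_SEED, pol, hashlib.sha256).digest()   # wrapping key depends on the policy
    ct = bytes(a ^ b for a, b in zip(secret, wrap))           # constructed one-time-pad wrap
    return {"policy": pol, "selection": list(selection), "ct": ct}


def unseal(blob, pcrs):
    """Return the secret only if the presented PCR state reproduces the sealed policy digest."""
    if policy_digest(pcrs, blob["selection"]) != blob["policy"]:
        return None
    wrap = hmac.new(SRK_SEED, blob["policy"], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], wrap))


def pcrs_look_reset(pcrs, selection) -> bool:
    """Defender check: every selected PCR still holds the reset value, so no measurement was recorded."""
    return all(pcrs[i] == PCR_INIT for i in selection)


def demo():
    """Exercise seal/unseal against an unchanged boot, a tampered boot, and a reset PCR bank."""
    vmk = hashlib.sha256(b"constructed VMK").digest()
    good_boot = [
        (0, b"firmware v1"),
        (2, b"option rom"),
        (4, b"boot manager"),
        (7, b"secure boot policy"),
    ]
    selection = [0, 2, 4, 7]
    blob = seal(vmk, measured_boot(good_boot), selection)

    results = {}
    # Identical boot sequence reproduces the PCR values, so the VMK unseals.
    results["same_boot"] = unseal(blob, measured_boot(good_boot)) == vmk

    # One altered component changes PCR 4, so the policy no longer matches.
    tampered = list(good_boot)
    tampered[2] = (4, b"modified boot manager")
    results["tampered_boot"] = unseal(blob, measured_boot(tampered)) is None

    # A bank still at reset values unseals nothing and is detectable as such.
    reset_bank = [PCR_INIT] * N_PCRS
    results["reset_bank"] = (
        unseal(blob, reset_bank) is None and pcrs_look_reset(reset_bank, selection)
    )
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that the sealed VMK is only as safe as the integrity of the PCR values presented at unseal time; a PCR bank that can be cleared and then filled after sleep no longer reflects what actually ran, so the PCR state across suspend and resume is what a defender has to verify or avoid exposing.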