VeraCrypt 1.18 Security Assessment
Technical Report
Ref. 16-08-215-REP
Version 1.0
Date 17 October, 2016
Prepared for OSTIF
Performed by Quarkslab

Contents
1 Project information 3
2 Executive Summary 4
2.1 Fixes 4
2.2 New Problems 5
3 Context and Scope 6
4 Known Vulnerabilities in TrueCrypt 7.1a 7
4.1 Vulnerabilities Detailed in OCAP Phase 1 7
4.2 Vulnerabilities Detailed in OCAP Phase 2 14
4.3 Vulnerabilities Reported by James Forshaw 17
5 VeraCrypt's Modifications Assessment 19
5.1 The Length of the Password Can Be Computed When Encryption Is Activated 19
5.2 Data Compression: Too Many Different Critical Issues 20
5.3 Integer Overflow When Computing the Number of Iterations for PBKDF2 When PIM Is Used 22
5.4 PIN Code on Command Line 23
6 New Cryptographic Mechanisms Assessment 24
6.1 GOST 28147-89 Must Be Removed from VeraCrypt 24
6.2 Lack of Test Vectors for Newly Added Algorithms 26
6.3 Input and Output Parameters Are Swapped in GOST Magma 27
6.4 Notes on the PBKDF2 Implementation 28
6.5 Random Byte Generators in DCS Should Be Improved 30
7 UEFI Support Assessment 32
7.1 Keystrokes Are Not Erased After Authentication 32
7.2 Sensitive Data Is Not Correctly Erased 33
7.3 Memory Corruption Can Occur When the Recovery Disk Is Read 33
7.4 Mistakes in the DCS Code 34
8 Recommendations 38
8.1 Unfixed or Partially Fixed Vulnerabilities from Former Audits 38
8.2 VeraCrypt's Modifications Assessment 39
8.3 New Cryptographic Mechanisms Assessment 39
8.4 UEFI Support Assessment 40
9 Conclusion 42
Bibliography 43
1. Project information

Document Change Log
Version | Date       | Change                         | Authors
0.1     | 18/08/2016 | Creation                       | Marion Videau
0.2     | 09/09/2016 | First draft sent to VeraCrypt  | Jean-Baptiste Bédrune, Marion Videau
0.3     | 14/09/2016 | Second draft sent to VeraCrypt | Jean-Baptiste Bédrune, Marion Videau
0.8     | 16/09/2016 | Draft internally reviewed      | Jean-Baptiste Bédrune, Marion Videau
0.9     | 20/09/2016 | Reviewed                       | Fred Raynal
0.9     | 30/09/2016 | Reviewed                       | Mounir Idrassi
1.0     | 05/10/2016 | Delivered to OSTIF             | Jean-Baptiste Bédrune, Marion Videau
1.0     | 13/10/2016 | Reviewed                       | Derek Zimmer
1.0     | 17/10/2016 | Published                      | Quarkslab

Quarkslab SAS, 13 rue Saint Ambroise, 75011 Paris, France
Contact               | Role            | Contact information
Frédéric Raynal       | CEO and Founder | fraynal@quarkslab.com
Jean-Baptiste Bédrune | R&D Engineer    | jbbedrune@quarkslab.com
Marion Videau         | R&D Engineer    | mvideau@quarkslab.com

Open Source Technology Improvement Fund
Contact      | Role                  | Contact information
Derek Zimmer | President and Founder | derek@ostif.org

VeraCrypt Project
Contact        | Role           | Contact information
Mounir Idrassi | Main Developer | mounir.idrassi@idrix.fr

Ref.: 16-08-215-REP Quarkslab SAS 3
2. Executive Summary

This report describes the results of the security assessment of VeraCrypt 1.18 made by Quarkslab between Aug. 16 and Sep. 14, 2016 and funded by OSTIF. Two Quarkslab engineers worked on this audit, for a total of 32 man-days of study.

The audit followed two lines of work:
– The analysis of the fixes introduced in VeraCrypt after the results of the Open Crypto Audit Project's audit of TrueCrypt 7.1a have been published.
– The assessment of VeraCrypt's features that were not present in TrueCrypt.

The new features of VeraCrypt include:
– Support for non-Western cryptographic algorithms,
– Compatibility with UEFI for system encryption,
– A better protection of the volume header keys.

VeraCrypt is a hard-to-maintain project. Deep knowledge of several operating systems, of the Windows kernel, of the system boot chain and good concepts in cryptography are required. The improvements made by IDRIX demonstrate the possession of these skills.
2.1 Fixes

All the vulnerabilities that have been taken into account have been correctly fixed (except a minor missing fix for one of them). In particular, the problem leading to a privilege escalation discovered by James Forshaw in the TrueCrypt driver just after the OCAP audit has been solved.

Vulnerabilities which require substantial modifications of the code or the architecture of the project have not been fixed. These include:
– TC_IOCTL_OPEN_TEST multiple issues (need to change the application behavior),
– EncryptDataUnits() lacks error handling (need to design a new logic to retrieve errors),
– AES implementation susceptible to cache-timing attacks (need to fully rewrite the AES implementations).

Vulnerabilities leading to incompatibilities with TrueCrypt, such as the ones related to cryptographic mechanisms, have not been fixed. Most notable are:
– Keyfile mixing is not cryptographically sound,
– Unauthenticated ciphertext in volume headers.
2.2 New Problems

Among the problems found during the audit, some must be corrected quickly:
– The availability of GOST 28147-89, a symmetric block cipher with a 64-bit block size, is an issue. This algorithm must not be used in this context.
– Compression libraries are outdated or poorly written. They must be updated or replaced.
– If the system is encrypted, the boot password (in UEFI mode) or its length (in legacy mode) could be retrieved by an attacker.

Finally, the UEFI loader is not mature yet. However, its use has not been found to cause security problems from a cryptographic point of view.
3. Context and Scope

This report describes the security assessment made by Quarkslab on VeraCrypt. VeraCrypt is a disk encryption software developed by IDRIX. It is derived from the now defunct TrueCrypt project.

This audit has been carried out at the request of the Open Source Technology Improvement Fund. Its goal was to evaluate the security of the features brought by VeraCrypt since the publication of the audits on TrueCrypt 7.1a conducted by the Open Crypto Audit Project.

Two people from Quarkslab worked on this audit, for a total of 32 man-days of study:
– Jean-Baptiste Bédrune, Senior Security Researcher,
– Marion Videau, Senior Cryptographer and Chief Scientific Officer.

A first step consisted in verifying that the problems and vulnerabilities identified by [OCAP1] and [OCAP2] in TrueCrypt 7.1a had been taken into account and fixed. Then, the remaining study was to identify potential security problems in the code specific to VeraCrypt.

Contrary to other TrueCrypt forks, the goal of VeraCrypt is not only to fix the public vulnerabilities of TrueCrypt, but also to bring new features to the software. The innovations introduced by VeraCrypt include:
– The support of UEFI,
– The addition of non-Western cryptographic algorithms (Camellia, Kuznyechik, GOST 28147-89, Streebog),
– A volume expander,
– A "Personal Iterations Multiplier" impacting the security of the derivation of the volume header encryption keys,
– The support of UNICODE on Windows, and the use of StrSafe functions instead of string.h,
– The gathering of entropy on mouse movements at each random number generation, to improve randomness, and a better estimate of the randomness.

Some components of VeraCrypt have not been investigated, as they were already out of the scope of the Open Crypto Audit Project. That includes the OSX and Linux versions of VeraCrypt. Finally, it has been decided conjointly with VeraCrypt's main developer that the features available in the diagnostic tool of the UEFI loader were also out of the scope of this audit.

This study focuses on the source code of VeraCrypt 1.18 and the source code of the VeraCrypt DCS EFI Bootloader 1.18. The SHA-256 fingerprints of these archives are:
VeraCrypt_1.18_Source.zip: 12c1438a9d2467dcfa9fa1440c3e4f9bd5e886a038231d7931aa2117fef3a5c5
VeraCrypt-DCS-EFI-LGPL_1.18_Source.zip: 2e8655b3b14ee427320891c08cc7f52239378ee650eb28bad9531371e7c64ae3
4. Known Vulnerabilities in TrueCrypt 7.1a

This part inventories the vulnerabilities identified in TrueCrypt 7.1a, which is the code base of VeraCrypt. Then, it details whether they have been fixed or not in VeraCrypt. The set of vulnerabilities includes the ones detailed in these three sources:
– The reports of the Open Crypto Audit Project [OCAP1], [OCAP2].
– The audit report of the Fraunhofer Institute for Secure Information Technology for the BSI [FSIT], which is largely based on the OCAP reports.
– Two problems in the TrueCrypt driver identified by James Forshaw [P0-537], [P0-538].

VeraCrypt's code has been analyzed to check if the vulnerabilities reported in all these sources have been correctly understood and fixed by VeraCrypt's developers.

Note: When pieces of source code are cited, the layout might be changed from the original source code for readability purposes, to make it fit in the page width.
4.1 Vulnerabilities Detailed in OCAP Phase 1

This part lists and comments on the vulnerabilities discovered during the first phase of the audit ordered by OCAP. The audit has been performed by iSec Partners [OCAP1].

4.1.1 Weak Volume Header Key Derivation Algorithm

TrueCrypt's volume header keys are derived from the user-supplied password with PBKDF2. In its report, iSec advocated greatly increasing the number of iterations of the hash function and, eventually, migrating this derivation function towards a newer algorithm such as scrypt.

The number of iterations has been increased in VeraCrypt: it was between 1000 and 2000 in TrueCrypt, depending on the hash algorithm and its use case. It is now between 200,000 and 655,331. Furthermore, it can be manually specified.

NIST recommends using a much higher number of iterations for critical keys [SP800-132]:
    For especially critical keys, or for very powerful systems or systems where user-perceived performance is not critical, an iteration count of 10,000,000 may be appropriate.

This level of security can be reached since the introduction of a "Personal Iterations Multiplier" in VeraCrypt 1.12. The number of iterations when a PIM value is specified is:
– For system drive encryption: Iterations = PIM * 2048.
– For non-system drive and container encryption: Iterations = 15000 + (PIM * 1000).

To comply with NIST's recommendations, a PIM value of 4883 for system encryption (10,000,384 iterations) and of 9985 for containers and non-system partitions (10,000,000 iterations) can be used.

The default number of iterations in VeraCrypt is a trade-off between security and boot or mount time. Each user can then influence these parameters using the PIM parameter.

This vulnerability is considered fixed. However, a safer derivation algorithm like scrypt (or Argon2) would be a plus.
4.1.2 Sensitive Information Might Be Paged Out from Kernel Stacks

In a situation where the amount of available memory becomes very low, kernel stack pages can be paged out under certain conditions. The vulnerability and its remediation are correctly documented in iSec's report. This situation has consequences only if the system partition is not encrypted or if the paging files do not reside on this partition. VeraCrypt's documentation correctly explains the problem [1]:
    To prevent the issues described above, encrypt the system partition/drive (for information on how to do so, see the chapter System Encryption) and make sure that all paging files are located on one or more of the partitions within the key scope of system encryption (for example, on the partition where Windows is installed).

Except for the explanation, nothing else was intended by VeraCrypt to fix the vulnerability. iSec recommends gathering all sensitive pieces of information at the same place and locking the corresponding memory area. However, it is very difficult to definitely exclude the possibility of a sensitive piece of information being paged out this way. We rather advise following VeraCrypt's documentation principles, which definitely solve the problem.
4.1.3 Multiple Issues in the Bootloader Decompressor

If the system partition is encrypted, at boot time, TrueCrypt's code in the boot sector loads a decompression routine in memory and verifies its checksum. If it succeeds, the decompression routine is called to decompress a bootloader.

The decompression routine suffers from several bugs. Its code is taken from puff, an implementation of inflate which was optimized for memory-constrained applications and can be found in the contrib directory of zlib. The code is a fork and the bug fixes have not been taken into account in TrueCrypt, notably an out-of-bounds write.

All the problems mentioned in iSec's report have been corrected in VeraCrypt.

It should be noticed that in order to trigger a vulnerability in the decompression routine of the bootloader, an attacker has to first modify the compressed piece of code, which requires administrator or physical access to the system. These two attack settings are explicitly excluded from the protection range of TrueCrypt. Modifying compressed data requires as many rights as modifying the decompression routine. Fixing those bugs makes the code more robust but in our opinion, the bugs were not really threatening the application security.

[1] VeraCrypt Documentation - Paging File. https://veracrypt.codeplex.com/wikipage?title=Paging%20File
4.1.4 Windows Kernel Driver Uses memset() to Clear Sensitive Data

Some sensitive pieces of information are deleted by calling memset in TrueCrypt's driver. Unfortunately, one of the compiler's optimizations consists in removing memset calls that it considers useless. Therefore, the function RtlSecureZeroMemory needs to be called to securely erase memory, which is what the function burn does as a wrapper of RtlSecureZeroMemory in the kernel.

Two examples of sensitive data deletion with memset are presented in iSec's report. The first one is fixed in VeraCrypt:

Listing 4.1: src/Driver/DriveFilter.c:113
    BootArgs = *bootArguments;
    BootArgsValid = TRUE;
    burn (bootArguments, sizeof (*bootArguments));

As is the case with the second one:

Listing 4.2: src/Driver/DriveFilter.c:453
    // Erase boot loader scheduled keys
    if (mappedCryptoInfo)
    {
        burn (mappedCryptoInfo, BootArgs.CryptoInfoLength);
        MmUnmapIoSpace (mappedCryptoInfo, BootArgs.CryptoInfoLength);
        BootArgs.CryptoInfoLength = 0;
    }

However, code has been added in this function by VeraCrypt. There is now an execution path where a check on a hidden volume can call TC_THROW_FATAL_EXCEPTION, a wrapper of KeBugCheckEx:

Listing 4.3: src/Driver/DriveFilter.c:391
    mappedCryptoInfo = MmMapIoSpace (cryptoInfoAddress, BootArgs.CryptoInfoLength, MmCached);
    if (mappedCryptoInfo)
    {
        ...
    }
    }
    pim = (int) (BootArgs.Flags >> 16);
    if (ReadVolumeHeader (!hiddenVolume, header, password, pkcs5_prf, pim, FALSE,
        &Extension->Queue.CryptoInfo, Extension->HeaderCryptoInfo) == 0)
    {
        // Header decrypted
        status = STATUS_SUCCESS;
        Dump ("Header decrypted\n");
        // calculate Fingerprint
        ComputeBootLoaderFingerprint (Extension->LowerDeviceObject, header);
        if (Extension->Queue.CryptoInfo->hiddenVolume)
        {
            Dump ("Hidden volume start offset = %I64d\n",
                Extension->Queue.CryptoInfo->EncryptedAreaStart.Value + hiddenPartitionOffset);
            ...
            if (Extension->Queue.CryptoInfo->VolumeSize.Value > hiddenPartitionOffset - BootArgs.DecoySystemPartitionStart)
                TC_THROW_FATAL_EXCEPTION;
            ...
    // Erase boot loader scheduled keys
    if (mappedCryptoInfo)
    {
        burn (mappedCryptoInfo, BootArgs.CryptoInfoLength);

If an exception is raised, the call to burn will never be reached and mappedCryptoInfo will not be erased. The corresponding data could possibly be written in a crash dump. Therefore, mappedCryptoInfo must be erased before raising the exception.

However, it must be mentioned that TrueCrypt's documentation prescribes disabling crash dump creation if the system partition is not encrypted. Therefore, if the system is correctly configured, the unreachable burn call will not cause a security problem.
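The two points of this section in working form, added here as example code (not VeraCrypt's own): a burn()-style erase that a compiler cannot drop as a dead store, and the erase-before-raise ordering that the execution path in Listing 4.3 lacks. The function release_mapped_crypto_info, its size check and the fatal_exception counter are hypothetical stand-ins for the driver's TC_THROW_FATAL_EXCEPTION path; the key bytes are a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* burn()-style erase: every store goes through a volatile pointer, so the
 * compiler cannot treat the clearing as dead and remove it the way it may
 * remove a trailing memset() on a buffer that is never read again. */
void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--)
        *vp++ = 0;
}

/* 1 if every byte of p[0..n) is zero (constant-time OR accumulation). */
int all_zero(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    while (n--)
        acc |= *p++;
    return acc == 0;
}

/* Stand-in for TC_THROW_FATAL_EXCEPTION: the driver bugchecks here, this
 * version only counts calls so the ordering can be checked (assumption). */
static int fatal_calls;
static void fatal_exception(void) { fatal_calls++; }

/* Shape of the Listing 4.3 path with the erase moved ahead of the raise:
 * whichever way the hidden-volume size check goes, the mapped key material
 * is gone before control leaves.  Returns 0 on success, -1 when the check
 * fails.  Hypothetical signature, not the driver's. */
int release_mapped_crypto_info(uint8_t *mapped, size_t len,
                               uint64_t volume_size, uint64_t max_size)
{
    secure_zero(mapped, len);            /* erase first, on every path */
    if (volume_size > max_size) {
        fatal_exception();               /* would bugcheck in the driver */
        return -1;
    }
    return 0;
}

/* Failing size check: 1 if the exception fired and the buffer is erased. */
int demo_erase_before_fatal(void)
{
    uint8_t key[32];
    memset(key, 0xAB, sizeof key);       /* constructed key material */
    fatal_calls = 0;
    int rc = release_mapped_crypto_info(key, sizeof key, 2000, 1000);
    return rc == -1 && fatal_calls == 1 && all_zero(key, sizeof key);
}

/* Passing size check: 1 if no exception fired and the buffer is erased. */
int demo_erase_on_success(void)
{
    uint8_t key[32];
    memset(key, 0xAB, sizeof key);
    fatal_calls = 0;
    int rc = release_mapped_crypto_info(key, sizeof key, 500, 1000);
    return rc == 0 && fatal_calls == 0 && all_zero(key, sizeof key);
}

int main(void)
{
    printf("erased before fatal: %d, erased on success: %d\n",
           demo_erase_before_fatal(), demo_erase_on_success());
    return 0;
}
```

In kernel code the volatile loop would be RtlSecureZeroMemory (or C11 memset_s where available); the point the loop makes is that the erase must not be an ordinary dead store, and that it must sit before any path that never returns.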
4.1.5 TC_IOCTL_GET_SYSTEM_DRIVE_DUMP_CONFIG Kernel Pointer Disclosure

The TC_IOCTL_GET_SYSTEM_DRIVE_DUMP_CONFIG ioctl returns the address of BootDriveFilterExtension, which is a pointer to the boot drive's extension object. The function does not check if the call comes from user space. An attacker can recover the pointer's address from user space.

VeraCrypt has fixed this problem:

Listing 4.4: src/Driver/Ntdriver.c:1690
    case TC_IOCTL_GET_SYSTEM_DRIVE_DUMP_CONFIG:
        if ((ValidateIOBufferSize (Irp, sizeof (GetSystemDriveDumpConfigRequest), ValidateOutput))
            && (Irp->RequestorMode == KernelMode))
        {

If the call does not come from kernel space, the ioctl returns STATUS_INVALID_PARAMETER and does not satisfy the request.
4.1.6 IOCTL_DISK_VERIFY Integer Overflow

An addition of parameters controlled by the user and processed by the IOCTL_DISK_VERIFY ioctl leads to an integer overflow. Verification can be avoided thanks to this vulnerability and large amounts of memory can be allocated in the non-paged pool. By calling IOCTL_DISK_VERIFY several times, an attacker asks for large amounts of memory in order to fill the kernel memory space. The consequence is a denial of service and, most probably, several malfunctions requiring a system reboot.

To detect the overflow, VeraCrypt has replaced the addition with a function from IntSafe, ULongLongAdd:

Listing 4.5: src/Driver/Ntdriver.c:809
    ullStartingOffset = (ULONGLONG) pVerifyInformation->StartingOffset.QuadPart;
    hResult = ULongLongAdd (ullStartingOffset,
        (ULONGLONG) Extension->cryptoInfo->hiddenVolume ? Extension->cryptoInfo->hiddenVolumeOffset : Extension->cryptoInfo->volDataAreaOffset,
        &ullNewOffset);
    if (hResult != S_OK)
        Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
    else if (S_OK != ULongLongAdd (ullStartingOffset, (ULONGLONG) pVerifyInformation->Length, &ullEndOffset))
        Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;

Note: Fraunhofer's report analysis of the bug's origin is not accurate:
    The content of the variable comes from the method ''ExInterlockedRemoveHeadList'', which is part of Microsoft ''Ntoskrnl.lib'' library. Thus, this vulnerability depends on whether the method ''ExInterlockedRemoveHeadList()'' intercepts an integer overflow.
The claim feels like complete nonsense.
4.1.7 TC_IOCTL_OPEN_TEST Multiple Issues

The TC_IOCTL_OPEN_TEST ioctl opens a user-specified file with the function ZwCreateFile without checking if the user has the correct access rights and then reads its content. TrueCrypt made this choice in order to detect whether its bootloader is present on the disk without the need for administrator privileges. This behavior allows several kinds of information leakage, such as the possibility to check for the presence of a file normally not accessible to the user.

VeraCrypt does not fix this issue. It even adds a new information leakage source: it is now possible to check the SHA-256 hash of the first 512 bytes of a file.

A similar issue can be found in the TC_IOCTL_GET_SYSTEM_DRIVE_CONFIG ioctl. It has not been fixed either. VeraCrypt should consider these issues and fix them.
4.1.8 MainThreadProc() Integer Overflow

The MainThreadProc function handles userspace-controlled data. Its code contains an integer overflow vulnerability which can be triggered when handling requests from IRP_MJ_READ and IRP_MJ_WRITE. By choosing carefully crafted values, data whose sizes are controlled by the user are copied in a buffer sent back to the user. It is a typical information leakage.

VeraCrypt has fixed this vulnerability by means of an overflow detection function from IntSafe.

Listing 4.6: src/Driver/EncryptedIoQueue.c:571
    ULONG alignedLength;
    LARGE_INTEGER alignedOffset;
    hResult = ULongAdd (item->OriginalLength, ENCRYPTION_DATA_UNIT_SIZE, &alignedLength);
    if (hResult != S_OK)
    {
        CompleteOriginalIrp (item, STATUS_INVALID_PARAMETER, 0);
        continue;
    }
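The checked addition behind this fix and the IOCTL_DISK_VERIFY one in 4.1.6, as an added example (not the driver's code): ULongLongAdd/ULongAdd equivalents, the range check written the unchecked way the text describes for TrueCrypt 7.1a, and the same check with every sum validated first. The parameters data_offset/data_size, the bounds rule and the status constants are simplified stand-ins for the driver's fields.

```c
#include <stdint.h>
#include <stdio.h>

#define STATUS_SUCCESS            0
#define STATUS_INVALID_PARAMETER  (-1)   /* stand-in for the NTSTATUS value */

/* IntSafe-style checked additions: 0 on success, -1 if the sum would wrap.
 * The comparison itself cannot overflow. */
int checked_add_u64(uint64_t a, uint64_t b, uint64_t *sum)
{
    if (a > UINT64_MAX - b) return -1;
    *sum = a + b;
    return 0;
}

int checked_add_u32(uint32_t a, uint32_t b, uint32_t *sum)
{
    if (a > UINT32_MAX - b) return -1;
    *sum = a + b;
    return 0;
}

/* The 7.1a shape the text describes: the sum wraps silently, so a
 * StartingOffset near 2^64 plus an attacker-chosen Length lands back inside
 * the data area and the request passes (simplified bounds rule). */
int verify_range_unchecked(uint64_t start, uint64_t length, uint64_t data_size)
{
    uint64_t end_offset = start + length;        /* may wrap */
    return end_offset > data_size ? STATUS_INVALID_PARAMETER : STATUS_SUCCESS;
}

/* The fixed shape of Listing 4.5: both additions are checked before either
 * result is trusted. */
int verify_range_checked(uint64_t start, uint64_t length,
                         uint64_t data_offset, uint64_t data_size)
{
    uint64_t new_offset, end_offset;
    if (checked_add_u64(start, data_offset, &new_offset) != 0)
        return STATUS_INVALID_PARAMETER;
    if (checked_add_u64(start, length, &end_offset) != 0)
        return STATUS_INVALID_PARAMETER;
    return end_offset > data_size ? STATUS_INVALID_PARAMETER : STATUS_SUCCESS;
}

/* Listing 4.6's case: OriginalLength plus one data unit.  Returns 0 on
 * overflow, which is never a valid aligned length. */
uint32_t aligned_length(uint32_t original_length)
{
    enum { ENCRYPTION_DATA_UNIT_SIZE = 512 };
    uint32_t aligned;
    if (checked_add_u32(original_length, ENCRYPTION_DATA_UNIT_SIZE, &aligned) != 0)
        return 0;
    return aligned;
}

int main(void)
{
    uint64_t start = UINT64_MAX - 100, length = 200, data_size = 1u << 20;
    printf("unchecked: %d, checked: %d\n",
           verify_range_unchecked(start, length, data_size),
           verify_range_checked(start, length, 4096, data_size));
    return 0;
}
```

The crafted input (start = 2^64 - 101, length = 200) gives an end offset of 99 in the unchecked form, which is below data_size and is accepted; the checked form rejects it at the first addition.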
4.1.9 MountVolume() Device Check Bypass

The VolumeThreadProc function in Ntdriver.c checks the validity of a volume's name, which is a userspace-controlled value, by comparing it to the string \Device without prior case checks. Thus, according to the iSec report, a file name beginning with \device\ is not considered as a device. This will result in an unexpected code path being followed in the function TCOpenVolume().

VeraCrypt has fixed the issue by adding a function IsDeviceName which provides a case-insensitive comparison to the string \device:

Listing 4.7: src/Driver/Ntdriver.c:1921
    BOOL IsDeviceName (wchar_t wszVolume[TC_MAX_PATH])
    {
        if (wszVolume[0] && (wszVolume[1] == 'D' || wszVolume[1] == 'd')
            && (wszVolume[2] == 'E' || wszVolume[2] == 'e')
            && (wszVolume[3] == 'V' || wszVolume[3] == 'v')
            && (wszVolume[4] == 'I' || wszVolume[4] == 'i')
            && (wszVolume[5] == 'C' || wszVolume[5] == 'c')
            && (wszVolume[6] == 'E' || wszVolume[6] == 'e'))
        {
            return TRUE;
        }
        else
            return FALSE;
    }
4.1.10 GetWipePassCount() / WipeBuffer() Can Cause BSOD

The GetWipePassCount function returns the number of wipe passes to execute on a given volume from a wipe algorithm identifier. If the identifier is unknown, TC_THROW_FATAL_EXCEPTION is called. In the driver's code, this function is a wrapper of KeBugCheckEx. The function can be reached from two ioctls using a controlled identifier value. If the identifier value is not in the expected case list, a BSOD is triggered. Handling the case differently, for example by issuing an error message, seems more reasonable.

VeraCrypt has fixed this vulnerability by returning an invalid value (-1). A calling function checks against this value instead of causing a BSOD.
4.1.11 EncryptDataUnits() Lacks Error Handling

EncryptDataUnits is a key function of TrueCrypt's security. Indeed, it orchestrates all the encryption and decryption operations of the volumes in the BIOS and the driver. Here is its prototype:

    void EncryptDataUnits (unsigned __int8 *buf, const UINT64_STRUCT *structUnitNo, uint32 nbrUnits, PCRYPTO_INFO ci);

The function encrypts data in place and does not return any value which would allow detecting an error occurring during encryption. If the encryption operation fails, plaintext data are written to disk. The same situation occurs for the DecryptDataUnits function: if it fails, corrupted data are read.

iSec recommends redesigning this functionality to make it more robust. It is a very relevant recommendation which would imply heavy modifications in the current source code. VeraCrypt has not taken this recommendation into account.
4.1.12 Conclusion on Vulnerabilities Detailed in OCAP Phase 1

Most vulnerabilities presented in iSec's report have been fixed in VeraCrypt. The first medium severity problem that has not been fixed is related to the kernel stack page mechanism; it was already a known problem and it was documented by TrueCrypt to allow users to get a secure configuration. The problem related to the erasure of sensitive data should be fixed, even if it does not lower the security of the product when used according to the documentation's recommendations.

Vulnerability                                                    | Class             | Severity      | Status
Weak Volume Header key derivation algorithm                      | Cryptography      | Medium        | Fixed
Sensitive information might be paged out from kernel stacks      | Data Exposure     | Medium        | Not fixed
Multiple issues in the bootloader decompressor                   | Data Validation   | Medium        | Fixed
Windows kernel driver uses memset() to clear sensitive data      | Data Exposure     | Medium        | Partially fixed
TC_IOCTL_GET_SYSTEM_DRIVE_DUMP_CONFIG kernel pointer disclosure  | Data Exposure     | Low           | Fixed
IOCTL_DISK_VERIFY integer overflow                               | Data Validation   | Low           | Fixed
TC_IOCTL_OPEN_TEST multiple issues                               | Data Exposure     | Low           | Not fixed
MainThreadProc() integer overflow                                | Denial of Service | Informational | Fixed
MountVolume() device check bypass                                | Data Validation   | Informational | Fixed
GetWipePassCount() / WipeBuffer() can cause BSOD                 | Denial of Service | Informational | Fixed
EncryptDataUnits() lacks error handling                          | Error Reporting   | Informational | Not fixed
4.2 Vulnerabilities Detailed in OCAP Phase 2

This section lists and comments on the vulnerabilities discovered during the second phase of the audit ordered by OCAP. The audit has been performed by Cryptography Services of NCC Group [OCAP2].

4.2.1 CryptAcquireContext May Silently Fail in Unusual Scenarios

The CryptAcquireContext function belongs to Windows' CryptoAPI. It is used in conjunction with CryptGenRandom to generate random numbers. The CryptAcquireContext function is used to get a context to a user's key container. The function is called with incorrect parameters. In some situations, initializing a key container can fail and the function call will fail. TrueCrypt does not use a key container and uses the CryptAcquireContext function exclusively to get a handle to a Cryptographic Service Provider to generate random numbers.

NCC Group's report gives a set of correct call parameters. They have been taken into account by VeraCrypt. The vulnerability has been fixed for all sensitive operations. There remains a single case where the code is unchanged: the random generation of colors in the donation page, near the end of the installation program, on Windows.

We consider the vulnerability fixed.
4.2.2 AES Implementation Susceptible to Cache-Timing Attacks

NCC Group's report claims that some implementations of AES located in the files AesSmall.c, AesSmall_x86.asm, Aes_x86.asm and Aes_x64.asm are susceptible to cache-timing attacks. VeraCrypt did not implement any of the proposed countermeasures.

The implementations located in AesSmall.c and AesSmall_x86.asm are only used during boot time, as detailed in Fraunhofer's report. The only attack scenario where it would be possible to take advantage of a cache-timing attack is the case of a physical machine hosting two virtual machines, one with a system entirely encrypted and the other controlled by an attacker.

If the AES-NI instruction set is available, an AES-NI implementation will be used. This implementation is not susceptible to cache-timing attacks. Otherwise, the functions from Aes_x86.asm and Aes_x64.asm are used. We consider that both these implementations would need to be fixed first.

NCC Group's report only focuses on AES. We did not check if other implementations are susceptible to such attacks.

The severity of this vulnerability was judged "High" in NCC Group's report. We would like to stress the fact that VeraCrypt's security model [2] makes it clear that:
    VeraCrypt does not: Secure any data on a computer if the computer contains any malware (e.g. a virus, Trojan horse, spyware) or any other piece of software (including VeraCrypt or an operating system component) that has been altered, created, or can be controlled, by an attacker.

The documentation does not specify whether the term "computer" is limited to a physical machine or if it can be a virtual machine sharing a physical machine with other VMs.

[2] VeraCrypt Documentation - Security Model. https://veracrypt.codeplex.com/wikipage?title=Security%20Model
4.2.3 Keyfile Mixing Is Not Cryptographically Sound

Keyfiles can be used along with the user passphrase to generate the key used to mount a volume. The key derivation algorithm used to process the keyfiles and generate the volume key is not cryptographically sound.

As a preliminary remark, notice that for each keyfile, only the first megabyte is used. Keyfile data is used to fill a 64-byte circular buffer named the keyfile pool. When starting the key derivation process, a cursor is set at the beginning of the keyfile pool and will be moved after each update.

The derivation process from the keyfiles relies on a CRC-32 function. For each keyfile, each byte is read and submitted to the CRC-32 function to update its current value. The 4-byte value is extracted and each byte is added to the corresponding byte located at the cursor's position in the keyfile pool. The cursor position is updated accordingly. Once this process is finished, the resulting 512 bits are XORed with the passphrase padded with zeroes to 512 bits.

CRC-32 is not a cryptographic hash function. Using it in this key derivation mechanism creates undesirable properties:
– From a set of valid keyfiles, it is possible to create another distinct one (i.e. allowing to mount a volume),
– It is possible to create keyfiles that do not modify the keyfile pool,
– From a set of keyfiles, it is possible to create a new keyfile which removes the security brought by the former set of keyfiles (i.e. which zeroes the keyfile pool),
– From a known passphrase, it is possible to create a keyfile which removes the security brought by this passphrase.

This problem has been previously reported to TrueCrypt's authors by Sogeti [SOGETI] in 2008 and by the Ubuntu Privacy Remix Team [UPR] in 2011. The [UPR] and the [FSIT] reports describe interesting attack scenarios. TrueCrypt's developers denied the problem since the attacks require the prior knowledge of a secret or the prior manipulation of a machine. Here is an excerpt of their answer to the Ubuntu Privacy Remix Team:
    It is a basic security requirement that cryptographic keys (whether passwords, keyfiles, or master keys) must be secret and unknown to attackers. Your attack violates this requirement and is therefore invalid/bogus.

NCC Group's report recommends the use of HMAC with a cryptographic hash function. We concur. This recommendation should really be implemented. For the moment the problem has not been corrected, probably because it would break backward compatibility.
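An added example (not VeraCrypt's code) that reimplements the pool mixing just described and constructs two of the four listed properties: a keyfile that leaves the pool untouched, and two distinct keyfiles with identical contributions. Both rest on one primitive, that from any running CRC-32 state four chosen bytes reach any target state, which is what a cryptographic hash would deny an attacker. Assumptions beyond the text: the CRC starts at 0xffffffff and is used without final XOR, and CRC and cursor restart for each keyfile; the final XOR with the zero-padded passphrase is left out, and the other two listed properties are not constructed here. The sample keyfile is constructed input.

```c
#include <stdint.h>
#include <string.h>

#define POOL_SIZE 64
#define CRC_INIT  0xffffffffu

static uint32_t crc_tab[256];
static uint8_t  crc_rev[256];   /* top byte of crc_tab[k] -> k */

static void init_tables(void)
{
    if (crc_tab[1]) return;     /* already built */
    for (uint32_t k = 0; k < 256; k++) {
        uint32_t c = k;
        for (int i = 0; i < 8; i++)
            c = (c & 1) ? 0xedb88320u ^ (c >> 1) : c >> 1;
        crc_tab[k] = c;
        crc_rev[c >> 24] = (uint8_t)k;   /* the 256 top bytes are all distinct */
    }
}

/* One reflected CRC-32 step; the running value is used as-is, no final XOR. */
static uint32_t crc_step(uint32_t crc, uint8_t b)
{
    return crc_tab[(crc ^ b) & 0xff] ^ (crc >> 8);
}

/* The mixing described above: each byte updates the CRC, the four CRC bytes
 * are added mod 256 at the cursor, which advances and wraps at 64.  CRC and
 * cursor restart for every keyfile (assumed from "for each keyfile"). */
void mix_keyfile(uint8_t pool[POOL_SIZE], const uint8_t *data, size_t len)
{
    uint32_t crc = CRC_INIT;
    size_t cursor = 0;
    init_tables();
    if (len > 1048576) len = 1048576;   /* only the first megabyte is used */
    for (size_t i = 0; i < len; i++) {
        crc = crc_step(crc, data[i]);
        for (int s = 24; s >= 0; s -= 8) pool[cursor++] += (uint8_t)(crc >> s);
        if (cursor >= POOL_SIZE) cursor = 0;
    }
}

/* Malleability primitive: from any state, four chosen bytes reach any target.
 * Walk back from the target through the inverted table to learn the table
 * index each step must use, then replay forwards to pick the bytes. */
void crc_force(uint32_t state, uint32_t target, uint8_t out[4])
{
    uint8_t idx[4];
    init_tables();
    for (int i = 3; i >= 0; i--) {
        idx[i] = crc_rev[target >> 24];
        target = (target ^ crc_tab[idx[i]]) << 8;
    }
    for (int i = 0; i < 4; i++) {
        out[i] = (uint8_t)((state ^ idx[i]) & 0xff);
        state = crc_step(state, out[i]);
    }
}

int crc_force_check(uint32_t state, uint32_t target)   /* 1 if forcing works */
{
    uint8_t b[4];
    crc_force(state, target, b);
    for (int i = 0; i < 4; i++) state = crc_step(state, b[i]);
    return state == target;
}

/* 16-byte block (12 filler + 4 forcing bytes): starts and ends at CRC_INIT
 * and moves the cursor exactly one full turn (16 * 4 = 64). */
static void clean_block(uint8_t block[16], uint8_t filler)
{
    uint32_t crc = CRC_INIT;
    init_tables();
    for (int i = 0; i < 12; i++) crc = crc_step(crc, block[i] = filler);
    crc_force(crc, CRC_INIT, block + 12);
}

/* 256 copies of a clean block add the same contribution 256 times to every
 * pool byte, i.e. zero mod 256: a 4096-byte keyfile that changes nothing. */
void zero_contribution_keyfile(uint8_t out[4096], uint8_t filler)
{
    uint8_t block[16];
    clean_block(block, filler);
    for (int i = 0; i < 256; i++) memcpy(out + 16 * i, block, 16);
}

/* 1 when both constructions behave as claimed. */
int demo_keyfile_weaknesses(void)
{
    static const uint8_t user_keyfile[] = "constructed sample keyfile contents";
    uint8_t nullfile[4096], k1[16], k2[16 + 4096];
    uint8_t p_ref[POOL_SIZE] = {0}, p_a[POOL_SIZE] = {0}, p_b[POOL_SIZE] = {0};

    mix_keyfile(p_ref, user_keyfile, sizeof user_keyfile);
    zero_contribution_keyfile(nullfile, 0x41);
    memcpy(p_a, p_ref, POOL_SIZE);
    mix_keyfile(p_a, nullfile, sizeof nullfile);        /* pool unchanged */
    if (memcmp(p_a, p_ref, POOL_SIZE) != 0) return 0;

    clean_block(k1, 0x7a);                              /* k1 and k2 differ... */
    memcpy(k2, k1, 16);
    zero_contribution_keyfile(k2 + 16, 0x13);
    memset(p_a, 0, POOL_SIZE);
    mix_keyfile(p_a, k1, sizeof k1);
    mix_keyfile(p_b, k2, sizeof k2);
    return memcmp(p_a, p_b, POOL_SIZE) == 0;            /* ...but mix identically */
}

int main(void) { return crc_force_check(CRC_INIT, 0) && demo_keyfile_weaknesses() ? 0 : 1; }
```

Run stand-alone, the program exits 0 when both constructions hold. With an HMAC over the keyfile contents, as NCC Group recommends, none of this is available: an attacker cannot steer the output with four trailing bytes, and two distinct keyfiles producing the same contribution would be a collision in the hash.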
4.2.4 Unauthenticated Ciphertext in Volume Headers

To provide integrity for a volume header in plaintext, two CRC-32 checksums on decrypted header data and a 4-byte ASCII string ("TRUE" in TrueCrypt and "VERA" in VeraCrypt) are used. As mentioned earlier, CRC-32 is not a cryptographic integrity mechanism but rather an error detection mechanism, which is meant to prevent accidents but not attacks. The same goes for the comparison of the 4-byte decrypted ASCII string to a fixed string. This problem was already mentioned by Sogeti in 2008 [SOGETI].

NCC Group's report mentions that an existential forgery is possible with approximately 2^32 queries. For the sake of clarity we provide an idea of such an attack. An existential forgery does not imply that the header produced and accepted by the integrity verification will have all fields coherent, simply that a header will be declared legitimate while produced by the attacker.

A VeraCrypt header contains 2 CRCs and a few fields that are subjected to strict checks. Most of them are located in the header's first encrypted block. The first CRC, located in the first encrypted block, depends on the encryption keys and if they are left untouched, this CRC is also untouched. The fourth encrypted block contains the SectorSize field which is subjected to a check. If we leave this block untouched, the field will be valid. Then there remain 10 encrypted blocks that can be manipulated, as the XTS mode leaves all the blocks independent from each other. As the goal for the attacker is to get a 32-bit CRC value right by manipulating ten 128-bit blocks, it can succeed after 2^32 queries.

NCC Group's report recommends replacing these mechanisms with a Message Authentication Code (MAC). The user passphrase could be used to derive a MAC key in addition to the encryption keys. The MAC of the header would be checked before mounting the volume. Implementing such a mechanism should be done in VeraCrypt. Mechanisms using CRC-32 are still present in TrueCrypt after many years of warnings for obvious compatibility reasons. They should nonetheless be replaced by real up-to-date authentication mechanisms.

A major difficulty in achieving this improvement is the lack of space after the header to store a MAC value in the case of system encryption with MBR. A possible idea would be to use the 960 zero bits located in the header to store such a MAC, but whether to use a MAC-then-encrypt or an encrypt-then-MAC construction, taking into account all the constraints of the project, must be studied in detail.
4.2.5 Conclusion on Vulnerabilities Detailed in OCAP Phase 2

A single vulnerability from the list reported by the OCAP Phase 2 analysis has been corrected. The fix was the simplest one to implement. Re-designing and re-writing AES functions immune to cache-timing attacks would require a more significant effort. Using VeraCrypt on a machine with a CPU providing AES-NI instructions is an available workaround.

Note: We did not check the implementations of other cryptographic algorithms in VeraCrypt against cache-timing attacks.

The last two vulnerabilities have been known for a long time. Fixing them would break backward compatibility with existing volumes but would bring better security to the product. We recommend fixing them.

Vulnerability                                               | Class        | Severity     | Status
CryptAcquireContext may silently fail in unusual scenarios  | Cryptography | High         | Fixed
AES implementation susceptible to cache-timing attacks      | Cryptography | High         | Not fixed
Keyfile mixing is not cryptographically sound               | Cryptography | Low          | Not fixed
Unauthenticated ciphertext in volume headers                | Cryptography | Undetermined | Not fixed
4.3 Vulnerabilities Reported by James Forshaw

Two vulnerabilities have been discovered by James Forshaw of Google Project Zero. Both are located in TrueCrypt's driver. The impact of the first one (CVE-2015-7359) is rather anecdotal. The second one (CVE-2015-7358) leads to an interesting privilege escalation.

4.3.1 Incorrect Impersonation Token Handling EoP (CVE-2015-7359)

The vulnerability and its impact are documented in detail in Project Zero's issue tracker [P0-537]. It is located in the user token verification routine in TrueCrypt's driver. In two different locations, TrueCrypt's driver acquires the security context of the current user with a call to SeCaptureSubjectContext and extracts the active token with a call to SeQuerySubjectContextToken. The driver does not apply any impersonation level verification, which causes the problem. By using the impersonation level SecurityIdentification, a user can impersonate another one. This should only be possible from the level SecurityImpersonation.

The problem is present in two functions of the driver: IsVolumeAccessibleByCurrentUser and MountDevice. In IsVolumeAccessibleByCurrentUser, the bug allows an attacker to unmount another user's volumes and to get information on the mounted volumes. In MountDevice, the bug does not lead to any attack. As stated by James Forshaw, the problem is anecdotal compared to the problems already coming from leaving volumes mounted on a shared machine.

It has been fixed by VeraCrypt, following Forshaw's recommendations: the impersonation level is verified. An example of the fix is shown below. The other one is identical.

Listing 4.8: src/Driver/Ntdriver.c:2756
    SeCaptureSubjectContext (&subContext);
    SeLockSubjectContext (&subContext);
    if (subContext.ClientToken && subContext.ImpersonationLevel >= SecurityImpersonation)
        accessToken = subContext.ClientToken;
    else
        accessToken = subContext.PrimaryToken;
4.3.2 Drive Letter Symbolic Link Creation EoP (CVE-2015-7358)

The second vulnerability reported by James Forshaw allows a user to get system privileges from an application running with user privileges or within a low-integrity sandbox [P0-538]. The bug's origin is very simple. On the contrary, its consequences in terms of security and its exploitation are not. James Forshaw wrote a detailed blog article on how to exploit this vulnerability and how DosDevices are managed since NT 3.1 [P0-BLOG].

The vulnerability is located in the IsDriveLetterAvailable function of the Ntdriver.c file.

Listing 4.9: Driver/Ntdriver.c:2881 in TrueCrypt 7.1a
    BOOL IsDriveLetterAvailable (int nDosDriveNo)
    {
        OBJECT_ATTRIBUTES objectAttributes;
        UNICODE_STRING objectName;
        WCHAR link[128];
        HANDLE handle;

        TCGetDosNameFromNumber (link, nDosDriveNo);
        RtlInitUnicodeString (&objectName, link);
        InitializeObjectAttributes (&objectAttributes, &objectName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);

        if (NT_SUCCESS (ZwOpenSymbolicLinkObject (&handle, GENERIC_READ, &objectAttributes)))
        {
            ZwClose (handle);
            return FALSE;
        }

        return TRUE;
    }

The variable nDosDriveNo is an integer ranging from 0 to 25 and represents a drive letter from A to Z. The function TCGetDosNameFromNumber builds a path to the symbolic link \DosDevices\X:, where X stands for the drive letter associated to nDosDriveNo. If ZwOpenSymbolicLinkObject fails for any reason, then the drive letter passed as a parameter is considered available, even if it already exists.

VeraCrypt has fixed this issue, following James Forshaw's recommendations: the function returns TRUE only if the object \DosDevices\X: does not exist. Moreover, in order to avoid any further problems with \DosDevices, the Global MS-DOS device names are used.

-#define DOS_MOUNT_PREFIX DRIVER_STR("\\DosDevices\\")
+#define DOS_MOUNT_PREFIX DRIVER_STR("\\GLOBAL??\\") // Explicitely use Global MS-DOS device names to avoid security issues

This modification has triggered side effects with Windows' mount manager. Thus new modifications have been implemented. In our opinion, they do not bring vulnerabilities. We consider this problem fixed.
4.
3.
3ConclusiononVulnerabilitiesReportedbyJamesForshawBothvulnerabilitiesarecorrectedinVeraCrypt.
VulnerabilitySeverityStatusIncorrectImpersonationTokenHandlingEoPLowFixedDriveLetterSymbolicLinkCreationEoPHighFixedRef.
5. VeraCrypt's Modifications Assessment

5.1 The Length of the Password Can Be Computed When Encryption Is Activated

Class: Data Exposure | Severity: Low | Difficulty: Medium

VeraCrypt can encrypt the hard drive partition where the operating system is installed. We deal here with the startup from the BIOS only, not the UEFI one. The original boot loader is replaced with a specific one that asks for the password of the partition to start on. It then decrypts the system partition and the usual boot goes on.

Keystrokes are saved in a 32-byte circular buffer in the BIOS Data Area, located at address 0040:001Eh. Each keystroke is stored on 2 bytes, the first one being the ASCII code and the second one the BIOS scan code, so 16 inputs can be saved. Once the system is started, if this buffer has not been cleared, it is possible to retrieve the user password. VeraCrypt prevents this potential leak by zeroing the buffer with the ClearBiosKeystrokeBuffer function.

Listing 5.1: src/Boot/Windows/BootConsoleIo.cpp:291

    void ClearBiosKeystrokeBuffer ()
    {
        __asm
        {
            push es
            xor ax, ax
            mov es, ax
            mov di, 0x41e
            mov cx, 32
            cld
            rep stosb
            pop es
        }
    }

However, the 2 pointers related to the keystroke buffer are located just before it and are not erased. The first one points to the last character of the buffer, the other one to the address where the next character is going to be written. Using the values of these 2 pointers, one can gain information on the length of the password. If the user entered the password correctly at boot time, with no mistake, followed by "Enter", the first pointer value is then 001Eh + (2 * (len(password) + 1) mod 32). Since each character is stored on 2 bytes, one can compute the length of the password modulo 16.

This information leak might not look critical, as the system needs to be booted and privileged access is required to read BIOS memory. Nonetheless, it should be fixed for 2 reasons:

- The risk has already been considered, since the password itself is zeroed.
- If the running system is compromised, recovering the keys encrypting the system is a known damage, but it should not leak information about the user password, since that information can be used to speed up a brute-force attack on the password. And the same password could be used on other systems too.
5.2 Data Compression: Too Many Different Critical Issues

Compression functions are used at several places in the project's source code:

- to decompress the boot loader when the hard drive is encrypted;
- to create and check the recovery disks if the system is encrypted and uses UEFI;
- during the installation, to extract programs.

It appears that all compression functions have issues.

5.2.1 Out-of-Date inflate and deflate

Class: Patching | Severity: High | Difficulty: High

In 2007, TrueCrypt forked a version of the inflate library to decompress data in the format specified in RFC 1951, in order to create self-extracting installation packages. Compression being done with gzip, only inflate is required for decompression. The installation package uses inflate to extract files at install time. The version of inflate used by TrueCrypt was already obsolete and vulnerable, but that was not a security issue since the user had to execute the installer to be compromised.

VeraCrypt then added another copy of inflate, coming from XUnzip. XZip and XUnzip are 2 modules allowing to create and extract Zip archives. They embed inflate and deflate, in more than obsolete versions, as we can read from the XUnzip copyright:

    extern const char inflate_copyright[] = " inflate 1.1.3 Copyright 1995-1998 Mark Adler ";
    // If you use the zlib library in a product, an acknowledgment is welcome
    // in the documentation of your product. If for some reason you cannot
    // include such an acknowledgment, I would appreciate that you keep this
    // copyright string in the executable of your product.

The version used is for instance vulnerable to CVE-2002-0059. The inflate and deflate functions should be merged and replaced by up-to-date versions, like the ones included in the current zlib library. TrueCrypt did fork the code, but chose not to fix the security issues affecting it. VeraCrypt thus includes a zlib version that was already vulnerable. It seems better to add a dependency on zlib, which would at least ensure a properly maintained code base.

The same type of issue affects the decompressor for the boot loader. Its code comes from puff, an optimized implementation of inflate for applications with little memory, available in the contrib directory of zlib. A minor bug has been fixed in the latest version of puff, distributed with zlib 1.2.5.1, but not in VeraCrypt's copy. Also, calls to longjmp and setjmp have been removed from the original code, leading to an out-of-bounds read during boot loader decompression. This is because these functions are not supported by Visual C++ 1.52, and no workaround has been implemented by IDRIX. The size constraint on the boot loader, which forces the decompressor to fit on 4 disk sectors of 512 bytes each, makes the problem difficult to fix. Note that it does not lead to a vulnerability.

5.2.2 XZip and XUnzip Need to Be Completely Re-Written

Class: Data Validation | Severity: High | Difficulty: High

Since version 1.18 and UEFI support, VeraCrypt can create rescue disks. They are different from the ones supported by BIOS: they contain UEFI loaders allowing, for instance, to reinstall the boot loader. The format of the image is Zip. The library used to create them is XZip, as mentioned earlier. It seems to come from a 2007 article published on CodeProject (1). Obvious bugs are present in the code, as demonstrated in the following example:

Listing 5.2: src/Common/XZip.cpp:3130

    BOOL AddFolderContent(HZIP hZip, TCHAR* AbsolutePath, TCHAR* DirToAdd)
    {
        HANDLE hFind; // file handle
        WIN32_FIND_DATA FindFileData;
        TCHAR PathToSearchInto[MAX_PATH] = {0};

        if (NULL != DirToAdd)
        {
            ZipAdd(hZip, DirToAdd, 0, 0, ZIP_FOLDER);
        }

        // Construct the path to search into "C:\\Windows\\System32\\*"
        _tcscpy(PathToSearchInto, AbsolutePath);
        _tcscat(PathToSearchInto, _T("\\"));
        _tcscat(PathToSearchInto, DirToAdd);
        _tcscat(PathToSearchInto, _T(

AddFolderContent is exported by the library. The length of AbsolutePath is not checked before the call to _tcscpy, into a fixed MAX_PATH buffer. The function checks that DirToAdd is not null, but then calls _tcscat with DirToAdd as argument in every case. As explained earlier, known vulnerabilities are present in the copied inflate and deflate. We strongly recommend either rewriting this library on top of an up-to-date version of zlib or, preferably, using another component to handle Zip files. The security consequences are explained in Memory Corruption Can Occur When the Recovery Disk Is Read.

(1) XFile - Extending the Win32 File API for Server Applications. http://www.codeproject.com/Articles/4093/XFile-Extending-the-Win-File-API-for-Server-Appl
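The two defects in AddFolderContent (an unchecked copy into a fixed MAX_PATH buffer, and a DirToAdd that is tested for NULL and then concatenated anyway) are removed by a bounded join that validates before it copies. The block below is an added example written for this page, not XZip's or VeraCrypt's code: it builds the "<AbsolutePath>\<DirToAdd>\*" pattern named in the listing's comment with explicit length checks. MAX_PATH_LEN, build_search_path and demo_checks are names chosen here, not project identifiers, and the 260-character limit is an assumption standing in for MAX_PATH.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not XZip/VeraCrypt code. MAX_PATH_LEN stands in for the size
 * of the fixed PathToSearchInto buffer in the listing; the value is assumed. */
#define MAX_PATH_LEN 260

/* Builds "<absolute_path>\<dir_to_add>\*" into out.
 * Returns 0 on success, -1 on a NULL argument or when the result (terminator
 * included) would not fit; on failure out is left as an empty string. */
int build_search_path(char *out, size_t out_size,
                      const char *absolute_path, const char *dir_to_add)
{
    if (out == NULL || out_size == 0)
        return -1;
    out[0] = '\0';

    /* Reject NULL instead of testing it once and concatenating it anyway. */
    if (absolute_path == NULL || dir_to_add == NULL)
        return -1;

    /* Size check before any copy: path + '\' + dir + "\*" + NUL. */
    size_t need = strlen(absolute_path) + 1 + strlen(dir_to_add) + 2 + 1;
    if (need > out_size)
        return -1;

    int n = snprintf(out, out_size, "%s\\%s\\*", absolute_path, dir_to_add);
    if (n < 0 || (size_t)n >= out_size) {   /* defensive: never trust the estimate alone */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Exercises three cases: normal input, an over-long AbsolutePath, and a NULL
 * DirToAdd. Returns a bitmask; 7 means every case behaved as intended. */
int demo_checks(void)
{
    char out[MAX_PATH_LEN];
    char longpath[MAX_PATH_LEN + 40];
    int result = 0;

    if (build_search_path(out, sizeof out, "C:\\Windows", "System32") == 0 &&
        strcmp(out, "C:\\Windows\\System32\\*") == 0)
        result |= 1;

    memset(longpath, 'A', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';            /* 299 characters, constructed input */
    if (build_search_path(out, sizeof out, longpath, "x") == -1 && out[0] == '\0')
        result |= 2;

    if (build_search_path(out, sizeof out, "C:\\Windows", NULL) == -1)
        result |= 4;

    return result;
}

int main(void)
{
    printf("checks bitmask: %d (7 = all passed)\n", demo_checks());
    return 0;
}
```

The estimate-then-snprintf pair is deliberate: the length computation rejects oversized input before anything is written, and the snprintf return value catches any mismatch between the estimate and the format string, so a later edit to the format cannot silently reintroduce truncation.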
5.3 Integer Overflow When Computing the Number of Iterations for PBKDF2 When PIM Is Used

Class: Data Validation | Severity: High | Difficulty: High

VeraCrypt has added a new security parameter called PIM (Personal Iterations Multiplier) in order to change the number of rounds of PBKDF2 during the derivation of the key used to encrypt the header of a volume. The function computing the iteration count for PBKDF2 is get_pkcs5_iteration_count. In the function code, the case of each supported hash function is treated separately. However, when a PIM is used, the number of rounds for PBKDF2 follows the same formula for all of them, namely 15000 + PIM * 1000 (the computation is different for the system partition).

The computation made in get_pkcs5_iteration_count can overflow for a large PIM value, which can give a wrong feeling about the security strength. The overflow is quite straightforward:

Listing 5.3: src/Common/Pkcs5.c:1158

    int get_pkcs5_iteration_count (int pkcs5_prf_id, int pim, BOOL truecryptMode, BOOL bBoot)
    {
        if ((pim < 0) || (truecryptMode && pim > 0)) /* No PIM for TrueCrypt mode */
        {
            return 0;
        }

        switch (pkcs5_prf_id)
        {
        ...
        case SHA512:
            return truecryptMode ? 1000 : ((pim == 0) ? 500000 : 15000 + pim * 1000);

With a PIM value of 8589920, the return value is 408, which is obviously weaker than the expected value of 8589935000. On Windows, a check is performed in the GUI when the volume is created: a message box appears if the PIM is greater than 2147468, the largest value before the overflow. This is not the case on Linux and Mac OS X, where one can specify a PIM that triggers the overflow. Fortunately, these versions refuse to mount such volumes and display an error message when trying. However, the volumes can be mounted on Windows, since the Windows version performs no verification at mount time.

A specific usage could therefore weaken the security of an encrypted container, although it is unlikely to occur: a user must create a volume under Linux or OS X, specify a PIM triggering the overflow, and then use this volume under Windows. The resulting number of iterations can then be very small, while the user keeps feeling secure. We advise unifying the application behavior: checks on the PIM must not be performed in the code related to the UI, but in the core functions of the program.
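The wrap-around and the core-side check that would prevent it, as an added example written for this page rather than VeraCrypt code. wrapped_iterations reproduces the unchecked 15000 + pim * 1000 in 32-bit arithmetic (done on uint32_t so the wrap is well defined; in the original signed int expression it is undefined behaviour that happens to wrap the same way), pim_max_safe derives the 2147468 limit from INT_MAX instead of hard-coding it, and checked_iterations is the check that belongs in the derivation path rather than in the GUI. All three names and PIM_BASE/PIM_STEP are chosen here, not project identifiers.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not VeraCrypt code. Constants mirror the non-system-partition
 * formula 15000 + pim * 1000 quoted in Listing 5.3. */
#define PIM_BASE 15000
#define PIM_STEP 1000

/* What the unchecked expression yields once pim * 1000 no longer fits in
 * 32 bits: the value wraps modulo 2^32. */
uint32_t wrapped_iterations(uint32_t pim)
{
    return (uint32_t)PIM_BASE + pim * (uint32_t)PIM_STEP;
}

/* Largest PIM for which 15000 + pim * 1000 still fits in a positive int,
 * computed from INT_MAX so it cannot drift from the formula. */
int pim_max_safe(void)
{
    return (INT_MAX - PIM_BASE) / PIM_STEP;
}

/* Core-side validation: returns the iteration count, or -1 when pim is out of
 * range. Computed in 64 bits so the comparison itself cannot overflow; this
 * is the check that should sit in get_pkcs5_iteration_count, not in the UI. */
int64_t checked_iterations(int64_t pim)
{
    if (pim < 0 || pim > pim_max_safe())
        return -1;
    return (int64_t)PIM_BASE + pim * (int64_t)PIM_STEP;
}

int main(void)
{
    uint32_t pim = 8589920u;   /* the value quoted in the text */
    printf("pim=%u  unchecked=%u  checked=%lld\n", pim, wrapped_iterations(pim),
           (long long)checked_iterations(pim));
    printf("largest safe pim=%d -> %lld iterations\n", pim_max_safe(),
           (long long)checked_iterations(pim_max_safe()));
    return 0;
}
```

With pim = 8589920 the unchecked expression yields 408 while the checked one rejects the value; the next PIM after 2147468 is the first to be rejected, matching the limit the Windows GUI enforces.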
5.4 PIN Code on Command Line

Class: Data Exposure | Severity: Informational | Difficulty: Low

A smart card or a security token can be used to unlock and mount a volume, in which case the user has to provide a PIN code. VeraCrypt added a feature that was not available in TrueCrypt: passing the PIN code on the command line, using the parameter --token-pin (or /tokenpin on Windows). VeraCrypt already allowed providing the password on the command line using the --password parameter. This feature was documented as potentially insecure:

    Warning: This method of entering a volume password may be insecure, for example, when an unencrypted command prompt history log is being saved to unencrypted disk.

The current documentation does not mention the same risks for the --token-pin argument. More generally, we believe such parameters should not be available and are bad practice. If the feature is kept anyway, the same security warning should be provided.

6. New Cryptographic Mechanisms Assessment
New cryptographic primitives for hashing and encryption have been added in VeraCrypt 1.18. The purpose of these additions is to include non-western algorithms in the project. The newly added algorithms are:

- Camellia, a symmetric block cipher with a block size of 128 bits. Camellia was developed by two Japanese companies, Mitsubishi Electric and NTT. It is derived from the AES candidate E2. VeraCrypt uses Camellia with 256-bit keys only.
- GOST 28147-89, also known as Magma. It is a Russian symmetric block cipher designed in the 70s. It uses a 256-bit key and has a block size of 64 bits. It used to be the Soviet alternative to DES.
- Kuznyechik, a symmetric block cipher with a block size of 128 bits and a key size of 256 bits. Kuznyechik is a Russian algorithm specified in GOST R 34.12-2015. It is the successor of GOST 28147-89.
- Streebog-512, a hash function defined in GOST R 34.11-2012. It is the Russian alternative to SHA-3.

The implementation of these new algorithms has been analyzed. Camellia, Kuznyechik and Streebog-512 are correctly implemented. Nevertheless, several problems have been identified.
6.1 GOST 28147-89 Must Be Removed from VeraCrypt

Class: Cryptography | Severity: High | Difficulty: High

The XTS mode is specified in [IEEE07] (1). It is only specified for 128-bit blocks (and more specifically intended to be used with AES), and is implemented for 128-bit blocks in VeraCrypt. It is derived from the XEX mode [Ro04]. GOST 28147-89 is a 64-bit block cipher specified in [GOST89]. To fit inside the XTS mode, GOST is "expanded" into a 128-bit block cipher by putting it into a CBC mode over two blocks with a null IV (see Fig. 6.1).

Listing 6.1: VeraCrypt/src/Crypto/GostCipher.c:234

    void gost_encrypt(const byte *in, byte *out, gost_kds *ks, int count)
    {
    #if defined(_M_AMD64)
        gost_encrypt_128_CBC_asm(in, out, ks, (uint64)count);
    #else
        while (count > 0)
        {
            // encrypt two blocks in CBC mode
            gost_encrypt_block(*((uint64 *) in), (uint64 *) out, ks);
            *((gst_udword *)(out + 8))  = *((gst_udword *)(in + 8))  ^ *((gst_udword *)(out));
            *((gst_udword *)(out + 12)) = *((gst_udword *)(in + 12)) ^ *((gst_udword *)(out + 4));
            gost_encrypt_block(*((uint64 *)(out + 8)), (uint64 *)(out + 8), ks);
            count--;
            in += 16;
            out += 16;
        }
    #endif
    }

Listing 6.2: VeraCrypt/src/Crypto/GostCipher.c:251

    void gost_decrypt(const byte *in, byte *out, gost_kds *ks, int count)
    [...]
            // decrypt two blocks in CBC mode

These functions are used in XTS through the calls to EncipherBlock() and DecipherBlock() respectively.

(1) It is also specified in [SP800-38E], where an additional compulsory requirement is the limit on the number of blocks in a data unit encrypted under the same key, set to 2^20.

Fig. 6.1: XTS with GOST-CBC-IV-NULL on a given 128-bit block of a data unit.

There are security proofs which state that the advantage of an attacker in distinguishing an XTS mode instantiated with a block cipher from a perfect tweakable permutation is upper-bounded by a value proportional to q^2/2^n, where q is the number of queries the attacker makes and n is the block size, plus the advantage in distinguishing, in a CCA (Chosen Ciphertext Attack) setting, the block cipher from a random permutation (see for example [LM08]).

Unfortunately, when using GOST-CBC-IV-NULL as a replacement for a 128-bit block cipher, one loses the applicability of the security proofs for 128 bits. Indeed, the use of a 64-bit block cipher in CBC-IV-NULL mode makes it straightforward to distinguish it from a 128-bit random permutation. If we denote by P = (P1 ‖ P2) a 128-bit plaintext, as the concatenation of two 64-bit halves, then the resulting ciphertext is C = (GOST(P1) ‖ GOST(P2 ⊕ GOST(P1))), where GOST denotes the 64-bit block encryption. If we consider a second plaintext P' = (P1 ‖ P2') with the same first half and a different second half, then C' = (GOST(P1) ‖ GOST(P2' ⊕ GOST(P1))) shares exactly the same first half as C. This is not the behavior of a 128-bit random permutation, where the whole ciphertext should change.

This property could have had a strong impact on the use of GOST-CBC-IV-NULL in XTS if the index of the data unit were not encoded in little endian before being encrypted. Indeed, the index of a data unit being smaller than 2^64, the most significant bits would have constantly been zero throughout the entire use of the mode for the first block of each data unit (the block whose index inside the data unit is zero). For these blocks, the behavior of the mode would have been almost exactly that of ECB, including the bad distinguishability properties in case of repeated plaintext blocks, as happens with the filling of free space with encrypted zero blocks in VeraCrypt. The composition is immune from this danger thanks to the encoding mandated by the standard, but the encoding is not per se a security measure, and the example shows that the security problem is avoided by chance rather than by design.

A second general problem arises from the use of the CBC mode: an attacker can apply selective bit flips to the second half of any 128-bit plaintext block by flipping the corresponding bits in the first half of the 128-bit ciphertext block. This attack is not possible with the usual XTS mode with a 128-bit block cipher.

A third problem is brought by the use of a 64-bit block cipher. It is difficult to avoid a birthday-paradox bound when using a block cipher mode. For a 128-bit block cipher, the birthday bound is around 2^64, which means that to remain secure, one has to call the underlying block cipher significantly fewer than 2^64 times. Examples of limits on the number of queries to the underlying block cipher with the same key are given in the standard, with the corresponding success probability of an attack. For 2^36 calls, i.e. 2^36 128-bit blocks encrypted or 1 terabyte of data, the success probability is 2^-53. When using a 64-bit block cipher in the CBC-IV-NULL setting, after 2^36 calls the birthday bound for 64-bit blocks has been reached and the success probability of an attack is 1! This can be seen by considering the first halves of the 128-bit ciphertexts, which follow a kind of XTS mode on 64 bits. To reach the same level of security as its 128-bit counterpart, the amount of data processed under one key should be around 512 bytes, which is too small to be considered for a data-at-rest encryption system. Examples of attacks are provided in [IEEE07].

More generally, 64-bit block ciphers are less and less suited to the amount of data processed nowadays. TrueCrypt switched to 128-bit block ciphers only several years ago, keeping support for 64-bit ciphers (Blowfish, Triple DES, CAST5) for compatibility with older volumes. Recent work has shown that what was once thought of as theoretical attacks can in fact be carried out in practice, see e.g. the attack called Sweet32 [BL16] against TLS connections using 64-bit block ciphers. Therefore we recommend removing GOST 28147-89 from the ciphers available for use with XTS in VeraCrypt.

As we recommend removing GOST from the set of available ciphers, we did not proceed with the cryptographic evaluation of the intrinsic strength of the variant implemented with the so-called dynamic S-boxes.
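The first two properties above (the shared first half and the selective bit flip) do not depend on GOST itself; they follow from the CBC-IV-NULL wrapper around any 64-bit permutation. The following is an added example written for this page, not VeraCrypt code: it reproduces the two-block chaining of Listing 6.1 around a throwaway 8-round Feistel cipher (toy64_*, a stand-in with no security claim and not GOST 28147-89) and checks both properties. The XTS tweak layer is left out, since the properties concern the 128-bit "block cipher" that EncipherBlock hands to XTS. All function names, the key and the plaintext values are constructed here.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not VeraCrypt code. toy64_* is a throwaway Feistel network
 * standing in for an arbitrary 64-bit block cipher; the observations below
 * hold for any 64-bit permutation, GOST 28147-89 included. */

static uint32_t round_f(uint32_t x, uint32_t k)
{
    x += k;
    x ^= x >> 16; x *= 0x7feb352dU;
    x ^= x >> 15; x *= 0x846ca68bU;
    x ^= x >> 16;
    return x;
}

uint64_t toy64_encrypt(uint64_t block, const uint32_t key[4])
{
    uint32_t l = (uint32_t)(block >> 32), r = (uint32_t)block;
    for (int i = 0; i < 8; i++) {           /* (L, R) -> (R, L ^ F(R, k_i)) */
        uint32_t t = l ^ round_f(r, key[i & 3]);
        l = r; r = t;
    }
    return ((uint64_t)l << 32) | r;
}

uint64_t toy64_decrypt(uint64_t block, const uint32_t key[4])
{
    uint32_t l = (uint32_t)(block >> 32), r = (uint32_t)block;
    for (int i = 7; i >= 0; i--) {          /* exact inverse of the round above */
        uint32_t t = r ^ round_f(l, key[i & 3]);
        r = l; l = t;
    }
    return ((uint64_t)l << 32) | r;
}

/* The VeraCrypt construction of Listing 6.1: two 64-bit blocks chained in CBC
 * with a zero IV and presented to XTS as one 128-bit block. */
void cbc_iv_null_encrypt128(const uint64_t in[2], uint64_t out[2], const uint32_t key[4])
{
    out[0] = toy64_encrypt(in[0], key);            /* C1 = E(P1 ^ 0) */
    out[1] = toy64_encrypt(in[1] ^ out[0], key);   /* C2 = E(P2 ^ C1) */
}

void cbc_iv_null_decrypt128(const uint64_t in[2], uint64_t out[2], const uint32_t key[4])
{
    out[0] = toy64_decrypt(in[0], key);            /* P1 = D(C1) */
    out[1] = toy64_decrypt(in[1], key) ^ in[0];    /* P2 = D(C2) ^ C1 */
}

const uint32_t DEMO_KEY[4] = {0x01234567U, 0x89abcdefU, 0xfedcba98U, 0x76543210U}; /* constructed */

int roundtrip_ok(const uint32_t key[4])
{
    uint64_t p[2] = {0x0102030405060708ULL, 0x090a0b0c0d0e0f10ULL}, c[2], d[2];
    cbc_iv_null_encrypt128(p, c, key);
    cbc_iv_null_decrypt128(c, d, key);
    return d[0] == p[0] && d[1] == p[1];
}

/* Property 1: two plaintexts with the same first half give ciphertexts with
 * the same first half (and different second halves). A 128-bit random
 * permutation would change the whole output. Returns 1 when observed. */
int first_half_leaks(const uint32_t key[4])
{
    uint64_t p[2]  = {0x1122334455667788ULL, 0x0000000000000001ULL};
    uint64_t p2[2] = {0x1122334455667788ULL, 0xffffffffffffffffULL};
    uint64_t c[2], c2[2];
    cbc_iv_null_encrypt128(p, c, key);
    cbc_iv_null_encrypt128(p2, c2, key);
    return c[0] == c2[0] && c[1] != c2[1];
}

/* Property 2: flipping bits in C1 flips exactly the same bits in the decrypted
 * P2 (P1 becomes garbage). Returns the XOR between original and tampered P2,
 * which equals flip_mask. */
uint64_t second_half_flip(const uint32_t key[4], uint64_t flip_mask)
{
    uint64_t p[2] = {0xdeadbeefcafef00dULL, 0x0123456789abcdefULL};
    uint64_t c[2], d[2];
    cbc_iv_null_encrypt128(p, c, key);
    c[0] ^= flip_mask;                         /* attacker edits the ciphertext */
    cbc_iv_null_decrypt128(c, d, key);
    return d[1] ^ p[1];
}

int main(void)
{
    printf("roundtrip: %d\n", roundtrip_ok(DEMO_KEY));
    printf("first half shared: %d\n", first_half_leaks(DEMO_KEY));
    printf("P2 delta after flipping bit 0 of C1: %016llx\n",
           (unsigned long long)second_half_flip(DEMO_KEY, 1));
    return 0;
}
```

Both checks pass for any key: the first because C1 depends on P1 alone, the second because P2 = D(C2) ⊕ C1 adds the edited C1 back in verbatim. Neither property can be exercised against a genuine 128-bit block cipher under XTS, which is the point of the recommendation above.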
6.2 Lack of Test Vectors for Newly Added Algorithms

Class: Cryptography | Severity: Informational | Difficulty: Undetermined

No test vectors are provided for Kuznyechik and GOST 28147-89. Even if test vectors are not sufficient to verify the correctness of an implementation, they can be used to detect some problems, such as bugs that occur only on some architectures or operating systems (errors on big-endian architectures, on 64-bit architectures, etc.). The use of test vectors seems necessary here, especially in order not to mislead the user. Indeed, an "Auto-Test All" button displays "Self-tests on all algorithms passed" in case of success. The user believes all the algorithms have been tested. This is wrong. Moreover, each algorithm can have several implementations: in the AES case, a classic C version, an x86 and an x64 version, an AES-NI version and two versions with a small memory footprint (one in C, one in assembly) exist in the project.

As shown below, a problem that could have been easily detected with test vectors has been identified in VeraCrypt. This result alone justifies the necessity of including test vectors for all the cryptographic algorithms available in the software.
6.3 Input and Output Parameters Are Swapped in GOST Magma

Class: Cryptography | Severity: Informational | Difficulty: Undetermined

GOST Magma is an encryption algorithm whose block size is 64 bits, contrary to all the other algorithms in VeraCrypt, which process blocks of 128 bits. In order to benefit from the XTS implementation used by the other algorithms, VeraCrypt emulates a 128-bit block cipher by encrypting not one but two 64-bit blocks at once, using CBC mode and a null initialization vector. As seen previously, this is not a good idea.

Two implementations exist:

- For 32-bit code, gost_encrypt and gost_decrypt process two 64-bit blocks in CBC mode and call the C functions gost_encrypt_block and gost_decrypt_block. This code is also used for 64-bit code under Linux and OS X.
- Under Windows x64, the two assembly functions gost_encrypt_128_CBC_asm and gost_decrypt_128_CBC_asm are used.

The inputs and outputs of gost_encrypt_128_CBC_asm and gost_decrypt_128_CBC_asm are interchanged: the order of the parameters is not the same in the declaration and in the definition of the functions. The C prototypes in the declaration are:

Listing 6.3: src/Crypto/GostCipher.c:230

    void gost_encrypt_128_CBC_asm(const byte *in, byte *out, gost_kds *ks, uint64 count);
    void gost_decrypt_128_CBC_asm(const byte *in, byte *out, gost_kds *ks, uint64 count);

Here is the beginning of the assembly implementation:

Listing 6.4: src/Crypto/gost89_x64.asm:294

    global gost_encrypt_128_CBC_asm
    ; gost_encrypt_128_CBC_asm(uint64 *out, uint64 *in, gost_kds *kds, uint64 count);
    ; rcx - &out
    ; rdx - &in
    ; r8  - &gost_kds
    ; r9  - count
    gost_encrypt_128_CBC_asm:

The in and out parameters have been swapped. The same inversion is made in gost_decrypt_128_CBC_asm:

Listing 6.5: src/Crypto/gost89_x64.asm:396

    global gost_decrypt_128_CBC_asm
    ; gost_decrypt_128_CBC_asm(uint64 *out, uint64 *in, const gost_kds *kds, uint64 count);
    ; rcx - &out
    ; rdx - &in
    ; r8  - &gost_kds
    ; r9  - count
    gost_decrypt_128_CBC_asm:
        SaveRegs                 ; Saving
        sub rsp, 32
        mov [rsp], rdx           ; Save out addr
        mov [rsp+8], rcx         ; Save in addr
        mov [rsp+16], r8         ; key addr

However, in this function the in and out parameters are swapped a second time: contrary to what the comments say, rcx points to in and rdx points to out. This double inversion actually makes gost_decrypt_128_CBC_asm correct. The code of gost_encrypt_128_CBC_asm remains wrong: its input and output are indeed swapped. However, since all encryption operations are performed in place, as shown below (the code has been simplified to make it more readable), the resulting code is functionally correct.

Listing 6.6: src/Common/Crypto.c:177

    void EncipherBlock(int cipher, void *data, void *ks)
    {
        switch (cipher)
        {
        case AES:        aes_encrypt (data, data, ks); break;
        case TWOFISH:    twofish_encrypt (ks, data, data); break;
        case SERPENT:    serpent_encrypt (data, data, ks); break;
        case CAMELLIA:   camellia_encrypt (data, data, ks); break;
        case GOST89:     gost_encrypt (data, data, ks, 1); break;
        case KUZNYECHIK: kuznyechik_encrypt_block (data, data, ks); break;
        default:         TC_THROW_FATAL_EXCEPTION;   // Unknown/wrong ID
        }
    }

Even if the resulting code works, we think this problem should be fixed immediately: the introduction of a new encryption operation that is not performed in place could have serious consequences. Such a problem would have been detected quickly if test vectors for all the encryption primitives were present. In fact, we spotted it by checking whether our own test vectors were verified.
6.4 Notes on the PBKDF2 Implementation

Class: Cryptography | Severity: Informational | Difficulty: Undetermined

The VeraCrypt volume header keys are derived from the user password with PBKDF2. The iteration count of the pseudo-random function has been greatly increased, following the recommendations of the iSec report. This caused a problem: the key derivation was slow, and mounting a volume took too much time. The PBKDF2 implementation was therefore rewritten and optimized (2), making the key derivation twice as fast. A few minor problems have been identified in this implementation. One of them was already present in TrueCrypt; the others are specific to VeraCrypt. These are bad practices rather than real problems.

6.4.1 The PBKDF2 Implementation Does Not Fully Comply With the Standard

During the key generation, a 32-bit "block index" is encoded in big-endian [RFC2898]. In the VeraCrypt implementation, only the least significant byte of this index is used, the other three being set to zero:

Listing 6.7: src/Common/Pkcs5.c:175

    /* big-endian block number */
    memset (&k[salt_len], 0, 3);
    k[salt_len + 3] = (char) b;

Cycles can therefore be spotted in the data generated by this implementation whenever the output is longer than 256 times the output size of the underlying hash function used by PBKDF2: 5120 bytes for RIPEMD-160, 8192 bytes for SHA-256, 16384 bytes for SHA-512, Whirlpool and Streebog. This has absolutely no impact on the security of the product: all the data coming from the PBKDF2 implementation is at most 192 bytes long (6 keys of 256 bits). This behavior should nevertheless be fixed, in order to avoid a bad usage of these functions in the future if longer key material were to be generated for some reason.
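To make the cycle visible, the following added example (written for this page, not VeraCrypt code) implements the PBKDF2 block function T_i = U_1 ⊕ ... ⊕ U_c over a toy 64-bit PRF with a pluggable INT(i) encoder: encode_index_rfc is the RFC 2898 big-endian encoding, encode_index_lowbyte reproduces Listing 6.7. With the low-byte encoder, blocks i and i+256 are identical; with the standard encoder they are not. The toy PRF (splitmix-style mixing, not an HMAC and not secure), the salt, the password value and all function names are constructed for this example; its output unit is 8 bytes, so the cycle appears after 256 x 8 = 2048 bytes instead of 256 x 64 for SHA-512.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not VeraCrypt code. The PRF below is a throwaway mixer used
 * so the block-index effect can be shown without a hash library. */

static uint64_t mix64(uint64_t x)
{
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* Toy PRF(key, msg): absorbs msg byte by byte. Stand-in for HMAC. */
static uint64_t toy_prf(uint64_t key, const uint8_t *msg, size_t len)
{
    uint64_t s = mix64(key ^ 0x9e3779b97f4a7c15ULL);
    for (size_t i = 0; i < len; i++)
        s = mix64(s ^ msg[i] ^ ((uint64_t)i << 56));
    return s;
}

/* RFC 2898: INT(i) is the 4-byte big-endian encoding of the block index. */
void encode_index_rfc(uint8_t out[4], uint32_t i)
{
    out[0] = (uint8_t)(i >> 24); out[1] = (uint8_t)(i >> 16);
    out[2] = (uint8_t)(i >> 8);  out[3] = (uint8_t)i;
}

/* What Listing 6.7 does: three zero bytes, then only the low byte of i. */
void encode_index_lowbyte(uint8_t out[4], uint32_t i)
{
    memset(out, 0, 3);
    out[3] = (uint8_t)i;
}

typedef void (*index_encoder)(uint8_t out[4], uint32_t i);

/* One PBKDF2 output block: U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}),
 * T_i = U_1 ^ ... ^ U_c. Only INT(i) distinguishes block i from block i+256. */
uint64_t pbkdf2_block(uint64_t password, const uint8_t *salt, size_t salt_len,
                      uint32_t iterations, uint32_t i, index_encoder enc)
{
    uint8_t buf[64];
    memcpy(buf, salt, salt_len);
    enc(buf + salt_len, i);
    uint64_t u = toy_prf(password, buf, salt_len + 4), t = u;
    for (uint32_t j = 1; j < iterations; j++) {
        uint8_t ub[8];
        for (int b = 0; b < 8; b++) ub[b] = (uint8_t)(u >> (8 * b));
        u = toy_prf(password, ub, 8);
        t ^= u;
    }
    return t;
}

/* 1 if output block i equals output block i+256 under the given encoder. */
int blocks_collide(uint32_t i, index_encoder enc)
{
    static const uint8_t salt[16] = "constructed-salt";   /* constructed sample */
    const uint64_t password = 0x0123456789abcdefULL;       /* constructed sample */
    uint64_t a = pbkdf2_block(password, salt, sizeof salt, 1000, i, enc);
    uint64_t b = pbkdf2_block(password, salt, sizeof salt, 1000, i + 256, enc);
    return a == b;
}

int main(void)
{
    printf("low-byte encoder, blocks 1 and 257 identical: %d\n", blocks_collide(1, encode_index_lowbyte));
    printf("RFC encoder,      blocks 1 and 257 identical: %d\n", blocks_collide(1, encode_index_rfc));
    return 0;
}
```

The fix is the one-line change from encode_index_lowbyte to encode_index_rfc in the real code (write all four bytes of the index, most significant first); everything else in the derivation stays as it is.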
6.4.2 Bad Coding Practice in the HMAC-SHA512 Computation

During HMAC computations, a "context", i.e. a structure containing information about the current state of the computation, is used. This context is passed to the functions performing the hashing operations:

Listing 6.8: src/Common/Pkcs5.c:278

    typedef struct hmac_sha512_ctx_struct
    {
        sha512_ctx ctx;
        sha512_ctx inner_digest_ctx; /* pre-computed inner digest context */
        sha512_ctx outer_digest_ctx; /* pre-computed outer digest context */
        char k[PKCS5_SALT_SIZE + 4]; /* enough to hold (salt_len + 4) and also the SHA512 hash */
        char u[SHA512_DIGESTSIZE];
    } hmac_sha512_ctx;

(2) Commit on the VeraCrypt repository: Cryptography: Divide mount and boot times by 2 using a pre-computation of values used in PRF HMAC calculation (thanks to Xavier de Carné de Carnavalet for finding this optimization). https://github.com/veracrypt/VeraCrypt/commit/59afc2c4d9704476bdaf8c4c8b45684a80781a06

When the derivation functions were rewritten, a stack buffer holding temporary data was removed. The new, faster implementation uses the k field of the HMAC context to store intermediate values. This field is followed by the u field, which contains the final HMAC value. hmac_sha512 writes SHA512_BLOCKSIZE = 128 bytes into k, whose size is only 68 bytes. Hence 60 bytes are written into u:

Listing 6.9: src/Common/Pkcs5.c:325

    char *buf = hmac.k;
    /* there is enough space to hold SHA512_BLOCKSIZE (128) bytes
     * because k is followed by u in hmac_sha512_ctx */
    ...
    /* Pad the key for inner digest */
    for (b = 0; b

[...]

7.1 Keystrokes Are Not Erased After Authentication

[...]
        gBS->WaitForEvent(1, &gST->ConIn->WaitForKey, &EventIndex);
        gST->ConIn->ReadKeyStroke(gST->ConIn, &key);
        return key;
    }

It is difficult to make sure that the driver implementation will erase the buffer containing the keystrokes. For example, the file IntelFrameworkModulePkg/Csm/BiosThunk/KeyboardDxe/BiosKeyboard.c in EDK II shows that strokes are retrieved from the BIOS keyboard buffer through INT 16h. The module never directly accesses the BIOS Data Area, so that buffer will never be erased. Our recommendation is, whatever the driver used, to always call the Reset() method of gST->ConIn to reset the buffers manipulated by the keyboard module. One has to keep in mind that there is still no guarantee that they will be correctly erased.
7.2 Sensitive Data Is Not Correctly Erased

Class: Data Exposure | Severity: High | Difficulty: High

The data handled by the boot loader is rarely erased. The user password is properly cleared at startup. However, when a user changes the password, the Password structures containing the new password are not erased (see the SecRegionChangePwd function in DcsInt/DcsInt.c). TrueCrypt's and VeraCrypt's developers have carefully checked that sensitive data is correctly cleared from memory. This level of care has not been applied to DCS yet.
7.3 Memory Corruption Can Occur When the Recovery Disk Is Read

Class: Data Validation | Severity: High | Difficulty: High

VeraCrypt can create a rescue disk able to recover a volume in case of a crash. This disk restores the EFI loader settings, restores the loader itself, or boots the system with its own copy of the loader. The "Recovery Disk" is actually a Zip archive containing the recovery application, related modules, and a backup of the VeraCrypt system volume header. All the data added to this archive can be considered trusted:

- the EFI application and modules are extracted from the VeraCrypt.exe resources;
- reading the system volume header requires administrator privileges;
- reading the configuration requires administrator privileges;
- the configuration is created by the application.

The vulnerabilities identified in XZip and XUnzip could therefore not be triggered at creation time. However, it is possible to verify the created image through the "System" → "Verify Rescue Disk Image" menu. In that case, VeraCrypt opens and parses the Zip, and the vulnerabilities identified in inflate and XUnzip become reachable.

Just before reading this Zip, VeraCrypt must perform a privileged action. To do so, it launches an elevated instance of VeraCrypt.exe with administrator privileges, which acts as a COM server. This server exposes functions able to copy or delete files anywhere on the disk with administrator rights, or to rewrite the EFI loader. The severity was ranked "High" in part because of this. The operating conditions are quite unrealistic, though: an attacker must alter the victim's rescue disk, and the victim must then verify it to be compromised. Note that the rescue disk is not secret data (it does not contain the encryption keys).
7.4 Mistakes in the DCS Code

7.4.1 A Null Pointer Can Be Dereferenced When Encrypted Blocks Are Written

Class: Data Validation | Severity: Low | Difficulty: Undetermined

The function responsible for the on-the-fly encryption of data during disk write operations does not return correctly in case of error, which can lead to a null pointer dereference. IntBlockIO_Write is the write function registered by the driver installed by DcsInt. It takes the size of the data to encrypt as a parameter, and allocates a buffer of the corresponding size. If the allocation fails, EFI_BAD_BUFFER_SIZE is assigned to the return value Status and the function should then return. However, the return Status; line seems to have been deleted inadvertently from the source code.

Listing 7.2: DcsInt/DcsInt.c:262

    writeCrypted = MEM_ALLOC(BufferSize);
    if (writeCrypted == NULL) {
        Status = EFI_BAD_BUFFER_SIZE;
    }
    CopyMem(writeCrypted, Buffer, BufferSize);
    // Print(L"*");
    UpdateDataBuffer(writeCrypted, (UINT32)BufferSize, startSector);
    EncryptDataUnits(writeCrypted, (UINT64_STRUCT*)&startSector, (UINT32)(BufferSize >> 9), DcsIntBlockIo->CryptInfo);
    Status = DcsIntBlockIo->LowWrite(This, MediaId, startSector, BufferSize, writeCrypted);

If the allocation fails, the content of Buffer is copied to address 0.

7.4.2 Dead Code in DcsInt

Class: Undetermined | Severity: Informational | Difficulty: Undetermined

The function IntBlockIo_Hook in DcsInt/DcsInt.c contains dead code, which seems to be left over from a rewrite of the function.

Listing 7.3: DcsInt/DcsInt.c:345

    if (!EFI_ERROR(Status)) {
        // Check is this protocol already hooked
        DcsIntBlockIo = (DCSINT_BLOCK_IO*)MEM_ALLOC(sizeof(DCSINT_BLOCK_IO));
        if (DcsIntBlockIo == NULL) {
            return EFI_OUT_OF_RESOURCES;
        }
        // construct new DcsIntBlockIo
        DcsIntBlockIo->Sign = DCSINT_BLOCK_IO_SIGN;
        DcsIntBlockIo->Controller = DeviceHandle;
        DcsIntBlockIo->BlockIo = BlockIo;
        DcsIntBlockIo->IsReinstalled = 0;
        if (EFI_ERROR(Status)) {
            gBS->CloseProtocol(DeviceHandle, &gEfiBlockIoProtocolGuid, This->DriverBindingHandle, DeviceHandle);
            MEM_FREE(DcsIntBlockIo);
            return EFI_UNSUPPORTED;
        }

The outer condition checks that Status is not an error code, while the inner one, a few lines below, checks that it is. The CloseProtocol method can therefore never be called. Incidentally, the first comment is misleading, because no check on the hook is done here.

7.4.3 The Function Reading the Configuration May Read Inconsistent Data

Class: Data Validation | Severity: Informational | Difficulty: Undetermined

The configuration file of the loader, DcsProp, is read in the ConfigRead function. This function calls FileLoad to load it, but does not check the value returned by FileLoad:

Listing 7.4: Library/VeraCryptLib/DcsVeraCrypt.c:36

    BOOL ConfigRead(char *configKey, char *configValue, int maxValueSize)
    {
        char* xml;

        if (ConfigBuffer == NULL)
            FileLoad(NULL, L"\\EFI\\VeraCrypt\\DcsProp", &ConfigBuffer, &ConfigBufferSize);

        xml = ConfigBuffer;
        if (xml != NULL) {
            xml = XmlFindElementByAttributeValue(xml, "config", "key", configKey);
            ...
        }

The configuration is parsed whenever ConfigBuffer is not null. However, FileLoad may well return an error while leaving ConfigBuffer non-null: the buffer is allocated (filled with zeros) before the read, and on a read error it is freed without the caller's pointer being reset to NULL:

Listing 7.5: Library/CommonLib/EfiFile.c:200

    EFI_STATUS FileLoad(IN EFI_FILE *root, IN CHAR16 *name, OUT VOID **data, OUT UINTN *size)
    ...
        *data = MEM_ALLOC(sz);
        if (*data == NULL) {
            ...
        }
        res = FileRead(file, *data, &sz, NULL);
        if (EFI_ERROR(res)) {
            FileClose(file);
            MEM_FREE(*data);
            return res;
        }

This does not lead to a security issue, but should be fixed. Incidentally, the memory allocated to read the configuration file is never freed.

7.4.4 Bad Pointer Check in EfiGetHandles

Class: Data Validation | Severity: Informational | Difficulty: Undetermined

EfiGetHandles calls the LocateHandle service to retrieve all the handles implementing a given protocol. If several handles are present, the space initially allocated for the list is too small, so EfiGetHandles allocates a larger buffer. The pointer returned by the allocator is not correctly checked, and the function can consequently dereference a null pointer. The cause is a typo, as can be seen below.

Listing 7.6: Library/CommonLib/EfiBio.c:76

    *Buffer = (EFI_HANDLE*)MEM_ALLOC(sizeof(EFI_HANDLE));
    if (*Buffer) {
        BufferSize = sizeof(EFI_HANDLE);
        res = gBS->LocateHandle(SearchType, Protocol, SearchKey, &BufferSize, *Buffer);
        if (res == RETURN_BUFFER_TOO_SMALL) {
            MEM_FREE(*Buffer);
            *Buffer = (EFI_HANDLE*)MEM_ALLOC(BufferSize);
            if (!Buffer) { // Typo error: Buffer is checked instead of *Buffer
                return EFI_OUT_OF_RESOURCES;
            }
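Both 7.4.1 and 7.4.4 are allocation-failure paths that are never exercised in normal operation, which is why they survived. The block below is an added example written for this page, not DCS or VeraCrypt code: a host-side model of the two paths with a fault-injecting allocator, so the missing return (7.4.1) and the *Buffer versus Buffer check (7.4.4) can both be tested without UEFI. The status codes, mem_alloc, fake_locate, block_write, get_handles and demo_alloc_failures are stand-in names chosen here; the XOR in block_write is a placeholder for EncryptDataUnits, not an encryption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not DCS code. Status values are assumed stand-ins for the
 * EFI_* codes used in the listings. */
enum { STATUS_SUCCESS = 0, STATUS_BAD_BUFFER_SIZE = 1,
       STATUS_OUT_OF_RESOURCES = 2, STATUS_BUFFER_TOO_SMALL = 3 };

/* Fault injection: allocations succeed until the counter reaches zero, then
 * fail. -1 means never fail. */
static int g_fail_after = -1;

static void *mem_alloc(size_t n)
{
    if (g_fail_after == 0) return NULL;
    if (g_fail_after > 0) g_fail_after--;
    return calloc(1, n);
}

/* 7.4.1 model of the write path: the corrected version returns as soon as
 * the allocation fails instead of falling through to CopyMem(NULL, ...). */
int block_write(const uint8_t *buffer, size_t size, uint8_t *dev, size_t dev_size)
{
    if (size > dev_size) return STATUS_BAD_BUFFER_SIZE;
    uint8_t *crypted = mem_alloc(size);
    if (crypted == NULL)
        return STATUS_BAD_BUFFER_SIZE;            /* the missing 'return Status;' */
    memcpy(crypted, buffer, size);
    for (size_t i = 0; i < size; i++) crypted[i] ^= 0x5a;  /* placeholder for EncryptDataUnits */
    memcpy(dev, crypted, size);
    free(crypted);
    return STATUS_SUCCESS;
}

/* 7.4.4 model of LocateHandle: reports BUFFER_TOO_SMALL with the needed size
 * on a short buffer, otherwise fills it. */
static int fake_locate(size_t *size, void *out, size_t needed)
{
    if (*size < needed) { *size = needed; return STATUS_BUFFER_TOO_SMALL; }
    memset(out, 0xab, needed);
    return STATUS_SUCCESS;
}

/* Grow-and-retry through an out-parameter. The retry must test *buffer (the
 * new allocation), not buffer (the caller's pointer, which is never NULL). */
int get_handles(void **buffer, size_t *count, size_t needed)
{
    size_t size = sizeof(void *);
    *buffer = mem_alloc(size);
    if (*buffer == NULL) return STATUS_OUT_OF_RESOURCES;
    int res = fake_locate(&size, *buffer, needed);
    if (res == STATUS_BUFFER_TOO_SMALL) {
        free(*buffer);
        *buffer = mem_alloc(size);
        if (*buffer == NULL)                      /* was: if (!Buffer) */
            return STATUS_OUT_OF_RESOURCES;
        res = fake_locate(&size, *buffer, needed);
    }
    if (res != STATUS_SUCCESS) { free(*buffer); *buffer = NULL; return res; }
    *count = size / sizeof(void *);
    return STATUS_SUCCESS;
}

/* Drives both paths with the allocator failing on the first / second call.
 * Returns 1 when every case behaves as intended. */
int demo_alloc_failures(void)
{
    uint8_t dev[64] = {0};
    const uint8_t data[16] = "constructed-data";   /* constructed sample */
    void *handles = NULL;
    size_t count = 0;
    int ok = 1;

    g_fail_after = 0;                               /* first allocation fails */
    ok &= block_write(data, sizeof data, dev, sizeof dev) == STATUS_BAD_BUFFER_SIZE;
    g_fail_after = -1;
    ok &= block_write(data, sizeof data, dev, sizeof dev) == STATUS_SUCCESS && dev[0] == ('c' ^ 0x5a);

    g_fail_after = 1;                               /* only the retry allocation fails */
    ok &= get_handles(&handles, &count, 4 * sizeof(void *)) == STATUS_OUT_OF_RESOURCES;
    g_fail_after = -1;
    ok &= get_handles(&handles, &count, 4 * sizeof(void *)) == STATUS_SUCCESS && count == 4;
    free(handles);
    return ok;
}
```

The counter-driven allocator is the useful part: pointing it at the second allocation is what makes the `!Buffer` typo observable, since the first allocation in EfiGetHandles always succeeds in practice and masks it.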
7.4.5 Potential Dereference of a Null Pointer in the Graphic Library

Class: Data Validation | Severity: Informational | Difficulty: Undetermined

Two functions of the graphic library, BltLine and BltCircle, which respectively draw a line and a circle, take a graphical context draw as a parameter, of type PDRAW_CONTEXT. This variable is checked at the beginning of both functions in order to initialize the mask value:

Listing 7.7: Library/GraphLib/EfiGraph.c:300

    mask = draw ? draw->DashLine : gDrawContext.DashLine;
    dmask = mask;
    cmask = 32;
    for (;;) { /* loop */
        // Dash
        if ((dmask & 1) == 1) { // always true if draw is NULL, as gDrawContext.DashLine is 0xffffffff
            BltPoint(blt, draw, x0, y0);
        }

Hence the draw value is potentially null, in which case the global context gDrawContext is used instead of draw->DashLine. The circle or the line is then drawn point by point with the BltPoint function, which also takes a parameter of type PDRAW_CONTEXT. However, in both cases the draw variable is passed to BltPoint instead of the global context gDrawContext, and BltPoint dereferences this pointer without checking it:

Listing 7.8: Library/GraphLib/EfiGraph.c:231

    EFI_STATUS BltPoint(IN BLT_HEADER *blt, IN PDRAW_CONTEXT draw, IN UINTN x, IN UINTN y)
    {
        if (draw->Brush == NULL)
            return BltPointSingle(blt, draw, x, y);
        else

An analysis of the callers of BltLine and BltCircle shows that the draw parameter can actually never be null. The bug should be fixed nonetheless.
:16-08-215-REPQuarkslabSAS378.
RecommendationsInthissection,wesumupallvulnerabilitiesandrelatedrecommendations.
8.
1UnfixedorPartiallyFixedVulnerabilitiesfromFormerAudits8.
1.
1OCAPPhase1Audit(iSecPartners,NCCGroup)SensitiveinformationmightbepagedoutfromkernelstacksMakesuretheuserfollowVeraCrypt'sdocumentationbyencryptingthesystemparti-tion/driveandmakingsurethatallpagingfilesarelocatedonpartitionswithinthekeyscopeofthesystemencryption.
ClassDataExposureSeverityMediumStatusNotFixedWindowskerneldriverusesmemset()toclearsensitivedataThestructuremappedCryptoInfomustbeerasedwithburn()beforeraisingtheexceptionTC_THROW_FATAL_EXCEPTIONinsrc/Driver/DriveFilter.
c.
ClassDataExposureSeverityMediumStatusPartiallyfixedTC_IOCTL_OPEN_TESTmultipleissuesTobefoundiniSec'sreport.
Warning:asimilarissuecanbefoundintheTC_IOCTL_GET_SYSTEM_DRIVE_CONFIGioctl.
ClassDataExposureSeverityLowStatusNotfixedEncryptDataUnits()lackserrorhandlingTobefoundiniSec'sreport.
ClassErrorReportingSeverityInformationalStatusNotfixed8.
1.
2OCAPPhase2Audit(CryptographyServices,NCCGroup)AESimplementationsusceptibletocache-timingattacksFixAes_x86.
asmandAes_x64.
asmfirst.
ClassCryptographySeverityHighStatusNotfixedKeyfilemixingisnotcryptographicallysoundTobefoundinNCCGroup'sreport.
Weemphasizetheneedtoimplementtherecommen-dation.
ClassCryptographySeverityLowStatusNotfixedUnauthenticatedciphertextinvolumeheadersImplementacryptographicauthenticationmechanism.
ClassCryptographySeverityUndeterminedStatusNotfixedRef.
:16-08-215-REPQuarkslabSAS388.
8.2 VeraCrypt's Modifications Assessment

The length of the password can be computed when encryption is activated
  Recommendation: Erase pointers to last and next password character position in the keystroke buffer.
  Class: Data Exposure. Severity: Low. Difficulty: Medium.

Out-of-date inflate and deflate
  Recommendation: Add a dependency on zlib to benefit from an up-to-date code base.
  Class: Patching. Severity: High. Difficulty: High.

XZip and XUnzip need to be completely re-written
  Recommendation: Use another component to handle Zip files.
  Class: Data Validation. Severity: High. Difficulty: High.

Integer overflow when computing the number of iterations for PBKDF2 when PIM is used
  Recommendation: Unify the application behavior so that the checks on the PIM will be performed in the core functions of the program.
  Class: Data Validation. Severity: High. Difficulty: High.

PIN code on command line
  Recommendation: Remove the feature or at least attach a clear security warning to it.
  Class: Data Exposure. Severity: Informational. Difficulty: Low.
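As an added illustration of the PIM recommendation above (this is example code, not VeraCrypt's own), the following C routine centralizes the PIM range check and the PBKDF2 iteration-count arithmetic in one core function, next to the unchecked 32-bit pattern that lets a large PIM wrap to a much weaker count. The PIM bound, the per-PIM multipliers and the default counts are assumptions chosen for the illustration, not values taken from VeraCrypt.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative constants: assumptions for this example, not VeraCrypt's values. */
#define PIM_MAX                   2147468u  /* assumed upper bound for a PIM */
#define BASE_ITERATIONS           15000u    /* assumed fixed part (non-system volumes) */
#define ITERATIONS_PER_PIM        1000u     /* assumed per-PIM multiplier (non-system) */
#define SYSTEM_ITERATIONS_PER_PIM 2048u     /* assumed per-PIM multiplier (system encryption) */

/* The pattern the recommendation warns against: 32-bit arithmetic with no range
 * or overflow check, so a large PIM silently wraps to a far smaller iteration
 * count. Kept here only to contrast with the checked core routine below. */
uint32_t pim_to_iterations_unchecked(int32_t pim, bool system_encryption)
{
    if (system_encryption)
        return (uint32_t)pim * SYSTEM_ITERATIONS_PER_PIM;
    return BASE_ITERATIONS + (uint32_t)pim * ITERATIONS_PER_PIM;
}

/* Single core routine that every front end (GUI, command line, driver) is meant
 * to call, so a check forgotten in one code path cannot yield a wrapped count.
 * Returns true and writes *iterations on success, false on any rejected input. */
bool pim_to_iterations(int32_t pim, bool system_encryption, uint32_t *iterations)
{
    if (iterations == NULL || pim < 0 || (uint32_t)pim > PIM_MAX)
        return false;                      /* range check lives here, once */
    if (pim == 0) {                        /* PIM 0 selects the (assumed) default count */
        *iterations = system_encryption ? 200000u : 500000u;
        return true;
    }
    uint64_t per  = system_encryption ? SYSTEM_ITERATIONS_PER_PIM : ITERATIONS_PER_PIM;
    uint64_t base = system_encryption ? 0u : BASE_ITERATIONS;
    uint64_t total = base + per * (uint64_t)pim;   /* 64-bit: cannot wrap here */
    if (total > UINT32_MAX)                /* would have wrapped in 32-bit arithmetic */
        return false;
    *iterations = (uint32_t)total;
    return true;
}

int main(void)
{
    uint32_t it = 0;
    int32_t pim = 2147468;                 /* in range, but 2048 * pim exceeds 32 bits */
    printf("unchecked: %u\n", pim_to_iterations_unchecked(pim, true));
    printf("checked:   %s\n", pim_to_iterations(pim, true, &it) ? "ok" : "rejected");
    return 0;
}
```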
8.3 New Cryptographic Mechanisms Assessment

GOST 28147-89 must be removed from VeraCrypt
  Recommendation: Remove GOST 28147-89 and more generally any 64-bit block cipher from the list of available block ciphers.
  Class: Cryptography. Severity: High. Difficulty: High.

Lack of test vectors for newly added algorithms
  Recommendation: Add relevant test vectors.
  Class: Cryptography. Severity: Informational. Difficulty: Undetermined.

Input and output parameters are swapped in GOST Magma
  Recommendation: Fix the implementation.
  Class: Cryptography. Severity: Informational. Difficulty: Undetermined.

The PBKDF2 implementation does not fully comply with the standard
  Recommendation: Make the implementation compliant with the standard.
  Class: Cryptography. Severity: Informational. Difficulty: Undetermined.

Bad coding practice in the HMAC-SHA512 computation
  Recommendation: Fix the implementation.
  Class: Cryptography. Severity: Informational. Difficulty: Undetermined.

Unused parameters in key derivation sub-functions
  Recommendation: Fix the implementation.
  Class: Cryptography. Severity: Informational. Difficulty: Undetermined.

Random byte generators in DCS should be improved
  Recommendation: The generation of random data at startup is an arduous task. The implementation should be carefully studied. It is difficult to gather "good" sources of entropy when the computer starts. We strongly recommend using such mechanisms only in case of absolute necessity.
  Class: Cryptography. Severity: Informational. Difficulty: Undetermined.
8.4 UEFI Support Assessment

Keystrokes are not erased after authentication
  Recommendation: Always call the Reset() method of gST->ConIn to reset the buffers manipulated by the keyboard module.
  Class: Data Exposure. Severity: High. Difficulty: High.

Sensitive data is not correctly erased
  Recommendation: Securely clear sensitive data from memory.
  Class: Data Exposure. Severity: High. Difficulty: High.

Memory corruption can occur when the recovery disk is read
  Recommendation: Use another component to handle Zip files.
  Class: Data Validation. Severity: High. Difficulty: High.

A null pointer can be dereferenced when encrypted blocks are written
  Recommendation: Fix the implementation.
  Class: Data Validation. Severity: Low. Difficulty: Undetermined.

Dead code in DcsInt
  Recommendation: Fix the implementation.
  Class: Undetermined. Severity: Informational. Difficulty: Undetermined.

The function reading the configuration may read inconsistent data
  Recommendation: Fix the implementation.
  Class: Data Validation. Severity: Informational. Difficulty: Undetermined.

Bad pointer check in EfiGetHandles
  Recommendation: Fix the implementation.
  Class: Data Validation. Severity: Informational. Difficulty: Undetermined.

Potential dereference of a null pointer in the graphic library
  Recommendation: Fix the implementation.
  Class: Data Validation. Severity: Informational. Difficulty: Undetermined.
9. Conclusion

This audit, funded by OSTIF, required 32 man-days of study. It shows that this follow-up of TrueCrypt is very much alive and evolves with new functionalities like the support of UEFI. The results show that evaluations at regular intervals of such difficult security projects are not optional. When well received by the project's developers, they provide useful feedback to help the project mature. The openness of the evaluation results helps build confidence in the product for the final users.
Bibliography

[OCAP1] iSec Partners, part of NCC Group. Open Crypto Audit Project - TrueCrypt, Security Assessment. 2014. Available at https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_A
[OCAP2] Cryptography Services of NCC Group. Open Crypto Audit Project - TrueCrypt, Cryptographic Review. 2015. Available at https://opencryptoaudit.org/reports/TrueCrypt_Phase_II_NCC_OCAP_final.pdf
[FSIT] Fraunhofer Institute for Secure Information Technology. Security Analysis of TrueCrypt. 2015. Available at https://www.bsi.bund.de/DE/Publikationen/Studien/TrueCrypt/truecrypt.html
[SP800-132] NIST Special Publication 800-132. Recommendation for Password-Based Key Derivation. December 2010. Available at http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf
[SOGETI] Sogeti ESEC Lab. Security assessment of TrueCrypt. 2008. Available at http://esec-lab.sogeti.com/posts/2008/12/08/security-assessment-of-truecrypt-english.html
[UPR] Ubuntu Privacy Remix Team. Security Analysis of TrueCrypt 7.0a with an Attack on the Keyfile Algorithm. 2011. Available at https://www.privacy-cd.org/en/tutorials/analysis-of-truecrypt
[P0-537] Google Project Zero. Truecrypt 7 Derived Code/Windows: Incorrect Impersonation Token Handling EoP. Available at https://bugs.chromium.org/p/project-zero/issues/detail?id=537
[P0-538] Google Project Zero. Truecrypt 7 Derived Code/Windows: Drive Letter Symbolic Link Creation EoP. Available at https://bugs.chromium.org/p/project-zero/issues/detail?id=538
[P0-BLOG] Google Project Zero. Windows Drivers are True'ly Tricky. Available on Google Project Zero's Blog at https://googleprojectzero.blogspot.fr/2015/10/windows-drivers-are-truely-tricky.html
[GOST89] Government Committee of the USSR for Standards. Cryptographic Protection for Data Processing System, GOST 28147-89, Gosudarstvennyi Standard of USSR, 1989. (In Russian)
[IEEE07] IEEE P1619/D16. Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices. 2007.
[SP800-38E] NIST Special Publication 800-38E. Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices. January 2010.
[Ro04] Phillip Rogaway. Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC. Asiacrypt 2004. LNCS vol. 3329. Springer, 2004. Available at http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf
[LM08] Moses Liskov and Kazuhiko Minematsu. Comments on XTS-AES, in response to NIST Public Request for Comments on XTS. 2008. Available at http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/XTS_comments-Liskov_Minematsu.pdf
[BL16] Karthikeyan Bhargavan and Gaëtan Leurent. On the Practical (In-)Security of 64-bit Block Ciphers — Collision Attacks on HTTP over TLS and OpenVPN. To be published at ACM CCS 2016.
[RFC2898] PKCS #5: Password-Based Cryptography Specification Version 2.0. Available at https://tools.ietf.org/html/rfc2898#section-5.2
[SP800-90A] NIST Special Publication 800-90A Revision 1. Recommendation for Random Number Generation Using Deterministic Random Bit Generators. June 2015. Available at http://dx.doi.org/10.6028/NIST.SP.800-131Ar1
