Countermeasures: Protecting BitLocker-encrypted devices from attacks

January 2014



Table of contents

Attacks
    Bootkit and rootkit attacks
    Brute-force sign-in attacks
    Direct memory access attacks
    Hiberfil.sys attacks
    Memory remanence attacks

Countermeasures
    Protection before startup
    Protection during pre-boot: pre-boot authentication
    Protection during startup
    Protection after startup: DMA attack protection

Choosing the right countermeasures

Summary


Full-volume encryption using BitLocker Drive Encryption is vital for protecting data and system integrity on devices running the Windows 8.1, Windows 8, or Windows 7 operating system. It is equally important to protect the BitLocker encryption key. On Windows 7 devices, sufficiently protecting that key often required pre-boot authentication, which many users find inconvenient and which complicates device management.

Microsoft has made improvements in Windows 8.1 and worked closely with hardware manufacturers to deliver Windows 8.1 and Windows 8 devices that are fundamentally resistant to known attacks against the BitLocker encryption key. As a result, many organizations can now meet their security requirements without using pre-boot authentication, reducing complexity and inconvenience.

This paper provides detailed information that will help you understand the circumstances under which the use of pre-boot authentication is recommended and when it can be safely omitted from a device's configuration.

NOTE

For the latest information, please see http://aka.ms/bitlockerinfo.


BitLocker uses encryption to protect the data on your drive, but BitLocker security is only effective when the encryption key is protected. Many users have relied on pre-boot authentication to protect the operating system's integrity, the disk encryption solution (e.g., its encryption keys), and the PC's data from offline attacks. With pre-boot authentication, users must provide some form of credential before unlocking encrypted volumes and starting Windows. Typically, they authenticate themselves using a PIN or a USB flash drive as a key.

Pre-boot authentication provides excellent startup security, but it inconveniences users and increases IT management costs. Every time the PC is unattended, the device must be set to hibernate (i.e., shut down and powered off); when the computer restarts, users must authenticate before the encrypted volumes are unlocked. This requirement increases restart times and prevents users from accessing remote PCs until they can physically access the computer to authenticate, making pre-boot authentication unacceptable in the modern IT world, where users expect their devices to turn on instantly and IT requires PCs to be constantly connected to the network.

If users lose their USB key or forget their PIN, they can't access their PC without a recovery key. With a properly configured infrastructure, the organization's support staff will be able to provide the recovery key, but doing so increases support costs, and users might lose hours of productive work time.

Windows 8 and new devices designed for Windows 8 change everything. The Unified Extensible Firmware Interface (UEFI) Secure Boot and Windows Trusted Boot startup process ensures operating system integrity, allowing Windows to start automatically while minimizing the risk of malicious startup tools and rootkits. In addition, many modern mobile devices are fundamentally physically resistant to sophisticated attacks against the computer's memory, and now Windows authenticates the user before making devices that may represent a threat to the device and its encryption keys available for use.

The sections that follow help you understand which PCs still need pre-boot authentication and which can meet your security requirements without the inconvenience of it.


Attacks

The next few sections describe each type of attack that could be used to compromise a volume encryption key, whether for BitLocker or a non-Microsoft encryption solution. After an attacker has compromised a volume encryption key, the attacker can read data from your system drive or even install malware while Windows is offline. Each section begins with a graphical overview of the attack's strengths and weaknesses as well as suggested mitigations for Windows 8– and Windows 7–certified devices.

Bootkit and rootkit attacks

Rootkits are a sophisticated and dangerous type of malware that runs in kernel mode, using the same privileges as the operating system. Because rootkits have the same or possibly even more rights than the operating system, they can completely hide themselves from Windows and even from an antimalware solution. Often, rootkits are part of an entire suite of malware that can bypass local logins, record passwords, transfer private files, and capture cryptographic keys.

Different types of bootkits and rootkits load at different software levels:

• Kernel level: Rootkits running at the kernel level have the highest privilege in the operating system. They may be able to inject malicious code or replace portions of the core operating system, including both the kernel and device drivers.

• Application level: These rootkits aim to replace application binaries with malicious code, such as a Trojan, and can even modify the behavior of existing applications.

• Library level: The purpose of library-level rootkits is to hook, patch, or replace system calls with malicious code that can hide the malware's presence.

• Hypervisor level: Hypervisor rootkits target the boot sequence. Their primary purpose is to modify the boot sequence to load themselves as a hypervisor beneath the operating system.

• Firmware level: These rootkits overwrite the PC's BIOS firmware, giving the malware low-level access and potentially the ability to install or hide malware, even if it's cleaned or removed from the hard disk.

Regardless of the operating system or encryption method, rootkits have access to confidential data once installed. Application-level rootkits can read any files the user can access, bypassing volume-level encryption. Kernel-, library-, hypervisor-, and firmware-level rootkits have direct access to system files on encrypted volumes and can also retrieve an encryption key from memory.


Windows 7 offers substantial protection from bootkits and rootkits, but it is possible to bypass operating system security when an attacker has physical access to the device and can install the malware on the device while Windows is offline. For example, an attacker might boot a PC from a USB flash drive containing malware that starts before Windows. The malware can replace system files or the PC's firmware, or simply start Windows under its control.

To sufficiently protect a PC from bootkits and rootkits, devices must use pre-boot authentication or UEFI-based Secure Boot, or the encryption solution must use the device's Trusted Platform Module (TPM) as a means of monitoring the integrity of the end-to-end boot process. Pre-boot authentication is available for any device, regardless of the hardware, but because it is inconvenient to users, it should be used only to mitigate threats that are applicable to the device. UEFI-based Secure Boot is required for all Windows 8.1– and Windows 8–certified devices. On those devices, you do not need to use pre-boot authentication to protect against bootkit and rootkit attacks.

Although password protection of the UEFI configuration is important for protecting a device's configuration and preventing an attacker from disabling UEFI's Secure Boot feature, it is critical to use a TPM and its Platform Configuration Register (PCR) measurements, specifically PCR7, which records the Secure Boot policy (the Secure Boot state, the signature databases, and the certificate that actually signed the boot loader), to ensure that the system's boot loader (whether Windows or a non-Microsoft encryption solution) is tamper free and is the first code to start on the device. An encryption solution that doesn't use a device's TPM to protect its components from tampering may be unable to protect itself from bootkit-level infections that could log a user's password or acquire encryption keys. For this reason, when BitLocker is configured on Windows 8– and Windows 7–certified devices that include a TPM, the TPM and its PCRs are always used to secure and confirm the integrity of the pre–operating system environment before making encrypted volumes accessible.

Any change to the Secure Boot configuration, including turning Secure Boot off, replacing the signature databases, or booting a loader signed by a different certificate, changes the PCR7 measurement, invalidates the sealed key, and requires the user to enter the BitLocker recovery key. Because of this feature, it's not critical to password-protect your UEFI configuration to protect the key itself. If an attacker successfully turns off Secure Boot or otherwise changes the Secure Boot configuration, they will need to enter the BitLocker recovery key, but UEFI password protection is a best practice and is still required for systems not using a TPM (such as non-Microsoft alternatives).
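The PCR mechanism described above is easier to reason about with a running model. The following Python is an added illustration, not code from this paper, from BitLocker, or from any TPM: it replays a boot's Secure Boot policy events into a simulated PCR7, seals a volume key against the resulting value, and then shows that a boot with Secure Boot turned off, or with a loader signed by a different certificate, produces a different PCR7 and cannot release the key. The event strings, the SHA-1 bank size, the "storage root key" value and the HMAC-based seal/unseal are all assumptions made for the model; a real TPM wraps the key in a blob only it can unwrap, but the release condition is the same: the PCR at unseal time must equal the PCR the key was sealed against.

```python
import hashlib
import hmac
import os

PCR_SIZE = 20  # SHA-1 PCR bank, as on a TPM 1.2 part (assumption for this model)


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend operation: PCR_new = H(PCR_old || H(event)).
    A PCR can only be extended, never written directly, so its final value
    depends on every event recorded since reset and on their order."""
    return hashlib.sha1(pcr + hashlib.sha1(event).digest()).digest()


def measure_boot(events) -> bytes:
    """Replay one boot's Secure Boot policy events into a reset (all-zero) PCR7."""
    pcr = bytes(PCR_SIZE)
    for event in events:
        pcr = pcr_extend(pcr, event)
    return pcr


def seal(vmk: bytes, expected_pcr: bytes, srk: bytes) -> dict:
    """Toy seal (not how a real TPM builds sealed blobs): wrap the volume
    master key under a key derived from the TPM-resident secret and the PCR
    value it is bound to, plus an HMAC so unseal can detect a policy mismatch."""
    kek = hmac.new(srk, b"seal|" + expected_pcr, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(vmk, kek[:len(vmk)]))
    tag = hmac.new(srk, b"tag|" + expected_pcr + ct, hashlib.sha256).digest()
    return {"ct": ct, "tag": tag}


def unseal(blob: dict, current_pcr: bytes, srk: bytes) -> bytes:
    """Release the key only if the current PCR7 equals the value sealed against.
    The PermissionError branch is where BitLocker falls back to asking for the
    48-digit recovery key."""
    tag = hmac.new(srk, b"tag|" + current_pcr + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise PermissionError("PCR7 mismatch: boot policy changed, recovery key required")
    kek = hmac.new(srk, b"seal|" + current_pcr, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], kek[:len(blob["ct"])]))


# Constructed PCR7 event sequences (simplified stand-ins for the real
# EV_EFI_VARIABLE_DRIVER_CONFIG and EV_EFI_VARIABLE_AUTHORITY events).
TRUSTED_BOOT = [
    b"SecureBoot=1",
    b"PK=OEM platform key",
    b"KEK=Microsoft Corporation KEK CA 2011",
    b"db=Microsoft Windows Production PCA 2011",
    b"dbx=revocation list v1",
    b"Authority=Microsoft Windows Production PCA 2011",  # certificate that signed the boot loader
]
SECURE_BOOT_OFF = [b"SecureBoot=0"] + TRUSTED_BOOT[1:]                  # attacker turned Secure Boot off
FOREIGN_LOADER = TRUSTED_BOOT[:-1] + [b"Authority=Some other UEFI CA"]  # loader signed by a different db certificate


def demo() -> dict:
    """Seal a fresh key against the trusted boot, then try to unseal it after
    three different boots. Returns which boots released the correct key."""
    srk = b"storage-root-key-that-never-leaves-the-tpm"  # constructed value
    vmk = os.urandom(32)
    blob = seal(vmk, measure_boot(TRUSTED_BOOT), srk)
    results = {}
    for name, events in (("trusted", TRUSTED_BOOT),
                         ("secure_boot_off", SECURE_BOOT_OFF),
                         ("foreign_loader", FOREIGN_LOADER)):
        try:
            results[name] = unseal(blob, measure_boot(events), srk) == vmk
        except PermissionError:
            results[name] = False
    return results


if __name__ == "__main__":
    print(demo())  # {'trusted': True, 'secure_boot_off': False, 'foreign_loader': False}
```

Two properties of the extend operation carry the security argument: the register cannot be set to a chosen value, only extended, and the order of events matters, so an attacker who changes any part of the Secure Boot policy cannot reproduce the original PCR7 from inside the boot they control. The recovery prompt is the designed response to that mismatch, not a failure of the mechanism.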

Brute-force sign-in attacks

Attackers can find any password if you allow them to guess enough times. The process of trying millions of different passwords until you find the right one is known as a brute-force sign-in attack. In theory, an attacker could obtain any password by using this method.

Three opportunities for brute-force attacks exist:

• Against the pre-boot authenticator: An attacker could attack the device directly by attempting to guess the user's BitLocker PIN or an equivalent authenticator. The TPM mitigates this approach by invoking an anti-hammering lockout capability that requires the user to wait until the lockout period ends or enter the BitLocker recovery key.

• Against the recovery key: An attacker could attempt to guess the 48-digit BitLocker recovery key. Even without a lockout period, the key is long enough to make brute-force attacks impractical. Specifically, the BitLocker recovery key has 128 bits of entropy, so an exhaustive search would on average succeed only after 2^127 (about 1.7 × 10^38) guesses. If an attacker could test 1 million keys per second, the average brute-force attack would take more than 5 × 10^24 years.

• Against the operating system sign-in authenticator: An attacker can attempt to guess a valid user name and password. Windows implements a delay between password guesses, slowing down brute-force attacks. In addition, all recent versions of Windows allow administrators to require complex passwords and password lockouts. Similarly, administrators can use Microsoft Exchange ActiveSync policy or Group Policy to configure Windows 8.1 and Windows 8 to automatically restart and require the user to enter the BitLocker 48-digit recovery key after a specified number of invalid password attempts. When these settings are enabled and users follow best practices for complex passwords, brute-force attacks against the operating system sign-in are impractical.

In general, brute-force sign-in attacks are not practical against Windows when administrators enforce complex passwords and account lockouts.
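The recovery-key entropy figure above follows from the structure of the 48-digit recovery password, which this paper does not spell out. The Python below is an added example (not from this paper or from Microsoft) that validates and generates recovery passwords and derives the brute-force numbers from the format. The format assumptions are taken from open-source BitLocker readers: eight groups of six decimal digits, each group divisible by 11 and below 720896, each group divided by 11 being one 16-bit word of a 16-byte value; the little-endian word order is an assumption, and the hashing BitLocker then applies to those 16 bytes is outside the example.

```python
import math
import secrets

GROUPS = 8                       # a recovery password is 8 groups of 6 decimal digits
WORD_VALUES = 65536              # each group encodes one 16-bit word
GROUP_LIMIT = WORD_VALUES * 11   # groups are the word times 11, so always < 720896
GUESSES_PER_SECOND = 1_000_000   # the paper's hypothetical attacker
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def parse_recovery_password(text: str) -> bytes:
    """Validate a 48-digit recovery password and return the 16 bytes it encodes.
    Format (as documented by open-source BitLocker readers, not by this paper):
    8 groups of 6 digits, each group divisible by 11 and below 720896; group/11
    is a 16-bit word, assumed little-endian here. BitLocker stretches these
    16 bytes into the real protector key; that step is outside this example."""
    groups = text.replace(" ", "").split("-")
    if len(groups) != GROUPS:
        raise ValueError(f"expected {GROUPS} groups, got {len(groups)}")
    words = bytearray()
    for g in groups:
        if len(g) != 6 or not g.isdigit():
            raise ValueError(f"group {g!r} is not six digits")
        n = int(g)
        # Divisibility by 11 is the check digit: because 10 == -1 (mod 11),
        # any single mistyped digit changes n mod 11 and is rejected.
        if n >= GROUP_LIMIT or n % 11 != 0:
            raise ValueError(f"group {g} fails the divisible-by-11 check")
        words += (n // 11).to_bytes(2, "little")
    return bytes(words)


def is_valid_recovery_password(text: str) -> bool:
    try:
        parse_recovery_password(text)
        return True
    except ValueError:
        return False


def format_recovery_password(key: bytes) -> str:
    """Inverse of parse_recovery_password: 16 bytes -> 48-digit password."""
    if len(key) != 16:
        raise ValueError("recovery key material must be 16 bytes")
    words = (int.from_bytes(key[i:i + 2], "little") for i in range(0, 16, 2))
    return "-".join(f"{w * 11:06d}" for w in words)


def generate_recovery_password() -> str:
    """Draw the 16 bytes from a CSPRNG; every group is then uniformly random."""
    return format_recovery_password(secrets.token_bytes(16))


def entropy_bits() -> int:
    return GROUPS * int(math.log2(WORD_VALUES))        # 8 * 16 = 128


def expected_guesses() -> int:
    """Average guesses for an exhaustive search: half the key space."""
    return 2 ** (entropy_bits() - 1)


def expected_years(rate: int = GUESSES_PER_SECOND) -> float:
    return expected_guesses() / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    pw = generate_recovery_password()
    print(pw, is_valid_recovery_password(pw))
    print(f"{entropy_bits()} bits, ~{expected_guesses():.2e} guesses, ~{expected_years():.1e} years")
```

The divisible-by-11 rule is worth knowing when handling recovery keys at a help desk: a password that fails the check was mistyped or mis-transcribed, and the check identifies which group, so there is no need to try it against the volume. The rule also explains why the 48 digits carry exactly 128 bits rather than the roughly 159 bits that 48 free decimal digits would hold.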

Direct memory access attacks

Direct memory access (DMA) allows certain types of hardware devices to communicate directly with a device's system memory. For example, if you use Thunderbolt to connect another device to your computer, the second device automatically has read and write access to the target computer's memory.

Unfortunately, DMA ports don't use authentication and access control to protect the contents of the computer's memory. Whereas Windows prevents system components and apps from reading and writing protected parts of memory, a device can use DMA to read any location in memory, including the location of any encryption keys.

DMA attacks are relatively easy to execute and require little technical skill. Anyone can download a tool from the Internet, such as those made by Passware, ElcomSoft, and others, and then use a DMA attack to read confidential data from a PC's memory. Because encryption solutions store their encryption keys in memory, those keys can be accessed by a DMA attack.

To perform a DMA attack, attackers typically connect a second PC that is running a memory-scanning tool (e.g., Passware, ElcomSoft) to the FireWire or Thunderbolt port of the target computer. When connected, the software scans the system memory of the target and locates the encryption key. Once acquired, the key can be used to decrypt the drive and read or modify its contents.

A much more efficient form of this attack exists in theory: An attacker crafts a custom FireWire or Thunderbolt device that has the DMA attack logic programmed on it. Now, the attacker simply needs to physically connect the device. If the attacker does not have physical access, they could disguise it as a free USB flash drive and distribute it to employees of a target organization. When connected, the attacking device could use a DMA attack to scan the PC's memory for the encryption key. It could then transmit the key (or any data in the PC's memory) using the PC's Internet connection or its own wireless connection. This type of attack would require an extremely high level of sophistication, because it requires that the attacker create a custom device (devices of these types are not readily available in the marketplace at this time).

The most common, legitimate use for DMA ports is developer debugging, a task that some developers need to perform and one that few consumers will ever perform. Because USB, DisplayPort, and other, more secure port types satisfy consumers, most new mobile PCs do not include DMA ports. Microsoft's view is that because of the inherent security risks of DMA ports, they do not belong on mobile devices, and Microsoft has prohibited their inclusion on any InstantGo-certified devices. InstantGo devices offer mobile phone–like power management and instant-on capabilities; at the time of writing, they are primarily found in Windows tablets. In 2014, Microsoft expects to see InstantGo trickle down into more mobile device types, such as convertibles and traditional laptops.

NOTE

Not all port types are vulnerable to DMA attacks. USB in particular does not allow DMA (a USB device cannot initiate bus-master transfers; only the host controller inside the PC does), but devices that have any of the following port types are vulnerable, because each exposes a bus-mastering interface to whatever is plugged in:

• FireWire

• Thunderbolt

• ExpressCard

• PCMCIA

• PCI

• PCI-X

• PCI Express

DMA-based expansion slots are another avenue of attack, but these slots generally appear only on desktop PCs that are designed for expansion. Organizations can use physical security to prevent outside attacks against their desktop PCs. In addition, a DMA attack on the expansion slot would require a custom device; as a result, an attacker would most likely insert an interface with a traditional DMA port (for example, FireWire) into the slot to attack the PC.

New to Windows 8.1 is a capability by which Windows won't enable newly attached DMA devices until the operating system starts and a user signs in. Every time the PC switches to suspend, hibernation, or sleep mode, Windows waits for the user to sign in before granting new devices DMA access. This delay helps prevent DMA attacks when an authorized user isn't present. This new Windows 8.1 behavior successfully mitigates the DMA attack vector and eliminates the need for pre-boot authentication in most scenarios. Another option is for administrators to configure policy settings to disable FireWire and other device types that have DMA; many PCs also allow those devices to be disabled by using firmware settings. Although the need for pre-boot authentication can be eliminated at the device level or through Windows configuration, the BitLocker pre-boot authentication feature is still available when needed. When used, it mitigates all types of DMA port and expansion slot attacks on any type of device, because the key is not loaded into memory until the user has authenticated; this protection holds only while the unattended device is powered off or hibernated rather than sleeping.

Hiberfil.sys attacks

The hiberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hiberfil.sys file.


Like the DMA port attack discussed in the previous section, tools are available that can scan the hiberfil.sys file and locate the encryption key, including a tool made by Passware. Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hiberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it.

In practice, the only way an attack on hiberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hiberfil.sys file on an unencrypted drive. By default, both Windows 8 and Windows 7 are designed to be secure against this type of attack.

Memory remanence attacks

A memory remanence attack is a side-channel attack that reads the encryption key from memory after restarting a PC. Although a PC's memory is often considered to be cleared when the PC is restarted, memory chips don't immediately lose their contents when you disconnect power. Therefore, an attacker who has physical access to the PC's memory might be able to read data directly from the memory, including the encryption key.

When performing this type of cold boot attack, the attacker accesses the PC's physical memory and recovers the encryption key within a few seconds or minutes of disconnecting power. This type of attack was demonstrated by researchers at Princeton University. With the encryption key, the attacker would be able to decrypt the drive and access its files.

To acquire the keys, attackers follow this process:

1. Freeze the PC's memory. For example, an attacker can freeze the memory to −50°C by spraying it with aerosol air duster spray.

2. Restart the PC.

3. Instead of restarting Windows, boot to another operating system. Typically, this is done by connecting a bootable flash drive or loading a bootable DVD.

4. The bootable media loads the memory remanence attack tools, which the attacker uses to scan the system memory and locate the encryption keys.

5. The attacker uses the encryption keys to access the drive's data.
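Both the DMA tools described earlier and step 4 of the cold boot procedure above rely on the same technique to "locate the encryption key" in a memory image: software AES implementations keep the fully expanded key schedule in RAM, and the 160 derived bytes of an AES-128 schedule are a deterministic function of the 16-byte key, so a scanner can recompute the expansion at every offset and report the offsets where it matches. The Python below is an added example, not a tool from this paper, from Microsoft, or from the Princeton researchers (whose published finder additionally tolerates the bit errors that decayed memory introduces; this version requires an exact match). The S-box is computed rather than embedded, and the "memory image" is a constructed buffer of random filler with one genuine schedule planted in it; the same scan applies unchanged to a hibernation file or a DMA capture.

```python
import random

SCHEDULE_LEN = 176   # AES-128: 11 round keys x 16 bytes


def _xtime(a: int) -> int:
    """Multiply by x in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a


def _gf_mul(a: int, b: int) -> int:
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = _xtime(a)
        b >>= 1
    return p


def _build_sbox() -> bytes:
    """Compute the AES S-box (inverse in GF(2^8), then the affine map)
    instead of embedding the 256-entry table."""
    inv = [0] * 256
    for x in range(1, 256):
        if inv[x]:
            continue
        for y in range(x, 256):
            if _gf_mul(x, y) == 1:
                inv[x], inv[y] = y, x
                break
    sbox = bytearray()
    for x in range(256):
        b = inv[x]
        s = b
        for shift in (1, 2, 3, 4):
            s ^= ((b << shift) | (b >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return bytes(sbox)


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for a 16-byte key: returns the 176-byte schedule."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])          # RotWord + SubWord
            t = bytes([t[0] ^ RCON[i // 4 - 1]]) + t[1:]        # Rcon
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return b"".join(w)


def find_aes128_keys(mem: bytes) -> list:
    """Scan a memory image for expanded AES-128 key schedules. The 160 derived
    bytes are a function of the first 16, so a match is almost certainly a
    real key rather than chance. Returns (offset, key) pairs."""
    hits = []
    for off in range(len(mem) - SCHEDULE_LEN + 1):
        k = mem[off:off + 16]
        # Cheap pre-filter: recompute only round-key word 4 before a full expansion.
        t = bytes(SBOX[b] for b in k[13:16] + k[12:13])
        w4 = bytes([k[0] ^ t[0] ^ RCON[0], k[1] ^ t[1], k[2] ^ t[2], k[3] ^ t[3]])
        if w4 != mem[off + 16:off + 20]:
            continue
        if expand_key(k) == mem[off:off + SCHEDULE_LEN]:
            hits.append((off, k))
    return hits


def build_sample_dump(seed: int = 7, size: int = 32768, offset: int = 12345):
    """Constructed stand-in for a RAM image or hibernation file: random filler
    with one genuine key schedule planted at `offset`."""
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(16))
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    image[offset:offset + SCHEDULE_LEN] = expand_key(key)
    return bytes(image), offset, key


if __name__ == "__main__":
    dump, planted_at, planted_key = build_sample_dump()
    for off, key in find_aes128_keys(dump):
        print(f"AES-128 key schedule at 0x{off:x}: key {key.hex()}")
```

The scan needs no knowledge of where the encryption software keeps its state, which is why generic tools work against any software AES implementation. It is also why the countermeasures in this paper aim at keeping the key out of memory (pre-boot authentication, hibernation instead of sleep) or at denying the attacker a way to read memory (no DMA ports, no booting of unsigned media), rather than at hiding the key within memory.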


If the attacker is unable to boot the device to another operating system (for example, if bootable flash drives have been disabled or UEFI Secure Boot is enabled), the attacker can attempt to physically remove the frozen memory from the device and attach it to a different, possibly identical device. Fortunately, this process has proven extremely unreliable, as evidenced by the Defence Research and Development Canada (DRDC) Valcartier group's analysis (see "An in-depth analysis of the cold boot attack" at http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078). On an increasing portion of modern devices, this transplant variant of the attack is not even possible, because memory is soldered directly to the motherboard.

Although Princeton's research proved that this type of attack was possible on devices that have removable memory, device hardware has changed since the research was published in 2008:

• Windows 8–certified devices include UEFI-based Secure Boot, which prevents the malicious tools that the Princeton attack depends on from running on the target device.

• Windows 8 and Windows 7 systems with BIOS or UEFI can be locked down with a password, and booting to a USB drive can be prevented.

• If booting to USB is required on the device, it can be limited to starting trusted operating systems on Windows 8–certified devices (UEFI-based Secure Boot).

• The discharge rates of memory are highly variable among devices, and many devices have memory that is completely immune to memory remanence attacks.

• Increased density of memory diminishes its remanence properties and reduces the likelihood that the attack can be successfully executed, even when memory is physically removed and placed in an identical system whose configuration may enable booting to the malicious tools.

Because of these factors, this type of attack is rarely possible on modern devices. Even in cases where the risk factors exist on legacy devices, attackers will find the attack unreliable. For detailed information about the practical uses for forensic memory acquisition and the factors that make a computer vulnerable or resistant to memory remanence attacks, read "An in-depth analysis of the cold boot attack" at http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078.

The BitLocker pre-boot authentication feature can successfully mitigate memory remanence attacks on most devices, but you can also mitigate such attacks by protecting the system UEFI or BIOS with a password and preventing the PC from booting from external media (such as a USB flash drive or DVD). The latter option is often a better choice, because it provides sufficient protection without inconveniencing users with pre-boot authentication.


Countermeasures

BitLocker was introduced in the Windows Vista operating system as part of a strategic approach to securing mobile data through encryption technology. Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer's hard disk to a different computer. Today, BitLocker helps mitigate unauthorized data access on lost or stolen computers before the operating system is started by:

• Encrypting the hard drives on your computer: For example, you can turn on BitLocker for your operating system drive (the drive on which Windows is installed), a fixed data drive (such as a different volume on the system drive or a separate internal hard drive), or a removable data drive (such as a USB flash drive). Turning on BitLocker for your operating system drive encrypts all system files on the operating system drive, including the swap files and hibernation files.

• Ensuring the integrity of early boot components and boot configuration data: On Windows 7–certified devices that have a TPM version 2.0 or 1.2, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computer's boot components appear unaltered and the encrypted disk is located in the original computer. On Windows 8–certified devices, a combination of UEFI and TPM helps ensure integrity.

The sections that follow provide more detailed information about the different technologies that Windows uses to protect against attacks on the BitLocker encryption key in four different boot phases: before startup, during pre-boot, during startup, and finally after startup.

Protection before startup

Before Windows starts, you must rely on security features implemented as part of the device hardware, including the TPM and UEFI Secure Boot. Fortunately, many modern computers feature a TPM, and all Windows 8.1– and Windows 8–certified devices support all of these features.

Trusted Platform Module

Software alone isn't sufficient to protect a system. After an attacker has compromised software, the software might be unable to detect the compromise. Therefore, a single successful software compromise results in an untrusted system that might never be detected. Hardware, however, is much more difficult to modify.


A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer and communicates with the rest of the system through a hardware bus. Physically, TPMs are designed to be tamper-resistant. If an attacker tries to physically retrieve data directly from the chip, they'll probably destroy the chip in the process.

By binding the BitLocker encryption key to the TPM and properly configuring the device, it's nearly impossible for an attacker to gain access to the BitLocker-encrypted data without obtaining an authorized user's credentials. Therefore, computers with a TPM can provide a high level of protection against attacks that attempt to directly retrieve the BitLocker encryption key.

On devices running Windows 8, the combination of a TPM and UEFI Secure Boot provides sufficient device integrity–related security: BitLocker seals the key to the Secure Boot policy measurement in PCR7 (together with PCR11, the register BitLocker itself extends once the key has been released). On devices running Windows 8 or Windows 7 without UEFI-based Secure Boot, the TPM will be used to protect the system's boot-related components instead, by sealing the key to the measurements of the firmware and boot code in the static PCRs (0, 2, 4 and 11 in the Windows 8 default platform validation profile).

UEFI and Secure Boot

No operating system can protect a device when the operating system is offline. For that reason, Microsoft worked closely with hardware vendors to require firmware-level protection against bootkits and rootkits that might compromise an encryption solution's encryption keys in all Windows 8–certified devices.

UEFI is a programmable boot environment introduced as a replacement for BIOS, which has for the most part remained unchanged for the past 30 years. Like BIOS, UEFI is started by the PC before any other software; it initializes devices, and then starts the operating system's boot loader. As part of its introduction into the pre–operating system environment, UEFI serves a number of purposes, but one of the key benefits is to protect newer devices against a sophisticated type of malware called a bootkit, through the use of its Secure Boot feature.

Recent implementations of UEFI (starting with version 2.3.1, which is in all Windows 8–certified devices) can verify the digital signatures of the code the firmware loads before running it. Because only the PC's hardware manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI can prevent firmware-based bootkits. Thus, UEFI is the first link in the chain of trust. Note that Secure Boot checks the images the firmware loads (option ROMs, UEFI drivers, and boot loaders); the integrity of the firmware image in flash itself depends on the platform's signed-update process and on whatever hardware root of trust the platform provides, not on Secure Boot.

The UEFI-based Secure Boot feature is the foundation of platform and firmware security and was created to enhance security in the pre-boot environment regardless of device architecture. Using signatures to validate the integrity of firmware images before they are allowed to execute, Secure Boot helps reduce the risk of boot loader attacks. The purpose of Secure Boot is to block untrusted firmware and boot loaders (signed or unsigned) from being able to start on the system.

With the legacy BIOS boot process, the pre–operating system environment is vulnerable to attacks that redirect the boot loader handoff to possibly malicious loaders. These loaders could remain undetected by the operating system and antimalware software. The diagram in Figure 1 contrasts the BIOS and UEFI startup processes.

With Secure Boot enabled, UEFI, in coordination with the TPM, can examine the boot loader and determine whether it's trustworthy. To determine whether the boot loader is trustworthy, UEFI examines the boot loader's digital signature. Using the digital signature, the UEFI:

• Verifies that the boot loader hasn't been modified since it was signed

• Verifies that the boot loader was signed using a trusted certificate (in the case of Windows 8, Microsoft's certificate) and that neither the image nor its signer is listed in the forbidden-signature database (dbx)

If the boot loader passes these two tests, the UEFI knows that the boot loader isn't a bootkit and starts it. At this point, Windows 8.1's Trusted Boot feature takes over, and the Windows 8 boot loader, using the same cryptographic technologies that UEFI used to verify the boot loader, then verifies that the Windows system files haven't been changed.

Figure 1: The BIOS and UEFI startup processes. BIOS hands off to any OS loader (including malware), after which the OS starts; UEFI hands off only to a verified OS loader, after which the OS starts.

All Windows 8–certified devices must meet several requirements related to UEFI-based Secure Boot:

• They must have Secure Boot enabled by default.

• They must trust Microsoft's certificate (and thus any boot loader Microsoft has signed).

• They must allow the user to configure Secure Boot to trust other signed boot loaders.

• Except for Windows RT devices, they must allow the user to completely disable Secure Boot.

These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems:

• Use an operating system with a certified boot loader: Because all Certified for Windows 8 PCs must trust Microsoft's certificate, Microsoft offers a service to analyze and sign non-Microsoft boot loaders so that they can be trusted by all Certified for Windows 8 PCs. The Linux community is using this process to enable Linux to take advantage of UEFI Secure Boot on Windows-certified devices.

• Configure UEFI to trust your custom boot loader: All Certified for Windows 8 PCs allow you to trust a signed, noncertified boot loader that you specify in the UEFI signature database, allowing you to run any operating system, including homemade operating systems.

• Turn off Secure Boot: All Certified for Windows 8 PCs allow you to turn off Secure Boot so you can run any software. This does not help protect you from bootkits, however.

To prevent malware from abusing these options, the user has to manually configure the UEFI firmware to trust a noncertified boot loader or to turn off Secure Boot. Software running in the operating system cannot change the Secure Boot settings: the signature databases are authenticated UEFI variables that accept only updates signed by a key already trusted in the hierarchy (for example, a dbx revocation update signed under the KEK), and the Secure Boot on/off state can be changed only through the firmware's setup interface, which is why that interface should be password-protected.

Any device that doesn't require Secure Boot or a similar boot loader–verification technology, regardless of the architecture or operating system, is vulnerable to bootkits, which can be used to compromise the encryption solution. By default, all Windows 8–certified devices have UEFI-based Secure Boot enabled.

UEFI is secure by design, but it's critical to protect the Secure Boot configuration by using password protection. In addition, although several well-publicized attacks against UEFI have occurred, they were exploiting faulty UEFI implementations. Those attacks are ineffective when UEFI is implemented properly.

For more information about Secure Boot, refer to "Securing the Windows 8 Boot Process" at http://technet.microsoft.com/en-US/windows/dn168167.aspx.

Protection during pre-boot: pre-boot authentication

Pre-boot authentication with full-disk encryption products (including BitLocker) is a process that requires a user to authenticate prior to making the contents of the system drive accessible. In the case of BitLocker, BitLocker encrypts the entire drive, including all system files. BitLocker accesses and stores the encryption key in memory only after a user provides a specific PIN or USB startup key.

If Windows can't access the encryption key, the device can't read or edit the files on the system drive. Even if an attacker takes the disk out of the PC or steals the entire PC, they won't be able to read or edit the files without the encryption key. The only option for bypassing pre-boot authentication is entering the highly complex, 48-digit recovery key.

The BitLocker pre-boot authentication capability is not specifically designed to prevent the operating system from starting: That's merely a side effect of how BitLocker protects data confidentiality and system integrity. Pre-boot authentication is designed to prevent the encryption key from being loaded into system memory on devices that are vulnerable to certain types of cold boot attacks. Many modern devices prevent an attacker from easily removing the memory, and Microsoft expects those devices to become even more common in the future.

On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:

• TPM-only: Using TPM-only validation does not require any interaction with the user to decrypt and provide access to the drive. If the TPM validation succeeds, the user logon experience is the same as a standard logon. If the TPM is missing or changed, or if the TPM detects changes to critical operating system startup files, BitLocker enters its recovery mode, and the user must enter a recovery password to regain access to the data.

• TPM with startup key: In addition to the protection that the TPM provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key.

• TPM with PIN: In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN.

• TPM with startup key and PIN: In addition to the core component protection that the TPM provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication, so that if the USB key is lost or stolen, it cannot be used for access to the drive, because the correct PIN is also required.

For many years, Microsoft has recommended using pre-boot authentication to protect against DMA and memory remanence attacks. Today, Microsoft recommends using pre-boot authentication only on PCs running Windows 7 that have an enabled DMA port, or on any device that is susceptible to memory remanence attacks.

Although effective, pre-boot authentication is inconvenient to users. In addition, if a user forgets their PIN or loses their startup key, they're denied access to their data until they can contact their organization's support team to obtain a recovery key. Today, most new PCs running Windows 8.1 or Windows 8 provide sufficient protection against DMA attacks without requiring pre-boot authentication. For example, most modern PCs include USB ports (which are not vulnerable to DMA attacks) but do not include FireWire or Thunderbolt ports (which are vulnerable to DMA attacks).

In fact, to achieve a Windows 8 InstantGo (formerly Connected Standby) certification from Microsoft, new devices can't include a DMA port, eliminating the need for pre-boot authentication to mitigate a DMA port attack in most tablets and other Windows 8–certified devices. Although this certification is currently implemented only on tablet devices, starting in 2014, Microsoft expects to see devices such as convertibles and laptops certified for InstantGo.

BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 7. Windows 8.1 devices do not need pre-boot authentication to protect against the most commonly used DMA attack vectors, because newly attached DMA devices get DMA access only after a user authenticates and signs in to Windows. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy.

Manynewmobiledeviceshavethesystemmemorysolderedtothemotherboard,whichhelpspreventthecoldboot–styleattack,wherethesystemmemoryisfrozen,removed,andthenplacedintoanotherdevice.Thosedevices,andmostPCs,canstillbevulnerablewhenbootingtoamaliciousoperatingsystem,however.


You can mitigate the risk of booting to a malicious operating system:

• Windows 8.1 (without Secure Boot), Windows 8 (without UEFI-based Secure Boot), or Windows 7 (with or without a TPM) Disable booting from external media, and require a firmware password to prevent the attacker from changing that option.

• Windows 8.1 or Windows 8 (certified or with Secure Boot) Password protect the firmware, and do not disable Secure Boot.
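The DMA port check recommended earlier and the firmware checks listed above can be turned into one repeatable audit. The following PowerShell is an added example, not the paper's own guidance: it relies on WMI and manage-bde so it runs on Windows 7 as well as 8 and 8.1, matches Thunderbolt controllers by friendly name (a heuristic, since they enumerate as PCI bridges), skips the Secure Boot check where the cmdlet does not exist, and reports the firmware password as a manual item because Windows cannot read it. Run it elevated.

```powershell
# Added example, not from the Microsoft paper. Audits the conditions the paper ties to the
# pre-boot authentication decision. Thunderbolt detection by name is a heuristic; a firmware
# password cannot be read from Windows and is reported as a manual check.

function Get-DmaCapableControllers {
    # IEEE 1394 (FireWire) controllers carry the 1394 device setup class GUID.
    $ieee1394ClassGuid = '{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}'
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.ClassGuid -eq $ieee1394ClassGuid -or $_.Name -match 'Thunderbolt|1394' } |
        Select-Object Name, DeviceID, Status
}

function Get-OsVolumeProtectors {
    # manage-bde exists on Windows 7, where the BitLocker PowerShell module does not.
    $text = (& manage-bde.exe -protectors -get $env:SystemDrive 2>&1) -join "`n"
    [pscustomobject]@{
        Tpm              = $text -match 'TPM'
        Pin              = $text -match 'PIN'
        StartupKey       = $text -match 'Startup Key|External Key'
        RecoveryPassword = $text -match 'Numerical Password'
    }
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI exists on Windows 8 and later and throws on legacy BIOS firmware.
    if (-not (Get-Command Confirm-SecureBootUEFI -ErrorAction SilentlyContinue)) { return 'NotAvailable' }
    try { if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' } }
    catch { 'LegacyBIOS' }
}

function Invoke-PreBootAuthAudit {
    $os      = Get-WmiObject -Class Win32_OperatingSystem
    $version = [version]$os.Version      # 6.1 = Windows 7, 6.2 = Windows 8, 6.3 = Windows 8.1
    $dma     = @(Get-DmaCapableControllers)
    $prot    = Get-OsVolumeProtectors
    $sb      = Get-SecureBootState

    $findings = New-Object System.Collections.Generic.List[string]

    if ($dma.Count -gt 0) {
        $names = ($dma | ForEach-Object { $_.Name }) -join '; '
        if ($version -lt [version]'6.3') {
            # Paper: Windows 7/8 with an enabled DMA port -> disable the port or use pre-boot authentication.
            $findings.Add("DMA-capable controller present ($names): disable it or require a TPM+PIN or startup key protector.")
        } else {
            $findings.Add("DMA-capable controller present ($names): Windows 8.1 gates new DMA devices until sign-in; disable the port if unused.")
        }
    }
    if (-not $prot.Tpm)              { $findings.Add('OS volume has no TPM protector; boot integrity is not validated.') }
    if (-not $prot.RecoveryPassword) { $findings.Add('No recovery password protector; users have no recovery path.') }
    if ($sb -eq 'Disabled')          { $findings.Add('Secure Boot is disabled; re-enable it and password protect the firmware.') }
    if ($sb -eq 'LegacyBIOS' -or $sb -eq 'NotAvailable') {
        $findings.Add('No UEFI Secure Boot: disable booting from external media and set a firmware password (manual check).')
    }
    $findings.Add('Firmware password cannot be verified from Windows; confirm it is set (manual check).')

    [pscustomobject]@{
        WindowsVersion   = $version
        DmaControllers   = $dma
        Protectors       = $prot
        SecureBoot       = $sb
        PreBootAuthInUse = [bool]($prot.Pin -or $prot.StartupKey)
        Findings         = $findings
    }
}

Invoke-PreBootAuthAudit | Format-List
```

The output is meant to feed the decision in the paper's figures: a Windows 7 device that lists a DMA-capable controller and has no PIN or startup key protector is the case where pre-boot authentication (or disabling the port) is still recommended.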

Protection during startup

During the startup process, Windows 8.1 and Windows 8 use Trusted Boot and Early Launch Anti-Malware (ELAM) to examine the integrity of every component. The sections that follow describe these technologies in more detail.

Trusted Boot

Trusted Boot takes over where UEFI-based Secure Boot leaves off—during the operating system initialization phase. The boot loader verifies the digital signature of the Windows 8 kernel before loading it. The Windows 8 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM driver. If a file has been modified or is not properly signed with a Microsoft signature, Windows detects the problem and refuses to load the corrupted component. Often, Windows 8 can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.

Windows 8 uses Trusted Boot on any hardware platform: It requires neither UEFI nor a TPM. However, without Secure Boot, it's possible for malware to compromise the startup process prior to Windows starting, at which point Trusted Boot protections could be bypassed or potentially disabled.

Early Launch Anti-Malware

Because UEFI-based Secure Boot has protected the boot loader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps don't start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.

The purpose of ELAM is to load an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software.

With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy.

ELAM classifies drivers as follows:

• Good The driver has been signed and has not been tampered with.

• Bad The driver has been identified as malware. It is recommended that you not allow known bad drivers to be initialized.

• Bad but required for boot The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.

• Unknown This driver has not been attested to by your malware-detection application or classified by the ELAM boot-start driver.
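The initialization policy that decides which of these four classifications are allowed to start is the "Boot-Start Driver Initialization Policy" Group Policy setting. As an added example (not code from the paper), the following PowerShell reads the value that policy writes to the registry, evaluates each classification against it, and lists the ELAM drivers registered on the PC. The registry path and the value meanings are the documented ones for that policy; the assumption that ELAM drivers register in the "Early-Launch" load order group is how the registered-driver lookup is done.

```powershell
# Added example, not from the Microsoft paper. Reads the "Boot-Start Driver Initialization Policy"
# value and evaluates which ELAM classifications it lets initialize. The "Early-Launch" load order
# group used to find registered ELAM drivers is an assumption.

$ElamPolicyKey           = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
$DefaultDriverLoadPolicy = 3   # Good, unknown and bad-but-boot-critical (the Windows default)

function Get-ElamDriverLoadPolicy {
    # 0 = Good only, 1 = Good and unknown, 3 = Good, unknown and bad but critical (default), 7 = All.
    $item = Get-ItemProperty -Path $ElamPolicyKey -Name DriverLoadPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $DefaultDriverLoadPolicy }
    return [int]$item.DriverLoadPolicy
}

function Test-ElamClassificationAllowed {
    param(
        [ValidateSet('Good', 'Unknown', 'BadButBootCritical', 'Bad')][string]$Classification,
        [int]$Policy = (Get-ElamDriverLoadPolicy)
    )
    switch ($Classification) {
        'Good'               { $true }                          # always initialized
        'Unknown'            { @(1, 3, 7) -contains $Policy }
        'BadButBootCritical' { @(3, 7) -contains $Policy }
        'Bad'                { $Policy -eq 7 }                  # only under "All"
    }
}

function Get-RegisteredElamDrivers {
    # Assumption: ELAM drivers register as boot-start (Start = 0) services in the "Early-Launch" group.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ($svc -and $svc.Group -eq 'Early-Launch' -and $svc.Start -eq 0) {
            [pscustomobject]@{ Name = $_.PSChildName; ImagePath = $svc.ImagePath }
        }
    }
}

$policy = Get-ElamDriverLoadPolicy
"Effective DriverLoadPolicy: $policy"
foreach ($class in 'Good', 'Unknown', 'BadButBootCritical', 'Bad') {
    '{0,-20} initializes: {1}' -f $class, (Test-ElamClassificationAllowed -Classification $class -Policy $policy)
}
'Registered ELAM drivers:'
Get-RegisteredElamDrivers | Format-Table -AutoSize
```

A policy of 7 ("All") initializes drivers the ELAM driver has classified as known bad, which is the setting the paper recommends against; the default of 3 keeps the machine bootable when a boot-critical driver is flagged while still refusing other known-bad drivers.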

Protection after startup: DMA attack protection

Windows 8.1 minimizes the risk of DMA attacks by preventing newly attached DMA devices from gaining DMA until a user authenticates by signing in. This doesn't eliminate the risk, but it does reduce the risk of an attacker connecting a DMA device to a PC and retrieving the encryption key while the user is away from the PC.

To successfully perform a DMA attack on a Windows 8.1 device, the attacker would need a malicious DMA device connected to the PC while the user was logged on. The attacker would not simply be able to attach a DMA device when the user was at the PC, retrieve the encryption key, and then leave with the device. The attacker would either need to:

• Attach the device while the user was logged on

• Attach the device at any time, wait for the user to log on, and then return to retrieve the device

Windows 8 InstantGo–certified devices do not have DMA ports, eliminating the risk of DMA attacks. On other devices, you might be able to disable FireWire, Thunderbolt, or other ports that support DMA.


Choosing the right countermeasures

Figure 2, Figure 3 on page 19, and Figure 4 on page 20 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default settings.

FIGURE 2 How to choose the best countermeasures for Windows 7

Windows 7 without TPM

• Bootkits and Rootkits: Without TPM, boot integrity checking is not available

• Brute Force Sign-in: Secure by default, and can be improved with account lockout Group Policy

• DMA Attacks: Check devices for DMA ports. Consider disabling ports if not in use or require BitLocker with pre-boot authentication

• Hyberfil.sys Attacks: Secure by default, hyberfil.sys secured on encrypted volume

• Memory Remanence Attacks: Require a BIOS password and disable booting from external media. If an attack is viable, consider pre-boot authentication

Windows 7 with TPM

• Bootkits and Rootkits: Secure by default. Require BitLocker with TPM for boot integrity validation

• Brute Force Sign-in: Secure by default, and can be improved with account lockout Group Policy

• DMA Attacks: Check devices for DMA ports. Consider disabling ports if not in use or require BitLocker with pre-boot authentication

• Hyberfil.sys Attacks: Secure by default, hyberfil.sys secured on encrypted volume

• Memory Remanence Attacks: Require a BIOS password and disable booting from external media. If an attack is viable, consider pre-boot authentication


FIGURE 3 How to choose the best countermeasures for Windows 8

Windows 8 without TPM

• Bootkits and Rootkits: Without TPM, boot integrity checking is not available

• Brute Force Sign-in: Secure by default, and can be improved with account lockout Group Policy

• DMA Attacks: Check devices for DMA ports. Consider disabling ports if not in use or require BitLocker with pre-boot authentication

• Hyberfil.sys Attacks: Secure by default, hyberfil.sys secured on encrypted volume

• Memory Remanence Attacks: Require a BIOS password and disable booting from external media. If an attack is viable, consider pre-boot authentication

Windows 8 Certified

• Bootkits and Rootkits: Secure by default when UEFI-based Secure Boot is enabled and a password is required to change settings

• Brute Force Sign-in: Secure by default, and can be improved with account lockout and device lockout Group Policy settings

• DMA Attacks: Check devices for DMA ports. Consider disabling ports if not in use or require BitLocker with pre-boot authentication

• Hyberfil.sys Attacks: Secure by default, hyberfil.sys secured on encrypted volume

• Memory Remanence Attacks: Password protect the firmware and ensure Secure Boot is enabled. If an attack is viable, consider pre-boot authentication


FIGURE 4 How to choose the best countermeasures for Windows 8.1

Windows 8.1 without TPM

• Bootkits and Rootkits: Without TPM, boot integrity checking is not available

• Brute Force Sign-in: Secure by default, and can be improved with account lockout Group Policy

• DMA Attacks: Secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in

• Hyberfil.sys Attacks: Secure by default, hyberfil.sys secured on encrypted volume

• Memory Remanence Attacks: Require a BIOS password and disable booting from external media. If an attack is viable, consider pre-boot authentication

Windows 8.1 Certified

• Bootkits and Rootkits: Secure by default when UEFI-based Secure Boot is enabled and a password is required to change settings

• Brute Force Sign-in: Secure by default, and can be improved with account lockout and device lockout Group Policy settings

• DMA Attacks: Secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in

• Hyberfil.sys Attacks: Secure by default, hyberfil.sys secured on encrypted volume

• Memory Remanence Attacks: Password protect the firmware and ensure Secure Boot is enabled. If an attack is viable, consider pre-boot authentication


Summary

You can use BitLocker to protect your Windows 8.1, Windows 8, and Windows 7 client PCs. Whichever operating system you're using, Microsoft and Windows-certified devices provide countermeasures to address attacks and improve your data security. In most cases, particularly on Windows 8 devices, this protection can be implemented without the need for pre-boot authentication.

The latest Windows 8.1 InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows 8.1 devices can be, too. DMA port–based attacks, which represent the attack vector of choice, are not possible on InstantGo devices, on which these port types are prohibited. DMA ports on even non-InstantGo devices are increasingly rare, particularly on mobile devices. Regardless of the hardware configuration, the risk of DMA attacks has been addressed in Windows 8.1 itself, which has been updated to prevent new DMA devices that have been attached to a device from gaining DMA until an authorized user signs in. DMA ports can even be disabled entirely, which is an increasingly popular option because the use of DMA ports is rare in the non-developer space.

Memory remanence attacks can be mitigated with proper configuration; in cases where the system memory is fixed and non-removable, they are not possible using published techniques. Even in cases where system memory can be removed and loaded into another device, attackers will find the attack vector extremely unreliable, as has been shown in the DRDC Valcartier group's analysis (see "An in-depth analysis of the cold boot attack" at http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078).

Windows 7 PCs share the same security risks as Windows 8 devices but are far more vulnerable to DMA and memory remanence attacks, because Windows 7 devices are more likely to include DMA ports, lack support for UEFI-based Secure Boot, and rarely have fixed memory. To eliminate the need for pre-boot authentication on Windows 7 devices, disable the ability to boot to external media, password-protect the BIOS configuration, and disable the DMA ports. If you believe that your devices may be a target of a memory remanence attack, where the system memory may be removed and put into another machine to gain access to its contents, consider testing your devices to determine whether they are susceptible to this type of attack.

In the end, many customers will find that pre-boot authentication improves security only for a shrinking subset of devices within their organization. Microsoft recommends a careful examination of the attack vectors and mitigations outlined in this document along with an evaluation of your devices before choosing to implement pre-boot authentication, which may not enhance the security of your devices and instead will only compromise the user experience and add to support costs.


© 2014 Microsoft Corporation. All rights reserved.

This document is for informational purposes only and is provided "as is." Views expressed in this document, including URL and any other Internet Web site references, may change without notice. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.