Over the timeframe of about six months, together with other colleagues from Fraunhofer SIT, our group has performed a comprehensive security analysis of the encryption software TrueCrypt. The study was conducted for the German Federal Office for Information Security (BSI), who is releasing the report today on its website. (English version here.)

In June 2014, the open-source disk-encryption solution TrueCrypt was abandoned by its anonymous developers, while at the same time hinting the many users of the solution at potential vulnerabilities. On behalf of the BSI, we examined TrueCrypt for vulnerabilities, both conceptually and on the level of program code. As part of this task, we also considered and reviewed the results of previous security assessments.

On previously reported vulnerabilities in the driver component

Our general conclusion is that TrueCrypt is safer than previous examinations suggest. About a month ago, for instance, Google’s Project Zero had discovered two previously unknown vulnerabilities in TrueCrypt, one of them classified as critical. The error allows such malicious code that already has access to the running computer system to acquire expanded system rights. The vulnerability should be fixed, as privilege escalation opens the door for other attacks. But similar problems could arise with any kernel-level driver. Importantly, the problem found does not provide an attacker simplified access to encrypted data. To exploit the vulnerability, the attacker would have to have far-reaching access to the system anyway, for example, via a Trojan Horse or some other form of remote or direct access.

It does not seem apparent to many people that TrueCrypt is inherently not suitable to protect encrypted data against attackers who can repeatedly access the running system. This is because when a TrueCrypt volume is mounted its data is generally accessible through the file system, and with repeated access one can install key loggers etc. to get hold of the key material in many situations. Only when unmounted, and no key is kept in memory, can a TrueCrypt volume really be secure. In result, TrueCrypt provides good protection mostly when storing encrypted data offline. If keeping a backup stored offline on a hard drive, for example, or keeping encrypted data on a USB flash drive to be sent via a human carrier, then this can be considered relatively secure.

On buffer overflows reported by OCAP

The Open Crypto Audit Project (OCAP) has carefully examined TrueCrypt in the past. We have analyzed the report and also conducted a brief email exchange with the people behind OCAP. We examined closely a number of buffer overflows their study had revealed. Using the usage of static-analysis tools such as the KLEE virtual machine we were able to prove, though, that these buffer overflows cannot actually occur at runtime, and thus cannot possibly be exploited. It’s great to see that tools such as KLEE can nowadays cope with such practical problems – a manual analysis would have been too complicated since many complex path conditions needed to be considered.

Weak retrieval of random numbers

If you look more closely at our report you will see that we did find some weaknesses in the way TrueCrypt retrieves the random numbers it uses for encryption. With a lack of randomness, an attacker can theoretically guess your encryption key more easily. This problem only occurs in non-interactive mode, though, or when using certain access-control policies on Windows. In result, it is unlikely that this problem has actually affected users in he wild. The problem is that if volumes were created with a weak key then afterwards there is no way to tell. To be on the safe side it would therefore be advisable to re-encrypt volumes with a version of TrueCrypt in which this flaw has been fixed.

Conclusion

In conclusion, I would say that the TrueCrypt code base is probably alright for the most parts. The flaws we found were minor, and similar flaws can occur also in any other implementation of cryptographic functions. In that sense TrueCrypt seems not better or worse than its alternatives. Code quality could be improved, though, as there are some places that call for a refactoring and certainly for better documentation. But generally the software does what it was designed for.

Note that the original designers documented all along a threat model stating that TrueCrypt cannot actually properly protect data on a running system. This matches our findings. If such protection is desired, one cannot get around solutions that use smartcards or other hardware-based key storage such that the encryption key can be better kept a secret. Also such systems can be broken, but they raise the bar significantly.

We hope that folks find our report useful. Thanks to everyone who supported our study, in particular to the BSI for funding it! We hope to be able to conduct further similar analyses in the future.

Update: First press coverage

Ars Technica: TrueCrypt is safer than previously reported, detailed analysis concludes
Threatpost: German Government Audits TrueCrypt
Digital Trends: Why TrueCrypt might not be so insecure after all

ZDNet: Fraunhofer-Institut: TrueCrypt ist „nur in sehr seltenen Fällen angreifbar“
MacLife: Truecrypt-Verschlüsselungssoftware sicherer als erwartet

Update: Cloudwards has a nice article about TrueCrypt alternatives

To be presented at Black Hat Europe next week:

Smartphone applications frequently need to store data remotely. From a developer’s point of view, setting up and maintaining back-ends, however, is time-consuming and error-prone. Therefore, commercial cloud-based data storage solutions from Backend-As-A-Service (BaaS) providers such as the ones from Amazon, Google, and Facebook have become omnipresent. They provide simple APIs for common tasks such as managing database records or files. Adding a few library classes and writing three or four lines of code is sufficient to make an interaction between the cloud and the app, and, e.g., store credit card data. While this model is convenient, one might wonder whether it’s really secure in practice (spoiler: it’s not).
In this study, we will show that many BaaS solutions are completely insecure and attackers have no difficulties in breaking into the developer’s backend. We investigated about two million Android apps and the results were quite shocking. We were able to access more than 56 million sensitive user records stored in the cloud by heavily misconfigured BaaS solutions. These records contained all sorts of sensitive data processed by Android apps: medical information, credit card data, photos, voice-, audio- and video-records, money transaction records, etc. Some apps even contained credentials that gave us full control over the remote storage. Adversaries could hijack Amazon S3-Buckets which gives them the ability to modify sensitive customer databases, add malicious code to well-known websites or directly run malware on the cloud at the app developer’s expense. In order to find and verify these insecure BaaS solutions in Android applications, we developed an automatic exploit generator that extracts credentials from the app, even if they are obfuscated, and provides access to the respective BaaS backend.

Proposals for both tutorials and workshops to be co-located with ESSOS’16 are welcome and can be sent to essos [at] cs [dot] kuleuven [dot] be by October 23, 2015 (1-2 pages).

While the paper submission deadline (October 2) for ESSOS 2016 will not be extended, due to several requests, paper submissions for which no abstract has been received yet are still allowed. Authors are encouraged to submit an abstract as soon as possible, but a paper can be submitted until the paper submission deadline even if no abstract was submitted first.

Yesterday I have informed the people involved that effective January 1st I will be starting a new job as a full professor for “Softwaretechnik” at the University of Paderborn. In this position I plan to continue the research my group and I have been pursuing in the area of software security, but also want to broaden my research into the direction of the secure design of cyber-physical systems. In my new function I will be able to do so nicely, as at the same time I will be a member of the leadership team of the Fraunhofer-Group for Design-Methodologies of Mechatronic systems. In addition, I will be contributing to the collaborative research center On-the-fly Computing and the Software Innovation Campus Paderborn. I am very much looking forward to my new responsibilities and colleagues.

At the same time, I plan to continue the close collaborations with my dear colleagues at Darmstadt. I wish to thank everyone in Darmstadt who has contributed to making my past six years there as happy and successful as they were!

All join me in congratulating my Ph.D. student Kevin Falzon for receiving the Best Student Paper Award at ISC this year! His paper Dynamically Provisioning Isolation in Hierarchical Architectures describes how live migration may be used to dynamically isolate process, for instance to hinder them from forming side channels or covert channels.

ESSOS is accepting submissions of abstracts until the 25th and of research papers until October 2nd. We are happy to announce that both David Basin and Karsten Nohl will be presenting as invited speakers! Also, for the first time in the security community, ESSOS this year will offer a voluntary artifact evaluation! Read more in the full CFP below.

Continue reading →

I was just able to confirm Karsten Nohl as an invited speaker for ESSOS 2016. Thanks a lot for accepting! We hope to see you all there. The submission deadline is just about a month away.

Yesterday our center was visited by the two federal ministers Wanka (minister of education and research) and De Maiziere (minister of the interior). They spent a few hours, discussing IT-security research in Darmstadt’s – as they coined it – “security valley”, and also educated themselves through a range of exhibits we had prepared on the security of the Internet of Things, but also mobile security, encryption etc. More information is available in German here.