In Windows, the cornerstone of data protection is BitLocker, a Full Volume Encryption technology designed to secure sensitive data on disk. This ensures that even if an adversary gains physical access to the device, the data remains secure and inaccessible. One of the critical aspects of any data protection feature is its ability to support recovery operations failure cases. To support BitLocker recovery, design changes were applied in the Windows Recovery Environment (WinRE). This led us to a pivotal question: did these changes introduce new attack surfaces impacting BitLocker? In this talk, we will share our journey of researching a fascinating and mysterious component: WinRE. Our exploration begins with an overview of the WinRE architecture, followed by a retrospective analysis of the attack surfaces exposed with the introduction of BitLocker. We will then discuss our methodology for effectively researching and exploiting these exposed attack surfaces. Our presentation will reveal how we identified multiple 0-day vulnerabilities and developed fully functional exploits, enabling us to bypass BitLocker and extract all protected data in several different ways. Finally, we will share the insights Microsoft gained from this research and explain our approach to hardening WinRE, which in turn strengthens BitLocker.

DEF CON 34 - DEF CON Policy Announcement - Katie Noble, Heather West
5.4K views

DEF CON 33 - DisguiseDelimit: Exploiting Synology NAS with Delimiters and Novel Tricks - Ryan Emmon
11.1K views

DEF CON 33 - Browser Extension Clickjacking: One Click and Your Credit Card Is Stolen - Marek Tóth
8.5K views

DEF CON 33 - Can't Stop the ROP: Automating Universal ASLR Bypasses - Bramwell Brizendine
3.6K views

DEF CON 33 Recon Village - Building Local Knowledge Graphs for OSINT - Donald Pellegrino
5.4K views

DEF CON 33 Recon Village - Mapping the Shadow War From Estonia to Ukraine - Evgueni Erchov
6.4K views