Bypassing Full Disk Encryption with Virtual Machine Introspection

Full Disk Encryption (FDE) is a common practice today to reduce the risk of unauthorized access to personal data in public cloud environments. Some research works demonstrated that a malicious hypervisor employing Virtual Machine Introspection (VMI) can bypass FDE and perform unwanted file operations. However, these works provide restricted OS support, enable access only to user level files and may not support complex uses cases. In this paper, we present a new approach for bypassing FDE using VM kernel functions instrumentation. Our approach is portable over different FDE solutions, supports Linux and Windows OSes and provides fast access to user and system files on the VM disk. In addition it enables with no modification existing applications on the host OS to transparently bypass FDE and operate on the VM disk.