BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.troopers.de//tr26-cfp//talk//CLLDDN
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-tr26-cfp-CLLDDN@cfp.troopers.de
DTSTART;TZID=CET:20260624T120000
DTEND;TZID=CET:20260624T130000
DESCRIPTION:The Windows Recovery Environment (WinRE) is a foundational comp
 onent of the Windows stack\, embedded in over a billion devices worldwide.
  It plays a critical role in recovering systems from various types of seve
 re failures.\n\nA fundamental requirement for any recovery operation is id
 entifying its associated disk volume. To meet this requirement\, volume lo
 okup functionalities are implemented separately in both the WinRE boot pha
 se and the WinRE runtime phase. Historically\, maintaining two separate me
 chanisms for retrieving the same information has proven fragile and error 
 prone. This raises a critical question: what happens when these lookup mec
 hanisms fall out of sync?\n\nIn this talk\, we introduce a new and novel a
 ttack class on WinRE. Our exploration begins with an analysis of the vario
 us volume lookup logics and the inconsistencies between them. We then reve
 al 4 unique vulnerabilities that confuse WinRE to mistakenly recover an at
 tacker-controlled volume instead of the intended associated volume. Buildi
 ng on these confusion primitives\, we present 2 exploitation techniques th
 at escalate the impact to a full BitLocker bypass\, allowing extraction of
  all BitLocker-protected secrets in several different ways.\n\nTo conclude
  the presentation\, we will share how we collaborated with the engineering
  teams to develop a comprehensive\, end-to-end mitigation that addresses t
 he entire attack class.\nThis talk offers valuable insights into the inter
 section of BitLocker\, Windows Boot\, and Windows Recovery\, highlighting 
 how combining knowledge across these domains leads to impactful results.
DTSTAMP:20260510T030725Z
LOCATION:Track 1
SUMMARY:Confused Recovery: A New Attack Class on Windows Recovery - Alon Le
 viev
URL:https://cfp.troopers.de/tr26-cfp/talk/CLLDDN/
END:VEVENT
END:VCALENDAR