Security audit company Kudelski Security has published Shufflecake, a toolkit that allows you to create hidden file systems that are spread over the available free space on existing partitions and are indistinguishable from random residual data. Sections are created in such a way that without knowing the access key, it is problematic to prove their existence even when conducting a forensic analysis. The code for the utilities (shufflecake-userland) and the Linux kernel module (dm-sflc) is written in C and distributed under the GPLv3 license, which makes it impossible to include the published kernel module in the main Linux kernel due to incompatibility with the GPLv2 license under which the kernel is shipped .
The project is positioned as a more advanced solution than Truecrypt and Veracrypt for hiding sensitive data, which has native support for the Linux platform and allows you to place up to 15 hidden partitions on the device, nested inside each other to obfuscate parsing their existence. If the use of Shufflecake itself is not a secret, which can be judged, for example, by the presence of appropriate utilities in the system, then the total number of hidden partitions created cannot be determined. The created hidden partitions, at the discretion of the user, can be formatted to accommodate any file system, for example, ext4, xfs or btrfs. Each partition is treated as a separate virtual block device with its own unlock key.
To obfuscate the traces, it is proposed to use the βplausible deniabilityβ behavior model, the essence of which is that data of value is hidden as additional layers in encrypted sections with less valuable data, forming a kind of hidden hierarchy of sections. In case of pressure, the owner of the device can reveal the key to the encrypted section, but other sections (up to 15 nested levels) can be hidden in this section, and it is problematic to determine their presence and prove their existence.
Hiding is achieved by forming each partition as a set of encrypted slices placed at random positions on the storage device. Each slice is dynamically created when the partition needs additional storage space. To complicate the analysis, the slices of different sections are interleaved; Shufflecake sections are not linked to contiguous regions and slices from all sections are blended. Information about used and free slices is stored in the location map attached to each section, which is referenced by the encrypted header. The cards and header are encrypted and, without knowing the access key, are indistinguishable from random data.
The header is divided into slots, each of which defines its own section and its associated slices. The slots in the header are stacked and recursively linked - the current slot contains the key to decrypt the settings of the previous section in the hierarchy (less hidden), allowing a single password to be used to decrypt all less hidden sections associated with the selected section. Each less hidden section treats slices of nested sections as free.
By default, all nested Shufflecake sections have the same visible size as the top-level section. For example, if three partitions are used on a 1 GB device, each of them will be visible to the system as a 1 GB partition and the total available disk space will be shared across all partitions - if the amount of saved data in total exceeds the actual size of the device, it will start generate an I/O error.
Non-open nested sections do not participate in the allocation of space, i.e. attempting to populate a top-level section will overwrite data in nested sections, but will not reveal their presence through analysis of the size of the data that can be placed in the section before an error is generated (it is assumed that the upper sections contain immutable data for distraction and never separately are not used, and regular work is always carried out with the most recent nested section, the scheme itself implies that it is more important to keep the secret of the existence of data than to lose this data).
In fact, 15 Shufflecake sections are always created - the user's password is tied to the used sections, and the unused sections are supplied with a randomly generated password (it is impossible to understand how many sections are actually used). When Shufflecake partitions are initialized, the disk, partition, or virtual block device allocated for their placement is filled with random data, which makes it impossible to identify Shufflecake's metadata and data against the general background.
The Shufflecake implementation has a fairly high performance, but due to the presence of overhead costs, it is about two times behind in throughput compared to disk encryption based on the LUKS subsystem. The use of Shufflecake also leads to additional costs of RAM and space for storing service data on the disk. The memory cost is estimated at 60 MB per partition, and disk space is estimated at 1% of the total size. For comparison, the WORAM technique, similar in purpose, leads to a slowdown from 5 to 200 times with a 75% loss of useful disk space.
The toolkit and kernel module have only been tested on Debian and Ubuntu with 5.13 and 5.15 kernels (Ubuntu 22.04 is supported). It is noted that the project should still be considered as a working prototype, which should not be used to store important data. In the future, we plan to make additional optimizations for performance, reliability and security, as well as provide the ability to boot from Shufflecake partitions.
Source: opennet.ru