Presented by Lara Lazier - PowerPoint Presentation

Uploaded On 2022-08-04

Presentation Transcript

Slide1

Presented by Lara Lazier

ACM SIGSAC Conference on Computer and Communications Security 2017


Slide2

Idea

A firmware solution, FlashGuard:

- Defends data stored on SSD from encryption ransomware
- Leverages intrinsic flash properties
- Works also when ransomware has kernel privileges

Slide3

What is Ransomware?

- Files are encrypted
- Files are deleted
- Ransom is asked for the key to decrypt files

Slide4

(figure only, no text in the transcript)

Slide5

From 2014 the number of ransomware in circulation increases significantly.

Ransomware remains the key malware threat in both law enforcement and industry reporting. WannaCry attacks in mid-2017 affected more than 200 000 victims in 150 countries, with losses over USD 4 billion.

Slide6

Ransomware Countermeasures

Ransomware Detection Programs:

- Dynamic analysis that detects ransomware footprints by tracking how ransomware interacts with user data
- Does not provide a proper cure for the damage that has already been caused
- Program can be stopped by ransomware with kernel privileges

Slide7

Ransomware Countermeasures

Backup:

- New files might not yet be saved and therefore lost
- Ransomware with kernel privileges can stop or delete backups
- Already affected data might be backed up (Maersk)

Both mechanisms do not work when ransomware obtains kernel privileges.

Slide8

SSD Layout

(figure: Flash Translation Layer above the NAND Flash; the NAND Flash consists of chips, each chip of blocks, each block of pages)

- The Flash Translation Layer can only write to free pages
- Erase operation can only be performed on block granularity

Slide9

Out-of-place update

(figure: HOST writes B to logical address A; the Flash Translation Layer places B in a free page of the NAND Flash on the hardware device and leaves the old page of A for garbage collection)

Slide10

Which data should be retained?

(figure: HOST reads from A and then writes A' to A; the Flash Translation Layer keeps a Page Validity Table (PBA, validity bitmap) and, added by FlashGuard, a Read Tracker Table (PBA, read bitmap); the NAND Flash on the hardware device holds pages A, A' and B)

FlashGuard only retains pages that have been read and then invalidated.

Slide11

Garbage Collection

(figure: Blocks A, B, C; legend: Valid Page, Invalid Page, Retained Invalid Page (RIP), Free Page)

1. Select flash block
2. Move valid and RIP pages to a new block
3. Delete old block
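To make the retention rule of slide 10 and the three garbage-collection steps above concrete, here is a toy flash translation layer in Python. It is an added illustration, not code from the paper or its firmware; the page counts, the class and the method names are assumed.

```python
# Toy FTL: out-of-place writes, read tracking, and FlashGuard's rule that only
# pages read before invalidation are retained (sizes and names are assumed).
PAGES_PER_BLOCK = 4
NUM_BLOCKS = 3

class Page:
    def __init__(self, data=None, valid=False):
        self.data = data      # None: free (erased) page
        self.valid = valid    # Page Validity Table bit
        self.read = False     # Read Tracker Table bit, the table FlashGuard adds
        self.rip = False      # retained invalid page (RIP)

class FlashGuardFTL:
    def __init__(self):
        self.flash = [Page() for _ in range(PAGES_PER_BLOCK * NUM_BLOCKS)]
        self.l2p = {}         # logical page address -> physical page address

    def _alloc(self, avoid_block=None):
        # The FTL can only program free pages; in-place overwrite is impossible.
        for ppa, pg in enumerate(self.flash):
            if pg.data is None and ppa // PAGES_PER_BLOCK != avoid_block:
                return ppa
        raise RuntimeError("no free page: garbage collection needed")

    def read(self, lpa):
        pg = self.flash[self.l2p[lpa]]
        pg.read = True        # remembered so that a later overwrite keeps this page
        return pg.data

    def write(self, lpa, data):
        if lpa in self.l2p:   # out-of-place update: invalidate, never overwrite
            old = self.flash[self.l2p[lpa]]
            old.valid = False
            old.rip = old.read  # retain only pages read before being invalidated
        ppa = self._alloc()
        self.flash[ppa] = Page(data, valid=True)
        self.l2p[lpa] = ppa

    def garbage_collect(self, block):
        # 1. select block  2. move valid and RIP pages to another block  3. erase it
        lo = block * PAGES_PER_BLOCK
        movers = [(ppa, self.flash[ppa]) for ppa in range(lo, lo + PAGES_PER_BLOCK)
                  if self.flash[ppa].valid or self.flash[ppa].rip]
        for ppa in range(lo, lo + PAGES_PER_BLOCK):
            self.flash[ppa] = Page()
        for old_ppa, pg in movers:
            new_ppa = self._alloc(avoid_block=block)
            self.flash[new_ppa] = pg
            if pg.valid:      # keep the logical mapping pointing at the moved page
                self.l2p[next(l for l, p in self.l2p.items() if p == old_ppa)] = new_ppa
        return len(movers)
```

A read-then-overwrite sequence (the ransomware pattern) leaves a RIP behind, while an overwrite of a page that was never read leaves ordinary garbage that the collector discards.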

Slide12

Ransomware Study

Ransomware encrypts files fast to minimize the possibility of getting caught and to collect the ransom quickly.

Slide13

Recovery Model

After a threshold (20 days) the retained invalid pages are invalidated and can then be collected by the garbage collector. FlashGuard retains all the versions of a file, even if read and overwritten multiple times, and is able to restore all these versions.

(figure: HOST, Flash Translation Layer, NAND Flash; each block holds pages, each page holds Data and Metadata)

When ransomware is detected the SSD has to be inserted in a clean host and then FlashGuard can start with the recovery.

By using the metadata (Timestamp, RIP flag, LPA…) we can easily restore the data.

Any existing data recovery tool can be used.

Slide14

Evaluation & Key Results

Slide15

Evaluation

- Implemented on a real SSD
- 1477 ransomware samples tested
- Real-world workloads (from Florida International University and Microsoft servers) and some I/O-intensive benchmarks

Slide16

Key Results

Impact on Storage Performance:

- For most of the workloads latency and throughput is almost the same.
- For I/O-intensive workloads, FlashGuard increases average latency up to 6.1% and the throughput drops by 0.6%.

Impact on SSD Lifetime:

- Impact on SSD lifetime is negligible.
- Write Amplification (WAF) increases up to 4% (reduction of ca. 2 weeks of lifetime) in Microsoft/FIU workloads because of additional page movement.

Slide17

Results

Efficiency on Data Recovery

(table: Victim, Data Size, Recovery Time; the values are not in the transcript)

When scanning the entire flash device, recovery takes 707.7 seconds.

Slide18

Summary

The number of ransomware is increasing and the solutions available do not guarantee reliable recovery of data. The goal is to find a mechanism to reliably recover all data encrypted by ransomware.

A firmware solution, FlashGuard:

- Defends data stored on SSD from encryption ransomware
- Leverages intrinsic flash properties
- Works also when ransomware has kernel privileges

Slide19

Strengths, weaknesses & key take-aways

Slide20

Strengths

- No false negatives: FlashGuard is able to recover all encrypted data from major families of ransomware
- It is resistant to ransomware with kernel privilege, because it is isolated from the host
- Little to no overhead in storage operations and SSD lifetime
- Takes advantage of the intrinsic flash properties
- Intuitive and easy to understand

Slide21

Weaknesses

- High false positive rate
- Design contradicts secure deletion
- Only in flash memory
- Some explanations are very superficial
- Manual investigation for recovery
- 5718 lines of code

Slide22

Key Take-aways

- FlashGuard is the first firmware-level defense system against encryption ransomware
- It can efficiently reinstate the damaged files
- FlashGuard is naturally resistant to ransomware with kernel privileges
- Negligible performance overhead (up to 6%)
- Trivial impact (less than 4%) on SSD lifetime

Slide23

Follow-up works

- "SSD-Insider: Internal Defense of Solid-State Drive against Ransomware with Perfect Data Recovery", SungHa Baek, Youngdon Jung, Aziz Mohaisen, Sungjin Lee, DaeHun Nyang
- "RansomBlocker: a Low-Overhead Ransomware-Proof SSD", Jisung Park, Youngdon Jung, Jonghoon Won, Minji Kang, Sungjin Lee, Jihong Kim
- "Amoeba: An Autonomous Backup and Recovery SSD for Ransomware Attack Defense", Donghyun Min, Donggyu Park, Jinwoo Ahn, Ryan Walker, Junghee Lee, Sungyong Park, Youngjae Kim
- "MimosaFTL: Adding Secure and Practical Ransomware Defense Strategy to Flash Translation Layer", Peiying Wang, Shijie Jia, Bo Chen, Luning Xia, Peng Liu

Slide24

Questions?

Slide25

Discussion Starter

- Can you think of a way to trick FlashGuard?
- Do you have any idea how one could decrease the number of false positives?
- Would you buy an SSD with FlashGuard?
- What could be done for secure deletion?
- What else could out-of-place update be used for?
- What are your main take-aways?

Slide26

Backup Slides

Slide27

Average Latency

Slide28

Average Throughput

Slide29

Normalized Wear Balance

Slide30

I/O Pattern

Slide31

Ransom-Aware FTL

(figure: the tables of the ransom-aware FTL, split between RAM in the firmware and the flash)

RAM in firmware:

- Address Mapping (LRU Cache): LPA -> PPA
- Global Mapping Directory (GMD): VPA -> PPA
- Blocks Validity Table (BVT): PBA -> Counter
- Cached Page Validity Table (PVT): PBA -> Validity Bitmap
- Cached Read Tracker Table (RTT): PBA -> Read Bitmap (the table added for the RFTL)

Flash: Data Blocks, Translation Blocks, Validity Blocks, Read Tracker Blocks

Slide32

Tracking Invalid Data

(figure: a physical block of physical pages; each page holds Data plus Out-of-band (OOB) Metadata)

OOB metadata per physical page:

- LPA (Logical Page Address): 4 bytes
- P-PPA (previous physical page address): 4 bytes
- Timestamp: 4 bytes
- RIP (retained invalid page): 1 bit

Slide33

Data Recovery

(figure: Blocks A, B, C; each page holds Data and a P-PPA link to the previous page)

- Using OOB metadata to retrieve index information for recovery
- Use internal parallelism of SSD
- Use P-PPA stored in OOB to build logical connections among retained invalid pages
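The following Python is an added example, not the paper's firmware: it packs the OOB metadata layout of slide 32, follows P-PPA links as on slide 33 to rebuild a file's versions, and drops pages older than the 20-day threshold of slide 13. The NO_PREV sentinel, the (data, oob) flash-image layout and the sample pages are assumptions.

```python
# Added example, not the paper's firmware: pack the per-page out-of-band (OOB)
# metadata from slide 32 and walk P-PPA links, as on slide 33, to rebuild a
# file's version chain, dropping pages older than the 20-day threshold (slide 13).
import struct

OOB = struct.Struct("<IIIB")    # LPA, P-PPA, timestamp: 4 bytes each; RIP flag in the low bit
NO_PREV = 0xFFFFFFFF            # assumed sentinel: this page has no previous version
DAY = 24 * 3600
RETENTION = 20 * DAY            # retained pages older than this are released to GC

def pack_oob(lpa, p_ppa, timestamp, rip):
    return OOB.pack(lpa, p_ppa, timestamp, 1 if rip else 0)

def unpack_oob(raw):
    lpa, p_ppa, timestamp, flags = OOB.unpack(raw)
    return {"lpa": lpa, "p_ppa": p_ppa, "ts": timestamp, "rip": bool(flags & 1)}

def scan_device(flash, now):
    """Scan the OOB area of every programmed page; skip pages past the threshold."""
    index = {}
    for ppa, entry in enumerate(flash):
        if entry is None:                       # free page, nothing to index
            continue
        meta = unpack_oob(entry[1])
        if now - meta["ts"] <= RETENTION:
            index[ppa] = meta
    return index

def recover_versions(flash, lpa, now):
    """Return every recoverable version of `lpa`, oldest first, by following P-PPA."""
    index = scan_device(flash, now)
    mine = [ppa for ppa, m in index.items() if m["lpa"] == lpa]
    if not mine:
        return []
    ppa, seen, chain = max(mine, key=lambda p: index[p]["ts"]), set(), []
    while ppa in index and ppa not in seen:     # NO_PREV or an expired page ends the walk
        seen.add(ppa)
        chain.append(flash[ppa][0])
        ppa = index[ppa]["p_ppa"]
    return chain[::-1]

def sample_flash(now):
    """Constructed flash image: (data, oob) per physical page, None for a free page."""
    return [
        (b"report v1", pack_oob(7, NO_PREV, now - 30 * DAY, rip=True)),  # past threshold
        (b"report v2", pack_oob(7, 0, now - 2 * DAY, rip=True)),         # read, then overwritten
        (b"notes", pack_oob(9, NO_PREV, now - DAY, rip=False)),
        (b"ENCRYPTED", pack_oob(7, 1, now - 3600, rip=False)),           # ransomware's rewrite
        None,
    ]
```

The last element of the returned chain is the ransomware's own write; the element before it is the version to restore.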