Slide 1
Presented by Lara Lazier
ACM SIGSAC Conference on Computer and Communications Security 2017
Slide 2: Idea
A firmware solution, FlashGuard:
- Defends data stored on SSD from encryption ransomware
- Leverages intrinsic flash properties
- Works also when ransomware has kernel privileges
Slide 3: What is ransomware?
- Files are encrypted
- Files are deleted
- A ransom is asked for the key to decrypt the files
Slide 4 (figure only, no text)
Slide 5
From 2014 the number of ransomware samples in circulation increased significantly.
Ransomware remains the key malware threat in both law enforcement and industry reporting. The WannaCry attacks in mid-2017 affected more than 200 000 victims in 150 countries, with losses over USD 4 billion.
Slide 6: Ransomware Countermeasures
Ransomware detection programs:
- Dynamic analysis that detects ransomware footprints by tracking how the ransomware interacts with user data
- Does not provide a proper cure for the damage that has already been caused
- The detection program can be stopped by ransomware with kernel privileges
Slide 7: Ransomware Countermeasures
Backup:
- New files might not yet be saved and are therefore lost
- Ransomware with kernel privileges can stop or delete backups
- Already affected data might be backed up (Maersk)
Both mechanisms do not work when the ransomware obtains kernel privileges.
Slide 8: SSD Layout
(Figure: the Flash Translation Layer sits above the NAND flash; the NAND flash consists of chips, each chip of blocks, each block of pages)
- The Flash Translation Layer can only write to free pages
- Erase operations can only be performed at block granularity
Slide 9: Out-of-place update
(Figure: the host writes pages A and B through the Flash Translation Layer of the hardware device into NAND flash; an updated B is written to a new free page, and stale pages are reclaimed later by garbage collection)
Slide 10: Which data should be retained?
(Figure: the host reads from A and then writes A' to A; the Flash Translation Layer keeps a Page Validity Table (PBA, validity bitmap) and, as the table added by FlashGuard, a Read Tracker Table (PBA, read bitmap))
FlashGuard only retains pages that have been read and then invalidated.
Slide 11: Garbage Collection
(Figure: blocks A, B and C; legend: valid page, invalid page, retained invalid page (RIP), free page)
1. Select a flash block
2. Move the valid pages and the RIPs to a new block
3. Delete the old block
Slide 12: Ransomware Study
Ransomware encrypts files fast to minimize the possibility of getting caught and to collect the ransom quickly.
Slide 13: Recovery Model
After a threshold (20 days) the retained invalid pages are invalidated and can then be collected by the garbage collector. FlashGuard retains all the versions of a file, even if it is read and overwritten multiple times, and is able to restore all these versions.
(Figure: host, Flash Translation Layer and NAND flash; a block holds pages, each page consisting of data and metadata)
- When ransomware is detected, the SSD has to be inserted in a clean host; FlashGuard can then start the recovery.
- By using the metadata (timestamp, RIP flag, LPA, ...) the data can easily be restored.
- Any existing data recovery tool can be used.
Slide 14: Evaluation & Key Results
Slide 15: Evaluation
- Implemented on a real SSD
- 1477 ransomware samples tested
- Real-world workloads (from Florida International University and Microsoft servers) and some I/O-intensive benchmarks
Slide 16: Key Results
Impact on storage performance:
- For most of the workloads, latency and throughput are almost the same.
- For I/O-intensive workloads, FlashGuard increases average latency by up to 6.1% and the throughput drops by 0.6%.
Impact on SSD lifetime:
- The impact on SSD lifetime is negligible.
- Write amplification (WAF) increases by up to 4% (a reduction of ca. 2 weeks of lifetime) in the Microsoft/FIU workloads because of the additional page movement.
Slide 17: Results: Efficiency on Data Recovery
(Table with columns victim, data size and recovery time; the values were not recovered from the slide)
When scanning the entire flash device, recovery takes 707.7 seconds.
Slide 18: Summary
The number of ransomware samples is increasing and the available solutions do not guarantee reliable recovery of data. The goal is to find a mechanism to reliably recover all data encrypted by ransomware.
A firmware solution, FlashGuard:
- Defends data stored on SSD from encryption ransomware
- Leverages intrinsic flash properties
- Works also when ransomware has kernel privileges
Slide 19: Strengths, weaknesses & key take-aways
Slide 20: Strengths
- No false negatives: FlashGuard is able to recover all encrypted data from the major families of ransomware
- It is resistant to ransomware with kernel privileges, because it is isolated from the host
- Little to no overhead in storage operations and SSD lifetime
- Takes advantage of the intrinsic flash properties
- Intuitive and easy to understand
Slide 21: Weaknesses
- High false positive rate
- The design contradicts secure deletion
- Only in flash memory
- Some explanations are very superficial
- Manual investigation for recovery
- 5718 lines of code
Slide 22: Key Take-aways
- FlashGuard is the first firmware-level defense system against encryption ransomware
- It can efficiently reinstate the damaged files
- FlashGuard is naturally resistant to ransomware with kernel privileges
- Negligible performance overhead (up to 6%)
- Trivial impact (less than 4%) on SSD lifetime
Slide 23: Follow-up works
- "SSD-Insider: Internal Defense of Solid-State Drive against Ransomware with Perfect Data Recovery", SungHa Baek, Youngdon Jung, Aziz Mohaisen, Sungjin Lee, DaeHun Nyang
- "RansomBlocker: a Low-Overhead Ransomware-Proof SSD", Jisung Park, Youngdon Jung, Jonghoon Won, Minji Kang, Sungjin Lee, Jihong Kim
- "Amoeba: An Autonomous Backup and Recovery SSD for Ransomware Attack Defense", Donghyun Min, Donggyu Park, Jinwoo Ahn, Ryan Walker, Junghee Lee, Sungyong Park, Youngjae Kim
- "MimosaFTL: Adding Secure and Practical Ransomware Defense Strategy to Flash Translation Layer", Peiying Wang, Shijie Jia, Bo Chen, Luning Xia, Peng Liu
Slide 24: Questions?
Slide 25: Discussion Starter
- Can you think of a way to trick FlashGuard?
- Do you have any idea how one could decrease the number of false positives?
- Would you buy an SSD with FlashGuard?
- What could be done for secure deletion?
- For what else could out-of-place update be used?
- What are your main take-aways?
Slide 26: Backup Slides
Slide 27: Average Latency (figure only)
Slide 28: Average Throughput (figure only)
Slide 29: Normalized Wear Balance (figure only)
Slide 30: I/O Pattern (figure only)
Slide 31: Ransom-Aware FTL
(Figure: the RAM in the firmware holds the Address Mapping (LRU cache, LPA to PPA), the Global Mapping Directory (GMD, VPA to PPA), the Blocks Validity Table (BVT, PBA counter), the Cached Page Validity Table (PVT, PBA validity bitmap) and, as the table added for the ransom-aware FTL (RFTL), the Cached Read Tracker Table (RTT, PBA read bitmap); the flash holds data blocks, translation blocks, validity blocks and read tracker blocks)
Slide 32: Tracking Invalid Data
Each physical page in a physical block consists of the data and out-of-band (OOB) metadata:
  OOB field                                   Size
  LPA (logical page address)                  4 bytes
  P-PPA (previous physical page address)      4 bytes
  Timestamp                                   4 bytes
  RIP (retained invalid page)                 1 bit
Slide 33: Data Recovery
(Figure: blocks A, B and C; each page stores data and a P-PPA, and the P-PPAs chain the pages of one file across blocks)
- Use the OOB metadata to retrieve the index information for recovery
- Use the internal parallelism of the SSD
- Use the P-PPA stored in the OOB to build the logical connections among the retained invalid pages
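To make the retention rule of slide 10, the garbage collection steps of slide 11, the OOB metadata of slide 32 and the P-PPA-based recovery of slide 33 concrete, here is a small Python simulation of a FlashGuard-style FTL. It is example code written for this page, not the paper's firmware; the day-based timestamp, the retention threshold measured from a page's write time, and the fixed block layout over an ever-growing PPA space are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass
class Page:                 # one physical page plus its OOB metadata (slide 32)
    lpa: int
    data: bytes
    p_ppa: "int | None"     # previous physical page address of this LPA
    ts: int                 # write timestamp, modelled here as a day number
    read: bool = False      # read-tracker bit (slide 10)
    rip: bool = False       # retained invalid page (read, then overwritten)

class FlashGuardFTL:
    def __init__(self, pages_per_block=4, threshold_days=20):
        self.ppb, self.threshold = pages_per_block, threshold_days
        self.flash = {}     # PPA -> Page; PPAs only grow (out-of-place update)
        self.l2p = {}       # LPA -> PPA of the live version; others are invalid
        self.next_ppa = 0

    def read(self, lpa):
        self.flash[self.l2p[lpa]].read = True
        return self.flash[self.l2p[lpa]].data

    def write(self, lpa, data, day):
        old = self.l2p.get(lpa)
        if old is not None:     # old version becomes invalid; FlashGuard keeps
            self.flash[old].rip = self.flash[old].read   # it only if it was read
        self.flash[self.next_ppa] = Page(lpa, data, old, day)
        self.l2p[lpa] = self.next_ppa
        self.next_ppa += 1

    def gc_block(self, block, day):  # 1. select block 2. move valid+RIP 3. erase
        ppas, moved = [a for a in self.flash if a // self.ppb == block], {}
        for a in ppas:
            p = self.flash.pop(a)
            p.rip = p.rip and day - p.ts <= self.threshold   # expire old RIPs
            if self.l2p.get(p.lpa) == a or p.rip:
                moved[a] = self.next_ppa
                self.flash[self.next_ppa] = p
                self.next_ppa += 1
        self.l2p = {l: moved.get(a, a) for l, a in self.l2p.items()}
        for p in self.flash.values():   # repair P-PPA links into the erased block
            if p.p_ppa in ppas:
                p.p_ppa = moved.get(p.p_ppa)   # None if that version was erased

    def recover(self, lpa):  # walk the P-PPA chain back through retained versions
        versions, a = [], self.l2p[lpa]
        while a is not None:
            versions.append((self.flash[a].ts, self.flash[a].data))
            a = self.flash[a].p_ppa
        return versions      # newest first
```

A file that is read and then overwritten with ciphertext survives garbage collection as a RIP and is found again by `recover`, while a file that was overwritten without being read first is not retained; after the 20-day threshold the retained version is released to the garbage collector.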