FlashGuard: Leveraing Intrinsic Flash Properties to Defend...

FlashGuard: Leveraging Intrinsic Flash Properties

to Defend Against Encryption Ransomware

Jian Huang † ‡

Jun Xu Xinyu Xing Peng Liu Moinuddin K. Qureshi †

† ‡

Encryption Ransomware Is Becoming More Aggressive

2

May 12, 2017

Encryption Ransomware Is Becoming More Aggressive

2

May 12, 2017230,000+ computers

150+ countries

$300-$600 per ransom

What Is Encryption Ransomware?

3

Destroy

original filesEncrypt files

Ask for payments

to decrypt files


3


3

A ransom notification:

users files have been

encrypted


3



encrypted

Pay ransom to recover

user files


3



encrypted

Pay ransom to recover

user filesMore ransom

required if the

payment is delayed

Characteristics of Encryption Ransomware

4

Family #Samples Attack Time (minutes) Backup Spoliation

Petya 14 2

CTB-Locker 119 14

Jigsaw 5 16

Mobef 7 16

Maktub 10 22

Stampado 42 27

Cerber 29 37

Locky 344 43

7ev3n 16 44

TeslaCrypt 75 44

HydraCrypt 13 70

CryptoFortree 4 75

CrytoWall 799 75

Total 1477


4


Petya 14 2

CTB-Locker 119 14

Jigsaw 5 16

Mobef 7 16

Maktub 10 22

Stampado 42 27

Cerber 29 37

Locky 344 43

7ev3n 16 44

TeslaCrypt 75 44

HydraCrypt 13 70

CryptoFortree 4 75

CrytoWall 799 75

Total 1477

How long does it take for

ransomware to finish the attack?


4


Petya 14 2

CTB-Locker 119 14

Jigsaw 5 16

Mobef 7 16

Maktub 10 22

Stampado 42 27

Cerber 29 37

Locky 344 43

7ev3n 16 44

TeslaCrypt 75 44

HydraCrypt 13 70

CryptoFortree 4 75

CrytoWall 799 75

Total 1477

Ask for ransom quickly


4


Petya 14 2

CTB-Locker 119 14

Jigsaw 5 16

Mobef 7 16

Maktub 10 22

Stampado 42 27

Cerber 29 37

Locky 344 43

7ev3n 16 44

TeslaCrypt 75 44

HydraCrypt 13 70

CryptoFortree 4 75

CrytoWall 799 75

Total 1477


4


Petya 14 2

CTB-Locker 119 14

Jigsaw 5 16

Mobef 7 16

Maktub 10 22

Stampado 42 27

Cerber 29 37

Locky 344 43

7ev3n 16 44

TeslaCrypt 75 44

HydraCrypt 13 70

CryptoFortree 4 75

CrytoWall 799 75

Total 1477

Many ransomware attempt

to delete backup files

(and bypass User Access Control)

Why Existing Solutions Are Not Good Enough?

5

Malware detection


5

Malware detection

Damage has already happened when ransomware is detected


5

Malware detectionJournaling &

log-structured FS


5


log-structured FS

Ransomware with kernel privilege can destroy data backups


5


log-structured FSNetworked &

Cloud Storage


5


log-structured FSNetworked &

Cloud Storage

Increased storage cost & can be stopped by ransomware

Threat Model of Encryption Ransomware

6

Block Driver

Application

kernel

userspace

read/write

Block I/O Interface

Flash Translation Layer

NAND Flash

Disk


6

Block Driver

Application

kernel

userspace

read/write

Block I/O Interface


NAND Flash

Disk

Our Goal: defend against encryption ransomware

without relying on software-based solutions &

without explicit data backups


6

Block Driver

Application

kernel

userspace

read/write

Block I/O Interface


NAND Flash

Disk

Hard Disk Drive Flash-based SSD

Flash Performs Better Than Hard Disk Drive

7

No Seek

Latency

40x lower latency


7

No Seek

Latency

40x lower latency

Increased

Parallelism

Dozens of

parallel chips


7

No Seek

Latency

40x lower latency

Increased

Parallelism

Dozens of

parallel chips

Became

Commodity

Less than $0.2/GB


7

No Seek

Latency

40x lower latency

Increased

Parallelism

Dozens of

parallel chips

Became

Commodity

Less than $0.2/GB

Significant improvements on Flash

How Flash Is Used Today?

8

Application

Flash-based Disk

File System


8

Application

File System


Flash


8

Application

File System


Flash

Out-of-Place Update

A


8

Application

File System


Flash

Out-of-Place Update

Write

A


8

Application

File System


Flash

Out-of-Place Update

AA

Write

B


8

Application

File System


Flash

Out-of-Place Update

AA

Write

B

Garbage

Collection


9

Block Driver

Application

kernel

userspace

read/write

Block I/O Interface


Flash

Flash-based SSD


9

Block Driver

Application

kernel

userspace

read/write

Block I/O Interface


Flash

A

Retaining Data in SSDs without Hardware Modification

10

Overwrite a block

Overwrite on SSD

Overwrite

B

A


10

Overwrite a block

Overwrite on SSD

Overwrite A

B

A


10

Overwrite a block

Overwrite on SSD

Overwrite A A

Overwrite on HDD

B

A


10

Overwrite a block

Overwrite on SSD

Overwrite A A

Overwrite on HDD

B Overwrite

B

A


10

Overwrite a block

Overwrite on SSD

Overwrite A A

Overwrite on HDD

B Overwrite

Retaining all the invalid pages

(stale data) is expensive

B

A


10

Overwrite a block

Overwrite on SSD

Overwrite A A

Overwrite on HDD

B Overwrite

Retaining all the invalid pages

(stale data) is expensive

Only retain the invalid pages caused by encryption ransomware

FlashGuard: A Ransomware-Aware SSD

11

File Read Encrypt Overwrite

File Read Encrypt Write new files Delete/Overwrite


11



Read Overwrite

Read Overwrite


11



Read Overwrite

Read Overwrite

FlashGuard only retains invalid pages that have been read

for a certain period of time


11

0%

20%

40%

60%

80%

100%

Rat

io o

f diffe

rent

IO o

pera

tions

Read Write Read-Overwrite

University computers (20 days) Enterprise servers (6-10 days)


11

0%

20%

40%

60%

80%

100%

Rat

io o

f diffe

rent

IO o

pera

tions

Read Write Read-Overwrite

University computers (20 days) Enterprise servers (6-10 days)

The data size is

relatively small (a few GBs)

Tracking Invalid Data with Out-of-Band Metadata

12

Data OOB Metadata

Flash Block

Flash Page

LPA RIPTimestampP-PPA

4 Bytes 1 bit4 Bytes 4 Bytes

The logical page address

mapped to the physical page


12

Data OOB Metadata

Flash Block

Flash Page



Previous physical page address

for tracking all invalid pages


12

Data OOB Metadata

Flash Block

Flash Page



Check how long the page has

been retained


12

Data OOB Metadata

Flash Block

Flash Page



Identify whether this page

is a retained invalid page

Ransomware-Award Garbage Collection in FlashGuard

13

Block A Block B Block C

valid page invalid page retained invalid page

select flash lock (greedy algorithm)


13




Block C


13




Block A


13




copy valid and retained invalid pages to a new block

Block A


13




copy valid and retained invalid pages to a new block

erase old flash block

Block A

Data Recovery in FlashGuard

14

Data OOB Metadata

Flash Block

Flash Page




14

Data OOB Metadata

Flash Block

Flash Page



Leveraging OOB metadata to retrieve index information for recovery


14

Data Recovery


14

Data Recovery

Checking flash block one by one is slow

Building the logical connections among

retained invalid pages is challenging


14

Data Recovery

Building the logical connections among

retained invalid pages is challenging

Chip

…

Chip

…

Chip

…

Leveraging internal parallelism of SSDs


14

Data Recovery

Chip

…

Chip

…

Chip

…

Leveraging internal parallelism of SSDs

Leveraging previous-PPA stored in OOB metadata

data P-PPA

data P-PPA

data P-PPA

FlashGuardExperimental Setup

15

1 TB

64 pages/block

4 KB/page

over-provisioning ratio: 15%

Programmable SSD


15

1 TB

64 pages/block

4 KB/page


Programmable SSD

Ransomware Samples1,477 ransomware samples (VirusTotal)


15

1 TB

64 pages/block

4 KB/page


Storage WorkloadsEnterprise servers (11 workloads)

University machines (6 workloads)

Storage benchmarks: IOZone/Postmark

Database workloads (TPCC/TPCE)

Programmable SSD

Ransomware Samples1,477 ransomware samples (VirusTotal)

Recovery Time of Ransomware Samples

16

0

1

2

3

4

5

Vic

tim

Dat

a Si

ze (

GB

)

Victim Data Size

Recovery Time of Ransomware Samples

16

0

1

2

3

4

5

Vic

tim

Dat

a Si

ze (

GB

)

Victim Data Size

0

10

20

30

40

50

60

Reco

very

Tim

e (

secs

)

Recovery Time

Impact on Regular Storage Operations

17

0

200

400

600

800

1000

1200

1400

Lat

ency

(m

icro

seco

nds)

Unmodifed SSD FlashGuard

FlashGuard decreases the storage performance by 6% for

I/O-intensive workloads

1

10

100

1000

10000

100000

Lat

ency

(m

icro

seco

nds)

Impact on SSD Lifetime

18

0

0.2

0.4

0.6

0.8

1

1.2

Norm

aliz

ed

Wri

te A

mplif

icat

ion F

acto

r

Unmodifed SSD FlashGuard

FlashGuard increases the WAF by 4%

due to the additional page movements in GC

Potential Attacks and Future Work

19

GC Attack


19

GC Attack Timing Attack


19

GC Attack Timing Attack Secure Deletion

FlashGuardSummary

20

Hardware-assisted Defense Against Encryption Ransomware

Negligible Impact on

SSD performance & lifetime

21

Thanks!

Jian Huang† ‡

[email protected]

Jun Xu Xinyu Xing Peng Liu Moinuddin K. Qureshi †

†

Q&A

‡

mailto:[email protected]

FlashGuard: Leveraing Intrinsic Flash Properties to Defend...

Documents

Transcript of FlashGuard: Leveraing Intrinsic Flash Properties to Defend...