SGX-SSD: A Policy-based Versioning SSD with Intel SGX
Jinwoo Ahn, Seungjin Lee, Jinhoon Lee, Yungwoo Ko, Donghyun Min, Junghee Lee, Youngjae Kim
Sogang University, Republic of Korea, Korea University, Republic of
Motivation: Malware’s Data Tampering Attack
Problem: Ring-0 level rootkit malware's data tampering attack
§ It escalates its privilege on the victim and compromises the software-based backup system.
§ It finds and destroys the victim's local or remote backup data.
[Figure: Victim Server (OS Kernel, Backup System, Ransomware), Local Backup, Remote Backup, Ethernet]
Motivation: Malware’s Data Tampering Attack
Existing Solution: Versioning SSD [BVSSD, Systor 12], [Project Almanac, Eurosys 19]
§ Versioning SSD implements the versioning system in SSD firmware.
§ SSD firmware is isolated from the host server.
§ Even if the OS is compromised, it is impossible to destroy backup data.
[Figure: Victim Server (OS Kernel, Backup System, Ransomware) and Versioning System (BVSSD / Project Almanac)]
Backup data is safe from malware!
Motivation: Integrity vulnerability of Versioning SSD
Versioning SSD preserves all file data for a fixed retention time (RT).
§ Space overhead increases sharply because all files are backed up regardless of importance.
§ To free up space, Versioning SSD aggressively erases old backup data in a way that limits RT.
Integrity vulnerability occurs when:
Malware Dwell Time (DT) > Versioning SSD Retention Time (RT)
Dwell Time: the period during which the malware stays undetected in the victim system
[Figure: Versioning SSD timeline for secure.txt and temp.txt, RT: 3 days, DT: 7 days]
3/3: Files are created (V1)
3/4: Malware encrypts files (V1, V2)
3/7: V1 is removed
3/11: Recovery failed (only V2 remains)
[Figure: distribution of malware dwell time; x-axis: Dwell Time (days), y-axis: Dwell Time Dist. (%); the Versioning SSD RT range of 3-56 days is marked]
Motivation: Integrity vulnerability of Versioning SSD
Malware's average DT is longer than the RT of Versioning SSDs.
§ Project Almanac provides 3-56 days of RT depending on the workload's write intensity.
§ However, more than 50% of malware has a DT of 60 days or more.
Existing Versioning SSD is vulnerable to at least 50% of malware attacks.
Motivation: Keeping deeper history for important files
SGX-SSD: Policy-based per-file versioning SSD
§ Each file version is maintained according to the policy set by users.
§ We defined 3 types of policy a user can set.
§ SGX-SSD minimizes the space consumption for versions to keep deeper history for important files.
Retention Time (RT): foo.txt 3 days; secure.txt 365 days; temp.txt 0 days
Number of Versions (#V): foo.txt 5; secure.txt INF; temp.txt 0
Backup Cycle (BC): foo.txt 30 days; secure.txt 1 day; temp.txt NULL
Motivation: Keeping deeper history for important files
SGX-SSD guarantees integrity from malware with long DT.
§ Malware DT: 7 days, RT of secure.txt: 30 days, RT of temp.txt: 0 days
[Figure: SGX-SSD timeline for secure.txt and temp.txt]
3/3: Files are created (secure.txt V1, temp.txt V1)
3/4: Malware encrypts files (V1, V2)
3/11: Recovery success (V1 of secure.txt is still retained)
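The two timelines above (fixed RT of 3 days versus per-file RT) can be replayed in a small model. This is an added example, not code from the SGX-SSD authors; the class and function names, the calendar year, and the rule that a superseded version is erased RT days after it was overwritten are assumptions chosen to match the slide dates. Only the Retention Time policy is modeled, not Number of Versions or Backup Cycle.

```python
from datetime import date, timedelta

class VersioningStore:
    """Toy model (assumption): a superseded version is erased RT days after overwrite."""

    def __init__(self, default_rt_days, per_file_rt=None):
        self.default_rt = default_rt_days
        self.per_file_rt = per_file_rt or {}   # filename -> RT in days (per-file policy)
        self.versions = {}                     # filename -> [written, superseded, data]

    def rt(self, name):
        return self.per_file_rt.get(name, self.default_rt)

    def write(self, name, data, today):
        history = self.versions.setdefault(name, [])
        if history:
            history[-1][1] = today             # previous version becomes a backup copy
        history.append([today, None, data])

    def gc(self, today):
        """Erase backup copies whose retention time has elapsed."""
        for name, history in self.versions.items():
            limit = timedelta(days=self.rt(name))
            history[:] = [v for v in history
                          if v[1] is None or today - v[1] < limit]

    def recover(self, name, infected_on, today):
        """Return the newest retained version written before infection, else None."""
        self.gc(today)
        clean = [v for v in self.versions.get(name, []) if v[0] < infected_on]
        return clean[-1][2] if clean else None


def replay(store, dwell_days=7):
    """Slide timeline: create on 3/3, encrypt on 3/4, detect after the dwell time."""
    # The year is arbitrary (constructed); the slides give only month/day.
    created, infected = date(2020, 3, 3), date(2020, 3, 4)
    detected = infected + timedelta(days=dwell_days)
    for name in ("secure.txt", "temp.txt"):
        store.write(name, "plaintext", created)
        store.write(name, "ciphertext", infected)
    return {n: store.recover(n, infected, detected)
            for n in ("secure.txt", "temp.txt")}

# Fixed RT of 3 days for every file: DT (7) > RT (3), nothing clean is left.
FIXED_RT = replay(VersioningStore(default_rt_days=3))
# Per-file policy from the slide: secure.txt RT 30 days, temp.txt RT 0 days.
PER_FILE = replay(VersioningStore(default_rt_days=3,
                                  per_file_rt={"secure.txt": 30, "temp.txt": 0}))
```

With the fixed policy both files are unrecoverable on 3/11; with the per-file policy secure.txt recovers its pre-infection version while temp.txt, by design, does not.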
Design Challenge: SGX-SSD
Challenge 1: Secure Host Interface on Compromised OS
§ How can the policy request entered by a user be safely delivered to the SSD?
[Figure: User, I/O Device, Host Server (OS Kernel), Policy, SGX-SSD]
Challenge 2: Per-file versioning management by SSD
§ How can SSD recognize the file semantics corresponding to each block?
[Figure: App and File System hold file data (temp.txt RT 0 days, secure.txt RT 30 days); SGX-SSD receives only write(LBA, size)]