FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware - PowerPoint PPT Presentation


SLIDE 1

FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware

Jian Huang, Jun Xu, Xinyu Xing, Peng Liu, Moinuddin K. Qureshi

SLIDES 2-3

Encryption Ransomware Is Becoming More Aggressive

May 12, 2017: 230,000+ computers, 150+ countries, $300-$600 per ransom

SLIDES 4-9

What Is Encryption Ransomware?

Encrypt files
Destroy the original files
Ask for payment to decrypt the files

A ransom notification tells users that their files have been encrypted and that they must pay the ransom to recover them

More ransom is required if the payment is delayed

SLIDES 10-14

Characteristics of Encryption Ransomware

How long does it take for ransomware to finish the attack?

Family          #Samples   Attack Time (minutes)   Backup Spoliation
Petya           14         2
CTB-Locker      119        14
Jigsaw          5          16
Mobef           7          16
Maktub          10         22
Stampado        42         27
Cerber          29         37
Locky           344        43
7ev3n           16         44
TeslaCrypt      75         44
HydraCrypt      13         70
CryptoFortress  4          75
CryptoWall      799        75
Total           1477

Ransomware asks for the ransom quickly (attack times of 2 to 75 minutes in the table)

Many ransomware families attempt to delete backup files (and bypass User Access Control)

SLIDES 15-20

Why Are Existing Solutions Not Good Enough?

Malware detection: the damage has already happened by the time the ransomware is detected
Journaling & log-structured file systems: ransomware with kernel privilege can destroy the data backups
Networked & cloud storage: increased storage cost, and the backup process can be stopped by ransomware

SLIDES 21-24

Threat Model of Encryption Ransomware

Storage stack (diagram): Application (userspace) -> read/write -> Block Driver (kernel) -> Block I/O Interface -> Flash Translation Layer -> NAND Flash (Disk); the disk is either a Hard Disk Drive or a Flash-based SSD

Our Goal: defend against encryption ransomware without relying on software-based solutions & without explicit data backups

SLIDES 25-28

Flash Performs Better Than Hard Disk Drive

No seek latency: 40x lower latency
Increased parallelism: dozens of parallel chips
Became commodity: less than $0.2/GB

Significant improvements on Flash

SLIDES 29-34

How Is Flash Used Today?

Application -> File System -> Flash Translation Layer -> Flash

Out-of-Place Update (diagram): Write A programs A into a flash page; a later Write B to the same logical address programs B into a different page, and the old copy of A stays on the flash as an invalid page

Garbage Collection

SLIDES 35-36

FlashGuard: Leveraging Intrinsic Flash Properties

Storage stack (diagram): Application (userspace) -> read/write -> Block Driver (kernel) -> Block I/O Interface -> Flash Translation Layer -> Flash (Flash-based SSD)

SLIDES 37-42

Retaining Data in SSDs without Hardware Modification

Overwrite a block (diagram): overwriting A with B on an SSD writes B to a new page and leaves the old page A behind as an invalid page; overwriting A with B on an HDD replaces A in place, and A is gone

Retaining all the invalid pages (stale data) is expensive

Only retain the invalid pages caused by encryption ransomware

SLIDES 43-45

FlashGuard: A Ransomware-Aware SSD

Ransomware access patterns (diagram): File -> Read -> Encrypt -> Overwrite, or File -> Read -> Encrypt -> Write new files -> Delete/Overwrite; at the SSD both patterns appear as a Read followed by an Overwrite of the same data

FlashGuard only retains invalid pages that were read within a certain period of time before being overwritten

SLIDES 46-48

FlashGuard: A Ransomware-Aware SSD

Chart: ratio of different IO operations (Read, Write, Read-Overwrite), 0% to 100%, for university computers (20 days) and enterprise servers (6-10 days)

The amount of read-then-overwritten data is relatively small (a few GBs)

SLIDES 49-52

Tracking Invalid Data with Out-of-Band Metadata

Each flash page in a flash block carries its data plus OOB metadata with four fields:
LPA (4 bytes): the logical page address mapped to the physical page
RIP (1 bit): identifies whether this page is a retained invalid page
Timestamp (4 bytes): check how long the page has been retained
P-PPA (4 bytes): previous physical page address, for tracking all invalid pages

SLIDES 53-57

Ransomware-Aware Garbage Collection in FlashGuard

Diagram: Block A, Block B, Block C, with pages marked valid, invalid, or retained invalid

Select a flash block (greedy algorithm)
Copy valid and retained invalid pages to a new block
Erase the old flash block

SLIDES 58-59

Data Recovery in FlashGuard

OOB metadata per flash page: LPA (4 bytes), RIP (1 bit), Timestamp (4 bytes), P-PPA (4 bytes)

Leveraging OOB metadata to retrieve index information for recovery
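The OOB record on slides 49-52 and the index rebuilding on slides 58-59 can be made concrete with a small codec. The following is an added example, not code from the slides or from the FlashGuard authors. Its layout details are assumptions: the 1-bit RIP flag is padded to one byte (13 bytes per page instead of the deck's 12 bytes and 1 bit), P-PPA 0xFFFFFFFF means "no previous page", the RIP bit in a record refers to the page at that record's P-PPA (a programmed OOB region cannot be updated later), erased pages read back as all 0xFF, and the OOB area is dumped contiguously so that record i belongs to physical page i.

```python
import struct
from typing import Dict, List, NamedTuple, Optional

OOB_FMT = "<IBII"                     # LPA u32 | flags u8 (bit 0 = RIP) | Timestamp u32 | P-PPA u32
OOB_SIZE = struct.calcsize(OOB_FMT)   # 13 bytes per page in this (assumed) layout
NO_PPA = 0xFFFFFFFF                   # assumption: marks "no previous physical page"
RIP_BIT = 0x01
ERASED = b"\xff" * OOB_SIZE           # an erased flash page reads back as all 1s


class OOB(NamedTuple):
    lpa: int
    rip: bool                         # assumption: "the page at p_ppa is a retained invalid page"
    ts: int
    p_ppa: Optional[int]


def pack_oob(rec: OOB) -> bytes:
    flags = RIP_BIT if rec.rip else 0
    return struct.pack(OOB_FMT, rec.lpa, flags, rec.ts, NO_PPA if rec.p_ppa is None else rec.p_ppa)


def unpack_oob(raw: bytes) -> OOB:
    lpa, flags, ts, p_ppa = struct.unpack(OOB_FMT, raw)
    return OOB(lpa, bool(flags & RIP_BIT), ts, None if p_ppa == NO_PPA else p_ppa)


def parse_oob_area(dump: bytes) -> List[Optional[OOB]]:
    """Split a contiguous dump of every page's OOB region; record i belongs to physical page i.
    Erased pages (all 0xFF) come back as None so they can never join a version chain."""
    if len(dump) % OOB_SIZE:
        raise ValueError("dump is not a whole number of OOB records")
    chunks = [dump[i:i + OOB_SIZE] for i in range(0, len(dump), OOB_SIZE)]
    return [None if c == ERASED else unpack_oob(c) for c in chunks]


def page_age(rec: OOB, now: int) -> int:
    """Ticks since the page was written. With only a write timestamp in OOB this is the upper
    bound on how long a stale page has been retained (deck: 'check how long the page has been retained')."""
    return now - rec.ts


def retained_pages(recs: List[Optional[OOB]]) -> set:
    """Physical pages flagged as retained invalid pages by the RIP bit of their successor."""
    return {r.p_ppa for r in recs if r is not None and r.rip and r.p_ppa is not None}


def rebuild_index(recs: List[Optional[OOB]]) -> Dict[int, List[int]]:
    """Recover index information from OOB alone, without the FTL mapping table: for each LPA take
    the newest write by timestamp, then follow P-PPA links back through every older version."""
    newest: Dict[int, int] = {}
    for ppa, r in enumerate(recs):
        if r is not None and (r.lpa not in newest or r.ts > recs[newest[r.lpa]].ts):
            newest[r.lpa] = ppa
    chains: Dict[int, List[int]] = {}
    for lpa, ppa in newest.items():
        chain: List[int] = []
        p: Optional[int] = ppa
        while p is not None and p < len(recs) and recs[p] is not None and recs[p].lpa == lpa:
            chain.append(p)
            p = recs[p].p_ppa
        chains[lpa] = chain
    return chains


def demo() -> dict:
    # Constructed 6-page flash: LPA 7 written at t=1 (ppa 0) and overwritten at t=5 after a read
    # (ppa 3, RIP set); LPA 3 written at t=2 (ppa 1) and overwritten at t=3 without a read (ppa 2,
    # RIP clear); ppa 4 erased; LPA 9 written at t=6 (ppa 5).
    records = [OOB(7, False, 1, None), OOB(3, False, 2, None), OOB(3, False, 3, 1),
               OOB(7, True, 5, 0), None, OOB(9, False, 6, None)]
    dump = b"".join(ERASED if r is None else pack_oob(r) for r in records)
    recs = parse_oob_area(dump)
    return {
        "record_size": OOB_SIZE,                 # 13
        "roundtrip_ok": recs[3] == records[3],   # True
        "chains": rebuild_index(recs),           # {7: [3, 0], 3: [2, 1], 9: [5]}
        "retained": retained_pages(recs),        # {0}: only the pre-encryption copy of LPA 7
        "age_of_ppa0": page_age(recs[0], now=20),  # 19
    }
```

The chain for LPA 3 is rebuilt too, but no page in it carries a set RIP bit, so a recovery tool would know that the old log page at ppa 1 was an ordinary stale page that GC is free to reclaim, while ppa 0 is the copy FlashGuard promised to keep.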

SLIDES 60-63

Data Recovery in FlashGuard

Data Recovery challenges: checking flash blocks one by one is slow; building the logical connections among retained invalid pages is challenging

Solutions: leveraging the internal parallelism of SSDs (scan the chips in parallel); leveraging the previous-PPA stored in the OOB metadata (diagram: each page's data carries a P-PPA that links to the previous version of the same logical page: data/P-PPA -> data/P-PPA -> data/P-PPA)

SLIDES 64-66

FlashGuard Experimental Setup

Programmable SSD: 1 TB, 64 pages/block, 4 KB/page, over-provisioning ratio: 15%

Ransomware Samples: 1,477 ransomware samples (VirusTotal)

Storage Workloads: enterprise servers (11 workloads), university machines (6 workloads), storage benchmarks (IOZone/Postmark), database workloads (TPCC/TPCE)

SLIDES 67-68

Recovery Time of Ransomware Samples

Chart: Victim Data Size (GB, 1 to 5) against Recovery Time (secs, 10 to 60)

SLIDE 69

Impact on Regular Storage Operations

Chart: Latency (microseconds) for Unmodified SSD vs FlashGuard, on a linear scale (200 to 1400) and a log scale (1 to 100000)

FlashGuard decreases the storage performance by 6% for I/O-intensive workloads

SLIDE 70

Impact on SSD Lifetime

Chart: Normalized Write Amplification Factor (0.2 to 1.2) for Unmodified SSD vs FlashGuard

FlashGuard increases the WAF by 4% due to the additional page movements in GC

SLIDES 71-73

Potential Attacks and Future Work

GC Attack
Timing Attack
Secure Deletion

SLIDE 74

FlashGuard Summary

Hardware-assisted defense against encryption ransomware

Negligible impact on SSD performance & lifetime

SLIDE 75

Thanks!

Jian Huang, jianh@illinois.edu
Jun Xu, Xinyu Xing, Peng Liu, Moinuddin K. Qureshi

Q&A