75
FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware Jian Huang † ‡ Jun Xu Xinyu Xing Peng Liu Moinuddin K. Qureshi † † ‡
FlashGuard: Leveraging Intrinsic Flash Properties
to Defend Against Encryption Ransomware
Jian Huang † ‡
Jun Xu Xinyu Xing Peng Liu Moinuddin K. Qureshi †
† ‡
Encryption Ransomware Is Becoming More Aggressive
2
May 12, 2017
Encryption Ransomware Is Becoming More Aggressive
2
May 12, 2017230,000+ computers
150+ countries
$300-$600 per ransom
What Is Encryption Ransomware?
3
Destroy
original filesEncrypt files
Ask for payments
to decrypt files
What Is Encryption Ransomware?
3
What Is Encryption Ransomware?
3
A ransom notification:
users files have been
encrypted
What Is Encryption Ransomware?
3
A ransom notification:
users files have been
encrypted
Pay ransom to recover
user files
What Is Encryption Ransomware?
3
A ransom notification:
users files have been
encrypted
Pay ransom to recover
user files
What Is Encryption Ransomware?
3
A ransom notification:
users files have been
encrypted
Pay ransom to recover
user filesMore ransom
required if the
payment is delayed
Characteristics of Encryption Ransomware
4
Family #Samples Attack Time (minutes) Backup Spoliation
Petya 14 2
CTB-Locker 119 14
Jigsaw 5 16
Mobef 7 16
Maktub 10 22
Stampado 42 27
Cerber 29 37
Locky 344 43
7ev3n 16 44
TeslaCrypt 75 44
HydraCrypt 13 70
CryptoFortree 4 75
CrytoWall 799 75
Total 1477
Characteristics of Encryption Ransomware
4
Family #Samples Attack Time (minutes) Backup Spoliation
Petya 14 2
CTB-Locker 119 14
Jigsaw 5 16
Mobef 7 16
Maktub 10 22
Stampado 42 27
Cerber 29 37
Locky 344 43
7ev3n 16 44
TeslaCrypt 75 44
HydraCrypt 13 70
CryptoFortree 4 75
CrytoWall 799 75
Total 1477
How long does it take for
ransomware to finish the attack?
Characteristics of Encryption Ransomware
4
Family #Samples Attack Time (minutes) Backup Spoliation
Petya 14 2
CTB-Locker 119 14
Jigsaw 5 16
Mobef 7 16
Maktub 10 22
Stampado 42 27
Cerber 29 37
Locky 344 43
7ev3n 16 44
TeslaCrypt 75 44
HydraCrypt 13 70
CryptoFortree 4 75
CrytoWall 799 75
Total 1477
Ask for ransom quickly
Characteristics of Encryption Ransomware
4
Family #Samples Attack Time (minutes) Backup Spoliation
Petya 14 2
CTB-Locker 119 14
Jigsaw 5 16
Mobef 7 16
Maktub 10 22
Stampado 42 27
Cerber 29 37
Locky 344 43
7ev3n 16 44
TeslaCrypt 75 44
HydraCrypt 13 70
CryptoFortree 4 75
CrytoWall 799 75
Total 1477
Characteristics of Encryption Ransomware
4
Family #Samples Attack Time (minutes) Backup Spoliation
Petya 14 2
CTB-Locker 119 14
Jigsaw 5 16
Mobef 7 16
Maktub 10 22
Stampado 42 27
Cerber 29 37
Locky 344 43
7ev3n 16 44
TeslaCrypt 75 44
HydraCrypt 13 70
CryptoFortree 4 75
CrytoWall 799 75
Total 1477
Many ransomware attempt
to delete backup files
(and bypass User Access Control)
Why Existing Solutions Are Not Good Enough?
5
Malware detection
Why Existing Solutions Are Not Good Enough?
5
Malware detection
Damage has already happened when ransomware is detected
Why Existing Solutions Are Not Good Enough?
5
Malware detectionJournaling &
log-structured FS
Why Existing Solutions Are Not Good Enough?
5
Malware detectionJournaling &
log-structured FS
Ransomware with kernel privilege can destroy data backups
Why Existing Solutions Are Not Good Enough?
5
Malware detectionJournaling &
log-structured FSNetworked &
Cloud Storage
Why Existing Solutions Are Not Good Enough?
5
Malware detectionJournaling &
log-structured FSNetworked &
Cloud Storage
Increased storage cost & can be stopped by ransomware
Threat Model of Encryption Ransomware
6
Block Driver
Application
kernel
userspace
read/write
Block I/O Interface
Flash Translation Layer
NAND Flash
Disk
Threat Model of Encryption Ransomware
6
Block Driver
Application
kernel
userspace
read/write
Block I/O Interface
Flash Translation Layer
NAND Flash
Disk
Threat Model of Encryption Ransomware
6
Block Driver
Application
kernel
userspace
read/write
Block I/O Interface
Flash Translation Layer
NAND Flash
Disk
Our Goal: defend against encryption ransomware
without relying on software-based solutions &
without explicit data backups
Threat Model of Encryption Ransomware
6
Block Driver
Application
kernel
userspace
read/write
Block I/O Interface
Flash Translation Layer
NAND Flash
Disk
Hard Disk Drive Flash-based SSD
Flash Performs Better Than Hard Disk Drive
7
No Seek
Latency
40x lower latency
Flash Performs Better Than Hard Disk Drive
7
No Seek
Latency
40x lower latency
Increased
Parallelism
Dozens of
parallel chips
Flash Performs Better Than Hard Disk Drive
7
No Seek
Latency
40x lower latency
Increased
Parallelism
Dozens of
parallel chips
Became
Commodity
Less than $0.2/GB
Flash Performs Better Than Hard Disk Drive
7
No Seek
Latency
40x lower latency
Increased
Parallelism
Dozens of
parallel chips
Became
Commodity
Less than $0.2/GB
Significant improvements on Flash
How Flash Is Used Today?
8
Application
Flash-based Disk
File System
How Flash Is Used Today?
8
Application
File System
Flash Translation Layer
Flash
How Flash Is Used Today?
8
Application
File System
Flash Translation Layer
Flash
Out-of-Place Update
A
How Flash Is Used Today?
8
Application
File System
Flash Translation Layer
Flash
Out-of-Place Update
Write
A
How Flash Is Used Today?
8
Application
File System
Flash Translation Layer
Flash
Out-of-Place Update
AA
Write
B
How Flash Is Used Today?
8
Application
File System
Flash Translation Layer
Flash
Out-of-Place Update
AA
Write
B
Garbage
Collection
FlashGuard: Leveraging Intrinsic Flash Properties
9
Block Driver
Application
kernel
userspace
read/write
Block I/O Interface
Flash Translation Layer
Flash
Flash-based SSD
FlashGuard: Leveraging Intrinsic Flash Properties
9
Block Driver
Application
kernel
userspace
read/write
Block I/O Interface
Flash Translation Layer
Flash
A
Retaining Data in SSDs without Hardware Modification
10
Overwrite a block
Overwrite on SSD
Overwrite
B
A
Retaining Data in SSDs without Hardware Modification
10
Overwrite a block
Overwrite on SSD
Overwrite A
B
A
Retaining Data in SSDs without Hardware Modification
10
Overwrite a block
Overwrite on SSD
Overwrite A A
Overwrite on HDD
B
A
Retaining Data in SSDs without Hardware Modification
10
Overwrite a block
Overwrite on SSD
Overwrite A A
Overwrite on HDD
B Overwrite
B
A
Retaining Data in SSDs without Hardware Modification
10
Overwrite a block
Overwrite on SSD
Overwrite A A
Overwrite on HDD
B Overwrite
Retaining all the invalid pages
(stale data) is expensive
B
A
Retaining Data in SSDs without Hardware Modification
10
Overwrite a block
Overwrite on SSD
Overwrite A A
Overwrite on HDD
B Overwrite
Retaining all the invalid pages
(stale data) is expensive
Only retain the invalid pages caused by encryption ransomware
FlashGuard: A Ransomware-Aware SSD
11
File Read Encrypt Overwrite
File Read Encrypt Write new files Delete/Overwrite
FlashGuard: A Ransomware-Aware SSD
11
File Read Encrypt Overwrite
File Read Encrypt Write new files Delete/Overwrite
Read Overwrite
Read Overwrite
FlashGuard: A Ransomware-Aware SSD
11
File Read Encrypt Overwrite
File Read Encrypt Write new files Delete/Overwrite
Read Overwrite
Read Overwrite
FlashGuard only retains invalid pages that have been read
for a certain period of time
FlashGuard: A Ransomware-Aware SSD
11
0%
20%
40%
60%
80%
100%
Rat
io o
f diffe
rent
IO o
pera
tions
Read Write Read-Overwrite
University computers (20 days) Enterprise servers (6-10 days)
FlashGuard: A Ransomware-Aware SSD
11
0%
20%
40%
60%
80%
100%
Rat
io o
f diffe
rent
IO o
pera
tions
Read Write Read-Overwrite
University computers (20 days) Enterprise servers (6-10 days)
FlashGuard: A Ransomware-Aware SSD
11
0%
20%
40%
60%
80%
100%
Rat
io o
f diffe
rent
IO o
pera
tions
Read Write Read-Overwrite
University computers (20 days) Enterprise servers (6-10 days)
The data size is
relatively small (a few GBs)
Tracking Invalid Data with Out-of-Band Metadata
12
Data OOB Metadata
Flash Block
Flash Page
LPA RIPTimestampP-PPA
4 Bytes 1 bit4 Bytes 4 Bytes
The logical page address
mapped to the physical page
Tracking Invalid Data with Out-of-Band Metadata
12
Data OOB Metadata
Flash Block
Flash Page
LPA RIPTimestampP-PPA
4 Bytes 1 bit4 Bytes 4 Bytes
Previous physical page address
for tracking all invalid pages
Tracking Invalid Data with Out-of-Band Metadata
12
Data OOB Metadata
Flash Block
Flash Page
LPA RIPTimestampP-PPA
4 Bytes 1 bit4 Bytes 4 Bytes
Check how long the page has
been retained
Tracking Invalid Data with Out-of-Band Metadata
12
Data OOB Metadata
Flash Block
Flash Page
LPA RIPTimestampP-PPA
4 Bytes 1 bit4 Bytes 4 Bytes
Identify whether this page
is a retained invalid page
Ransomware-Award Garbage Collection in FlashGuard
13
Block A Block B Block C
valid page invalid page retained invalid page
select flash lock (greedy algorithm)
Ransomware-Award Garbage Collection in FlashGuard
13
Block A Block B Block C
valid page invalid page retained invalid page
select flash lock (greedy algorithm)
Block C
Ransomware-Award Garbage Collection in FlashGuard
13
Block A Block B Block C
valid page invalid page retained invalid page
select flash lock (greedy algorithm)
Block A
Ransomware-Award Garbage Collection in FlashGuard
13
Block A Block B Block C
valid page invalid page retained invalid page
select flash lock (greedy algorithm)
copy valid and retained invalid pages to a new block
Block A
Ransomware-Award Garbage Collection in FlashGuard
13
Block A Block B Block C
valid page invalid page retained invalid page
select flash lock (greedy algorithm)
copy valid and retained invalid pages to a new block
erase old flash block
Block A
Data Recovery in FlashGuard
14
Data OOB Metadata
Flash Block
Flash Page
LPA RIPTimestampP-PPA
4 Bytes 1 bit4 Bytes 4 Bytes
Data Recovery in FlashGuard
14
Data OOB Metadata
Flash Block
Flash Page
LPA RIPTimestampP-PPA
4 Bytes 1 bit4 Bytes 4 Bytes
Leveraging OOB metadata to retrieve index information for recovery
Data Recovery in FlashGuard
14
Data Recovery
Data Recovery in FlashGuard
14
Data Recovery
Checking flash block one by one is slow
Building the logical connections among
retained invalid pages is challenging
Data Recovery in FlashGuard
14
Data Recovery
Building the logical connections among
retained invalid pages is challenging
Chip
…
Chip
…
Chip
…
Leveraging internal parallelism of SSDs
Data Recovery in FlashGuard
14
Data Recovery
Chip
…
Chip
…
Chip
…
Leveraging internal parallelism of SSDs
Leveraging previous-PPA stored in OOB metadata
data P-PPA
data P-PPA
data P-PPA
FlashGuardExperimental Setup
15
1 TB
64 pages/block
4 KB/page
over-provisioning ratio: 15%
Programmable SSD
FlashGuardExperimental Setup
15
1 TB
64 pages/block
4 KB/page
over-provisioning ratio: 15%
Programmable SSD
Ransomware Samples1,477 ransomware samples (VirusTotal)
FlashGuardExperimental Setup
15
1 TB
64 pages/block
4 KB/page
over-provisioning ratio: 15%
Storage WorkloadsEnterprise servers (11 workloads)
University machines (6 workloads)
Storage benchmarks: IOZone/Postmark
Database workloads (TPCC/TPCE)
Programmable SSD
Ransomware Samples1,477 ransomware samples (VirusTotal)
Recovery Time of Ransomware Samples
16
0
1
2
3
4
5
Vic
tim
Dat
a Si
ze (
GB
)
Victim Data Size
Recovery Time of Ransomware Samples
16
0
1
2
3
4
5
Vic
tim
Dat
a Si
ze (
GB
)
Victim Data Size
0
10
20
30
40
50
60
Reco
very
Tim
e (
secs
)
Recovery Time
Impact on Regular Storage Operations
17
0
200
400
600
800
1000
1200
1400
Lat
ency
(m
icro
seco
nds)
Unmodifed SSD FlashGuard
FlashGuard decreases the storage performance by 6% for
I/O-intensive workloads
1
10
100
1000
10000
100000
Lat
ency
(m
icro
seco
nds)
Impact on SSD Lifetime
18
0
0.2
0.4
0.6
0.8
1
1.2
Norm
aliz
ed
Wri
te A
mplif
icat
ion F
acto
r
Unmodifed SSD FlashGuard
FlashGuard increases the WAF by 4%
due to the additional page movements in GC
Potential Attacks and Future Work
19
GC Attack
Potential Attacks and Future Work
19
GC Attack Timing Attack
Potential Attacks and Future Work
19
GC Attack Timing Attack Secure Deletion
FlashGuardSummary
20
Hardware-assisted Defense Against Encryption Ransomware
Negligible Impact on
SSD performance & lifetime
21
Thanks!
Jian Huang† ‡
Jun Xu Xinyu Xing Peng Liu Moinuddin K. Qureshi †
†
Q&A
‡
