FlashGuard: Leveraging Intrinsic Flash Properties
to Defend Against Encryption Ransomware
Jian Huang † ‡
Jun Xu Xinyu Xing Peng Liu Moinuddin K. Qureshi †

Encryption Ransomware Is Becoming More Aggressive
May 12, 2017
230,000+ computers
150+ countries
$300-$600 per ransom

What Is Encryption Ransomware?
Destroy original files
Encrypt files
Ask for payments to decrypt files
A ransom notification: users' files have been encrypted
Pay ransom to recover user files
More ransom required if the payment is delayed

Characteristics of Encryption Ransomware
Family          #Samples   Attack Time (minutes)   Backup Spoliation
Petya           14         2
CTB-Locker      119        14
Jigsaw          5          16
Mobef           7          16
Maktub          10         22
Stampado        42         27
Cerber          29         37
Locky           344        43
7ev3n           16         44
TeslaCrypt      75         44
HydraCrypt      13         70
CryptoFortress  4          75
CryptoWall      799        75
Total           1477
How long does it take for ransomware to finish the attack?
Ask for ransom quickly
Many ransomware attempt to delete backup files (and bypass User Access Control)

Why Existing Solutions Are Not Good Enough?
Malware detection: Damage has already happened when ransomware is detected
Journaling & log-structured FS: Ransomware with kernel privilege can destroy data backups
Networked & Cloud Storage: Increased storage cost & can be stopped by ransomware

Threat Model of Encryption Ransomware
[Diagram of the storage stack: Application (userspace), read/write, Block Driver (kernel), Block I/O Interface, Disk; the Disk is shown as a Hard Disk Drive or as a Flash-based SSD containing the Flash Translation Layer and NAND Flash]
Our Goal: defend against encryption ransomware without relying on software-based solutions & without explicit data backups

Flash Performs Better Than Hard Disk Drive
No Seek Latency: 40x lower latency
Increased Parallelism: Dozens of parallel chips
Became Commodity: Less than $0.2/GB
Significant improvements on Flash

How Flash Is Used Today?
[Diagram of the stack: Application, File System, Flash-based Disk, which consists of the Flash Translation Layer and Flash]
Out-of-Place Update [animation labels: Write A, then Write B]
Garbage Collection

FlashGuard: Leveraging Intrinsic Flash Properties
[Diagram of the storage stack: Application (userspace), read/write, Block Driver (kernel), Block I/O Interface, Flash-based SSD containing the Flash Translation Layer and Flash]

Retaining Data in SSDs without Hardware Modification
Overwrite a block
[Animation: Overwrite on SSD and Overwrite on HDD, with pages labelled A and B]
Retaining all the invalid pages (stale data) is expensive
Only retain the invalid pages caused by encryption ransomware

FlashGuard: A Ransomware-Aware SSD
File: Read, Encrypt, Overwrite => Read, Overwrite
File: Read, Encrypt, Write new files, Delete/Overwrite => Read, Overwrite
FlashGuard only retains invalid pages that have been read for a certain period of time
[Chart: Ratio of different IO operations (0% to 100%) for Read, Write and Read-Overwrite; University computers (20 days), Enterprise servers (6-10 days)]
The data size is relatively small (a few GBs)

Tracking Invalid Data with Out-of-Band Metadata
[Diagram: a Flash Block holds Flash Pages; each Flash Page holds Data and OOB Metadata]
Field      Size     Purpose
LPA        4 Bytes  The logical page address mapped to the physical page
P-PPA      4 Bytes  Previous physical page address for tracking all invalid pages
Timestamp  4 Bytes  Check how long the page has been retained
RIP        1 bit    Identify whether this page is a retained invalid page

Ransomware-Aware Garbage Collection in FlashGuard
[Diagram: Block A, Block B, Block C; legend: valid page, invalid page, retained invalid page; the animation highlights Block C, then Block A]
select flash block (greedy algorithm)
copy valid and retained invalid pages to a new block
erase old flash block

Data Recovery in FlashGuard
Leveraging OOB metadata (LPA, P-PPA, Timestamp, RIP) to retrieve index information for recovery
Checking flash blocks one by one is slow: Leveraging internal parallelism of SSDs
Building the logical connections among retained invalid pages is challenging: Leveraging previous-PPA stored in OOB metadata
[Diagram: several chips scanned in parallel; pages linked as data + P-PPA]
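
The mechanism on the three preceding slides (OOB metadata, ransomware-aware garbage collection, recovery through the P-PPA chain), as a small Python model. This is an added example, not the FlashGuard firmware or the authors' code; the class and method names, the 4-page blocks, the logical clock, the `dead_at` field and the in-place pointer fix-up during GC are assumptions of the model.

```python
from dataclasses import dataclass

PAGES_PER_BLOCK = 4   # constructed toy geometry (the deck's SSD has 64 pages/block)
NONE = -1


@dataclass
class Page:
    state: str = "free"   # free | valid | invalid | retained
    data: bytes = b""
    lpa: int = NONE       # OOB: logical page address
    p_ppa: int = NONE     # OOB: previous physical page address of this LPA
    ts: int = 0           # OOB: logical time this version was written
    rip: bool = False     # OOB: retained-invalid-page flag
    dead_at: int = 0      # model-only: logical time the page was invalidated


class ToyFlashGuard:
    def __init__(self, blocks=4, retention=100):
        self.pages = [Page() for _ in range(blocks * PAGES_PER_BLOCK)]
        self.l2p, self.read_lpas = {}, set()      # mapping table; LPAs read since last write
        self.retention, self.now = retention, 0   # retention window and clock, in ticks

    def _alloc(self, skip_block=None):
        for ppa, p in enumerate(self.pages):
            if p.state == "free" and ppa // PAGES_PER_BLOCK != skip_block:
                return ppa
        raise RuntimeError("no free page left; garbage collection needed")

    def read(self, lpa):
        self.now += 1
        self.read_lpas.add(lpa)
        return self.pages[self.l2p[lpa]].data

    def write(self, lpa, data):
        """Out-of-place update: the old page is never overwritten in place."""
        self.now += 1
        new, old, prev = self._alloc(), self.l2p.get(lpa), NONE
        if old is not None:
            stale = self.pages[old]
            if lpa in self.read_lpas:          # read-then-overwrite: retain it
                stale.state, stale.rip, stale.dead_at = "retained", True, self.now
                prev = old
            else:                              # blind overwrite: ordinary garbage
                stale.state, prev = "invalid", stale.p_ppa
        self.read_lpas.discard(lpa)
        self.pages[new] = Page("valid", data, lpa, prev, self.now)
        self.l2p[lpa] = new

    def _reclaimable(self, p):
        expired = p.state == "retained" and self.now - p.dead_at > self.retention
        return p.state == "invalid" or expired

    def gc(self):
        """Greedy GC that copies valid AND unexpired retained pages before erase."""
        nblocks = len(self.pages) // PAGES_PER_BLOCK
        def gain(b):
            blk = self.pages[b * PAGES_PER_BLOCK:(b + 1) * PAGES_PER_BLOCK]
            return sum(self._reclaimable(p) for p in blk)
        victim = max(range(nblocks), key=gain)
        if gain(victim) == 0:
            return None
        for old in range(victim * PAGES_PER_BLOCK, (victim + 1) * PAGES_PER_BLOCK):
            p, dst = self.pages[old], NONE
            if p.state != "free" and not self._reclaimable(p):
                dst = self._alloc(skip_block=victim)
                self.pages[dst] = p
                if p.state == "valid":
                    self.l2p[p.lpa] = dst
            for q in self.pages:               # model-only fix-up of P-PPA pointers
                if q.p_ppa == old:
                    q.p_ppa = dst
            self.pages[old] = Page()           # erase
        return victim

    def recover(self, lpa, as_of):
        """Walk the P-PPA chain back to the newest version written by as_of."""
        ppa = self.l2p.get(lpa, NONE)
        while ppa != NONE:
            p = self.pages[ppa]
            if p.ts <= as_of:
                return p.data
            ppa = p.p_ppa
        return None


def demo():
    """Constructed scenario: user data, a blind overwrite, then read-encrypt-overwrite."""
    ssd = ToyFlashGuard()
    for lpa in range(3):
        ssd.write(lpa, b"plain-%d" % lpa)
    ssd.write(3, b"tmp-v1")
    ssd.write(3, b"tmp-v2")                    # never read: tmp-v1 is not retained
    clean = ssd.now                            # last known-good logical time
    for lpa in range(3):
        ssd.write(lpa, b"cipher-" + ssd.read(lpa))
    ssd.gc()                                   # reclaims tmp-v1, migrates retained pages
    return ssd, clean
```

Advancing `ssd.now` past the retention window and calling `gc()` again reclaims the retained pages, after which `recover()` returns `None`, so recovery has to start inside that window.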

FlashGuard Experimental Setup
Programmable SSD: 1 TB, 64 pages/block, 4 KB/page, over-provisioning ratio: 15%
Ransomware Samples: 1,477 ransomware samples (VirusTotal)
Storage Workloads:
Enterprise servers (11 workloads)
University machines (6 workloads)
Storage benchmarks: IOZone/Postmark
Database workloads (TPCC/TPCE)

Recovery Time of Ransomware Samples
[Chart: Victim Data Size (GB), axis 0 to 5, and Recovery Time (secs), axis 0 to 60]

Impact on Regular Storage Operations
[Charts: Latency (microseconds), Unmodified SSD vs. FlashGuard; one on an axis from 0 to 1400, a second on a logarithmic axis from 1 to 100000]
FlashGuard decreases the storage performance by 6% for I/O-intensive workloads

Impact on SSD Lifetime
[Chart: Normalized Write Amplification Factor, axis 0 to 1.2, Unmodified SSD vs. FlashGuard]
FlashGuard increases the WAF by 4% due to the additional page movements in GC

Potential Attacks and Future Work
GC Attack
Timing Attack
Secure Deletion

FlashGuard Summary
Hardware-assisted Defense Against Encryption Ransomware
Negligible Impact on SSD performance & lifetime

Thanks!
Q&A