Researchers developing solid-state drive to help defend against ransomware
Defenses against conventional computer viruses are well established, but far less can be done against ransomware once it runs: it can lock users out of their machines, shut down systems and cripple infrastructure.
"The [computing] community cannot figure out a good way to defend against ransomware," said Jian Huang, assistant professor in Electrical and Computer Engineering and Computer Science. "Hospitals, government agencies, schools, or universities can be compromised by ransomware attacks."
One ransomware cyberattack that made headlines last year was the attack against the Colonial Pipeline. The company paid the ransom, roughly $4.4 million. However, it took days to get the computer systems along the pipeline back up and running, causing fuel shortages and panic buying along the Gulf Coast and eastern seaboard.
Huang and his students, including Benjamin Reidys, have been working over the last two years on a solution that not only preserves copies of the files an attack would encrypt or destroy, but also gives users a way to analyze the attack itself afterwards. Huang received $1 million in funding for the research in 2020 from the Army Research Laboratory. The team's recent work, 'RSSD: Defend against Ransomware with Hardware-Isolated Network-Storage Codesign and Post-Attack Analysis,' was presented at ASPLOS'22 last month.
RSSD stands for ransomware-aware solid-state drive. It redesigns the flash management of the SSD to support hardware-assisted logging: because flash is written out of place, the drive can conservatively retain older versions of user data, together with the storage operations it received, in time order and at low overhead. A local SSD on its own has very limited spare capacity for retaining that data. RSSD therefore extends it with remote cloud storage, expanding both the memory and the storage available for retention through a hardware-isolated network-storage codesign. The goal is what the team calls zero data loss recovery.
"We transfer data from the SSD to the remote cloud. This is transparent to the host OS. So even though the system software was compromised, we'll still be able to transfer data in a secure way to the remote cloud," said Huang.
Another feature of RSSD is post-attack analysis: the data and operation log retained in the cloud can be mined with machine learning algorithms to learn how the ransomware was able to infect the device in the first place. This could also help authorities investigating a cyberattack. And because ransomware evolves to circumvent existing detection and defenses, post-attack analysis gives defenders material for developing new technology to use against future ransomware.
To test the concept, the team implemented RSSD on a programmable SSD board that supports the NVM Express (NVMe) protocol and NVMe over Fabrics (NVMe-oF). To support data recovery, they slightly modified the NVMe command interpreter and added a state query engine to the SSD firmware for locating retained stale data. The team also modified existing WannaCry ransomware samples to mimic three attacks that have not yet been seen in the wild but can circumvent existing SSD-based protections: a garbage-collection attack that exhausts the drive's spare capacity by writing continuously, triggering garbage collection and forcing the SSD to release retained stale data; a timing attack that deliberately slows the pace of encryption and hides its I/O patterns to escape existing defenses; and a trimming attack that uses the SSD's TRIM command to have the drive physically erase data.
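To make the retention problem and two of those attacks concrete, here is a constructed toy model of a flash translation layer (FTL), added for this article; it is not RSSD's firmware or the team's code. The class names, the page-granular drive model, the eager reclaim on TRIM and the in-memory list that stands in for the remote cloud log are all assumptions made for illustration. It shows why ordinary out-of-place flash writes leave recoverable old versions behind, how a garbage-collection attack and a trimming attack destroy them on a conventional drive, and how shipping every page off-device before it is erased keeps them recoverable.

```python
"""Toy flash translation layer (FTL) model of the stale-data retention
problem described above. Constructed for illustration, not RSSD firmware:
the class names, page-granular model and the in-memory "remote log" that
stands in for cloud storage are assumptions.

Flash is written out of place, so an overwrite leaves the previous page
behind as "stale" data until garbage collection (GC) erases it. That is
the data a ransomware victim would want back. The garbage-collection
attack fills the drive so GC must reclaim those stale pages; the trimming
attack discards them with TRIM. RetainingFTL copies every page to the
remote log before erasing it, the zero-data-loss idea in miniature.
"""
from collections import OrderedDict
from typing import Dict, List, Tuple


class BaselineFTL:
    """Log-structured FTL that erases stale pages whenever it needs space."""

    def __init__(self, capacity_pages: int) -> None:
        self.capacity = capacity_pages
        self.mapping: Dict[int, int] = {}                 # LBA -> physical page
        self.pages: Dict[int, Tuple[int, bytes]] = {}     # physical page -> (LBA, data)
        self.stale: "OrderedDict[int, None]" = OrderedDict()  # old versions, oldest first
        self.next_phys = 0
        self.remote_log: List[Tuple[int, bytes]] = []     # unused in the baseline

    def free_pages(self) -> int:
        return self.capacity - len(self.pages)

    def _release(self, phys: int) -> None:
        """Physically erase one page. The baseline simply drops it."""
        self.stale.pop(phys, None)
        del self.pages[phys]

    def _garbage_collect(self) -> None:
        """Reclaim the oldest stale page; a full drive with none left is ENOSPC."""
        if not self.stale:
            raise RuntimeError("drive full: no stale pages to reclaim")
        phys, _ = self.stale.popitem(last=False)
        self._release(phys)

    def write(self, lba: int, data: bytes) -> None:
        if self.free_pages() == 0:
            self._garbage_collect()
        if lba in self.mapping:                  # out-of-place update: old page goes stale
            self.stale[self.mapping[lba]] = None
        phys, self.next_phys = self.next_phys, self.next_phys + 1
        self.pages[phys] = (lba, data)
        self.mapping[lba] = phys

    def read(self, lba: int) -> bytes:
        return self.pages[self.mapping[lba]][1]

    def trim(self, lba: int) -> None:
        """TRIM: the host declares the LBA unused; this model reclaims it eagerly."""
        if lba in self.mapping:
            self._release(self.mapping.pop(lba))

    def versions(self, lba: int) -> List[bytes]:
        """Every recoverable version of an LBA, oldest first (what recovery would see)."""
        found = [data for l, data in self.remote_log if l == lba]
        found += [self.pages[p][1] for p in self.stale if self.pages[p][0] == lba]
        if lba in self.mapping:
            found.append(self.read(lba))
        return found


class RetainingFTL(BaselineFTL):
    """RSSD-style variant: never erase a page without first shipping it off-device."""

    def _release(self, phys: int) -> None:
        self.remote_log.append(self.pages[phys])   # stands in for the transfer to the cloud
        super()._release(phys)


def simulate_gc_attack(ftl_cls) -> List[bytes]:
    """Encrypt a victim LBA, then churn junk writes to force GC over the old version."""
    ftl = ftl_cls(capacity_pages=8)
    ftl.write(1, b"plaintext")          # victim's file (constructed sample data)
    ftl.write(1, b"ENCRYPTED")          # ransomware overwrite; plaintext page is now stale
    for _ in range(3):                  # attacker keeps rewriting its own junk blocks
        for lba in range(100, 106):
            ftl.write(lba, b"junk")
    return ftl.versions(1)


def simulate_trim_attack(ftl_cls) -> List[bytes]:
    """Write the ciphertext elsewhere, then TRIM the original blocks."""
    ftl = ftl_cls(capacity_pages=8)
    ftl.write(1, b"plaintext")
    ftl.write(2, b"ENCRYPTED")
    ftl.trim(1)
    return ftl.versions(1)


if __name__ == "__main__":
    for cls in (BaselineFTL, RetainingFTL):
        print(cls.__name__, "after GC attack:  ", simulate_gc_attack(cls))
        print(cls.__name__, "after TRIM attack:", simulate_trim_attack(cls))
```

The baseline drive ends the garbage-collection attack with only the ciphertext for block 1 and ends the trimming attack with nothing; the retaining variant still returns the plaintext in both cases. The only change between the two classes is a hook on the erase path, which mirrors the article's point that the retention decision sits inside the drive, below a host OS the ransomware may already control. The timing attack is not modelled because it targets detection rather than retention.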
Researchers believe it is only a matter of time before attacks like these are used against computers and systems in everyday use.
"The SSD market is becoming larger than the HDD in the storage market," said Huang. "If we look at today's desktops and laptops, they have already used SSDs. We believe, because the ransomware authors, they want to increase the profits, eventually they are going to target these new storage devices."
Although the proof of concept showed that RSSD retains stale data for far longer than state-of-the-art approaches and recovers data quickly, the team says more work remains.
"We didn't discuss a concrete machine learning algorithm [for post-attack analysis in the cloud]. We leave this as future work," said Huang. "Another thing is real-time detection. We wouldn't have to wait until the cloud detects the [ransomware] patterns. If we can do it at the device level, the device will just stop working and tell you ransomware is attacking your data."