Christopher N. Gutierrez
Eugene H. Spafford
Saurabh Bagchi
Abstract
We demonstrate R2D2's ability to preserve files under destruction on a Windows 7 VM.R2D2 protects against modern Wiper Malware and secure delete methods.R2D2 improves prior work by isolating analysis/preservation from the protected system.R2D2 shows acceptable performance, suitable for the home user or office related tasks. Data destruction programs, such as Wiper Malware, cause substantial damage by overwriting critical digital assets on compromised machines, denying users access to computing resources. Our system, called R2D2, analyzes write buffers before they can reach a storage medium, determines if the write is destructive, and preserves the data under destruction. We interpose the inspection in the Virtual Machine Monitor (VMM) through a technique known as Virtual Machine Introspection (VMI). This has the benefit that it does not rely on the entire OS as a root of trust. We demonstrate the effectiveness of our prototype implementation by preserving data targeted for destruction by Wiper Malware such as Shamoon and Stonedrill, and a host of secure delete tools. We discover that R2D2 detects data destruction with high accuracy (99.8% true negative and true positive rates) and preserves critical data for all the Wiper Malware samples in the wild that we experimented with. While our prototype is not optimized for performance, we show that it is applicable for common user tasks in an office or home setting, with a latency increase of 1%4% and 9%20% to complete batch tasks and interactive tasks respectively. VMI accounts for 90.7%98.5% of the latency overhead and thus R2D2 incurs a small cost for environments already using VMI.
- bib0010 A. Bacs, C. Giuffrida, B. Grill, H. Bos, Slick: an intrusion detection system for virtualized storage devices, in: Proceedings of the 31st annual ACM Symposium on Applied Computing (SAC '16), ACM, New York, 2016, pp. 2033-2040. Google Scholar
Digital Library
- bib0015 K. Baumgartner, Sony/Destover: mystery North Korean actor's destructive and past network activity. https://securelist.com/destover/67985/Google Scholar
- bib0020 A. Continella, A. Guagnelli, G. Zingaro, G. De Pasquale, A. Barenghi, S. Zanero, ShieldFS: a self-healing, Ransomware-aware file system, in: Proceedings of the 32nd Annual Conference on Computer Security Applications (ACSAC '16), ACM, New York, 2016, pp. 336-347. Google ScholarDigital Library
- bib0025 B. Dolan-Gavitt, T. Leek, M. Zhivich, J. Giffin, W. Lee, Virtuoso: narrowing the semantic gap in virtual machine introspection, in: Security and Privacy (SP), 2011 IEEE symposium on, IEEE, 2011, pp. 297-312. Google ScholarDigital Library
- bib0030 Free Software Foundation, Inc, GNU Coreutils 11.6 shred: remove files more securely. https://www.gnu.org/software/coreutils/manual/html_node/shred-invocation.htmlGoogle Scholar
- bib0035 Futuremark Corporation, 2016 a. PCMark 8 technical guide, 2016.Google Scholar
- bib0040 S. Garfinkel, P. Farrell, V. Roussev, G. Dinolt, Bringing science to digital forensics with standardized forensic corpora, Digit Investig, 6 (2009) S2-11. Google ScholarDigital Library
- bib0045 T. Garfinkel, M. Rosenblum, A virtual machine introspection based architecture for intrusion detection, Proc Netw Distrib Syst Secur, 1 (2003) 253-285.Google Scholar
- bib0050 A. Goel, K. Po, K. Farhadi, Z. Li, E. de Lara, The Taser intrusion recovery system, in: Proceedings of the twentieth ACM Symposium on Operating Systems principles (SOSP '05), ACM, New York, 2005, pp. 163-176. Google ScholarDigital Library
- bib0055 P. Gutmann, Secure deletion of data from magnetic and solid-state memory, in: Proceedings of the 6th conference on USENIX Security Symposium, focusing on applications of cryptography (SSYM'96), vol. 6, USENIX Association, Berkeley (CA), 1996, pp. 8. Google ScholarDigital Library
- bib0060 A. Ivanov, O. Mamedov, ExPetr/Petya/NotPetya is a wiper, not ransomware. https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/Google Scholar
- bib0065 B. Jain, M.B. Baig, D. Zhang, D.E. Porter, R. Sion, SoK: introspections on trust and the semantic gap, in: 2014 IEEE symposium on security and privacy, 2014, pp. 605-620. Google ScholarDigital Library
- bib0070 X. Jiang, X. Wang, D. Xu, Stealthy malware detection through VMM-based out-of-the-box semantic view reconstruction, in: Proceedings of the 14th ACM conference on Computer and communications security, ACM, 2007, pp. 128-138. Google ScholarDigital Library
- bib0075 K. Kasumu, CrystalDiskMark. http://crystalmark.info/?lang=enGoogle Scholar
- bib0080 G.C. Kessler, File signatures table. http://www.garykessler.net/library/file_sigs.htmlGoogle Scholar
- bib0085 A. Kharaz, S. Arshad, C. Mulliner, W. Robertson, E. Kirda, UNVEIL: a large-scale, automated approach to detecting ransomware, in: 25th USENIX security symposium (USENIX security 16), USENIX Association, Austin (TX), 2016, pp. 757-772. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/kharazGoogle Scholar
- bib0090 J. Kong, Designing BSD rootkits, No Starch Press, San Francisco (CA), 2007. Google ScholarDigital Library
- bib0095 R. Konishi, Y. Amagai, K. Sato, H. Hifumi, S. Kihara, S. Moriai, The Linux implementation of a log-structured file system, SIGOPS Oper Syst Rev, 40 (2006) 102-107. Google ScholarDigital Library
- bib0100 W. Lee, B.D. Payne, M. Carbone, Secure and flexible monitoring of virtual machines, Comput Secur Appl Conf Ann (2007) 385-397.Google Scholar
- bib0105 T.K. Lengyel, Drakvuf. https://github.com/tklengyel/drakvufGoogle Scholar
- bib0110 T.K. Lengyel, S. Maresca, B.D. Payne, G.D. Webster, S. Vogl, A. Kiayias, Scalability, fidelity and stealth in the DRAKVUF Dynamic Malware Analysis System, in: Proceedings of the 30th annual computer security applications conference, 2014. Google ScholarDigital Library
- bib0115 J. Mankin, D. Kaeli, Dione: a flexible disk monitoring and analysis framework, Springer Berlin Heidelberg, Berlin, Heidelberg, 2012. Google ScholarDigital Library
- bib0120 D. McMillen, Wiper malware analysis research and intelligence report, 2014.Google Scholar
- bib0125 Microsoft Corporation, ZwWriteFile Routine. msdn.microsoft.com/en-us/library/windows/hardware/ff567121(v=vs.85).aspxGoogle Scholar
- bib0130 Microsoft Corporation, Naming files, paths, and namespaces. https://msdn.microsoft.com/en-us/library/windows/desktop/aa365247(v=vs.85).aspxGoogle Scholar
- bib0135 Microsoft Corporation, Driver signing. https://docs.microsoft.com/en-us/windows-hardware/drivers/install/driver-signingGoogle Scholar
- bib0140 D.B. Parker, Toward a new framework for information security?, John Wiley & Sons, Inc., 2012.Google Scholar
- bib0145 B. Payne, S. Maresca, T.K. Lengye, A. Saba, LibVMI. github.com/libvmi/libvmiGoogle Scholar
- bib0150 F. Pedregosa, G. Varoquaux, A. Gramfort, V. Michel, B. Thirion, O. Grisel, Scikit-learn: machine learning in python, J Mach Learn Res, 12 (2011) 2825-2830. http://dl.acm.org/citation.cfm?id=1953048.2078195 Google ScholarDigital Library
- bib0155 A.G. Pennington, J.L. Griffin, J.S. Bucy, J.D. Strunk, G.R. Ganger, Storage-based intrusion detection, ACM Trans Inf Syst Secur, 13 (2010) Article 30. Google ScholarDigital Library
- bib0160 N. Perloroth, In cyberattack on Saudi firm, U.S. sees Iran firing back. http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.htmlGoogle Scholar
- bib0165 E. Piper, Cyberattack hits 200,000 in at least 150 countries Europol. http://www.reuters.com/article/us-cyber-attack-europol-idUSKCN18A0FXGoogle Scholar
- bib0170 C. Raiu, M.A. Hasbini, S. Belov, S. Mineev, From Shamoon to Stonedrill Wipers attacking Saudi organizations and beyond. https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdfGoogle Scholar
- bib0175 A. Rukhin, J. Soto, J. Nechvatal, S. Miles, E. Barker, S. Leigh, A statistical test suite for random and pseudorandom number generators for cryptographic applications, National Institute of Standards and Technology, 2010.Google Scholar
- bib0180 M. Russinovich, SDelete. https://technet.microsoft.com/en-us/sysinternals/sdelete.aspxGoogle Scholar
- bib0185 T. Sammes, B. Jenkinson, Forensic computing: a practitioner's guide, Springer-Verlag, London (UK), 2000. Google ScholarDigital Library
- bib0190 N. Scaife, H. Carter, P. Traynor, K.R.B. Butler, CryptoLock (and drop it): stopping ransomware attacks on user data, in: 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), 2016, pp. 303-312.Google ScholarCross Ref
- bib0195 B. Schneier, Applied cryptography: protocols, algorithms, and source code in C, John Wiley & Sons, Inc., New York, 1996. Google ScholarDigital Library
- bib0200 F. Sinitsyn, TeslaCrypt 2.0 disguised as CryptoWall. https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/Google Scholar
- bib0205 A. Solomon, A brief history of PC viruses, Comput Fraud Secur Bullet, 12 (1993) 9-19.Google ScholarCross Ref
- bib0210 J.D. Strunk, G.R. Goodson, M.L. Scheinholtz, C.A.N. Soules, G.R. Ganger, Self-securing storage: protecting data in compromised system, in: Proceedings of the 4th conference on symposium on Operating System Design & Implementation (OSDI'00), vol. 4, USENIX Association, Berkeley (CA), 2000. http://dl.acm.org/citation.cfm?id=1251229.1251241 Google ScholarDigital Library
- bib0215 M. Suiche, Petya.2017 is a wiper not a ransomware, 2017.Google Scholar
- bib0220 R. Sun, D.E. Porter, D. Oliveira, M. Bishop, The case for less predictable operating system behavior, in: 15th workshop on Hot Topics in Operating Systems (HotOS XV), HotOS, 2015. https://www.usenix.org/conference/hotos15/workshop-program/presentation/sun Google ScholarDigital Library
- bib0225 D. Tarakanov, Shamoon the wiper: further details (part II). https://securelist.com/shamoon-the-wiper-further-details-part-ii/57784/Google Scholar
- bib0230 G. Trant, J. Low, D. van Lith, Eraser Appendix A: erasure methods. http://eraser.heidi.ie/appendix-a-erasure-methods/Google Scholar
- bib0235 Verizon Wireless, 2017 data breach investigations report, 2017.Google Scholar
- bib0240 A. Ziem, BleachBit clean your system and free disk space. https://www.bleachbit.org/Google Scholar
Index Terms
- Reactive redundancy for data destruction protection (R2D2)
Recommendations
Efficient VM Introspection in KVM and Performance Comparison with Xen
PRDC '14: Proceedings of the 2014 IEEE 20th Pacific Rim International Symposium on Dependable ComputingIntrusion detection system (IDS) offloading is useful for securely executing IDSes. It runs a target system in a virtual machine (VM) and enables IDSes to monitor the VM from the outside using VM introspection. Although VM introspection is well studied, ...
PSI-NetVisor: Program semantic aware intrusion detection at network and hypervisor layer in cloud
Soft computing and intelligent systems: Tools, techniques and applicationsCloud Security is of paramount importance in the new era of virtualization technology. Tenant Virtual Machine (VM) level security solutions can be easily evaded by modern attack techniques. Out-VM monitoring allows cloud administrator (CA) to monitor and ...
Virtual Machine Introspection
SIN '14: Proceedings of the 7th International Conference on Security of Information and NetworksDue to exposure to the Internet, virtual machines (VMs) as forms of delivering virtualized infrastructures and resources represent a first point-of-target for security attackers who want to gain access into the virtualization environment. In-VM ...
Comments