More Like this

1. Enabling per-file data recovery from ransomware attacks via file system forensics and flash translation layer data extraction

   https://doi.org/10.1186/s42400-024-00287-9  

   Dafoe, Josh; Chen, Niusen; Chen, Bo; Wang, Zhenlin (December 2024, Cybersecurity)

   Abstract Ransomware attacks are increasingly prevalent in recent years. Crypto-ransomware corrupts files on an infected device and demands a ransom to recover them. In computing devices using flash memory storage (e.g., SSD, MicroSD, etc.), existing designs recover the compromised data by extracting the entire raw flash memory image, restoring the entire external storage to a good prior state. This is feasible through taking advantage of the out-of-place updates feature implemented in the flash translation layer (FTL). However, due to the lack of “file” semantics in the FTL, such a solution does not allow a fine-grained data recovery in terms of files. Considering the file-centric nature of ransomware attacks, recovering the entire disk is mostly unnecessary. In particular, the user may just wish a speedy recovery of certain critical files after a ransomware attack. In this work, we have designed$$\textsf{FFRecovery}$$ $\mathrm{FFRecovery}$, a new ransomware defense strategy that can support fine-grained per file data recovery after the ransomware attack. Our key idea is that, to restore a file corrupted by the ransomware, we (1) restore its file system metadata via file system forensics, and (2) extract its file data via raw data extraction from the FTL, and (3) assemble the corresponding file system metadata and the file data. Another essential aspect of$$\textsf{FFRecovery}$$ $\mathrm{FFRecovery}$is that we add a garbage collection delay and freeze mechanism into the FTL so that no raw data will be lost prior to the recovery and, additionally, the raw data needed for the recovery can be always located. A prototype of$$\textsf{FFRecovery}$$ $\mathrm{FFRecovery}$has been developed and our experiments using real-world ransomware samples demonstrate the effectiveness of$$\textsf{FFRecovery}$$ $\mathrm{FFRecovery}$. We also demonstrate that$$\textsf{FFRecovery}$$ $\mathrm{FFRecovery}$has negligible storage cost and performance impact. 

   more » « less
2. Reversing File Access Control Using Disk Forensics on Low-Level Flash Memory

   https://doi.org/10.3390/jcp4040038  

   Rother, Caleb; Chen, Bo (October 2024, Journal of Cybersecurity and Privacy)

   In the history of access control, nearly every system designed has relied on the operating system (OS) to enforce the access control protocols. However, if the OS (and specifically root access) is compromised, there are few if any solutions that can get users back into their system efficiently. In this work, we have proposed a novel approach that allows secure and efficient rollback of file access control after an adversary compromises the OS and corrupts the access control metadata. Our key observation is that the underlying flash memory typically performs out-of-place updates. Taking advantage of this unique feature, we can extract the “stale data” specific for OS access control, by performing low-level disk forensics over the raw flash memory. This allows efficiently rolling back the OS access control to a state pre-dating the compromise. To justify the feasibility of the proposed approach, we have implemented it in a computing device using file system EXT2/EXT3 and open-sourced flash memory firmware OpenNFM. We also evaluated the potential impact of our design on the original system. Experimental results indicate that the performance of the affected drive is not significantly impacted. 

   more » « less
3. FileScale: Fast and Elastic Metadata Management for Distributed File Systems

   https://doi.org/10.1145/3620678.3624784  

   Liao, Gang; Abadi, Daniel J. (October 2023, SoCC '23: Proceedings of the 2023 ACM Symposium on Cloud Computing)

   File systems that store metadata on a single machine or via a shared-disk abstraction face scalability challenges, especially in contexts demanding the management of billions of files. Recent work has shown that employing shared-nothing, distributed database system (DDBMS) for metadata storage can alleviate these scalability challenges without compromising on high availability guarantees. However, for low-scale deployments -- where metadata can fit in memory on a single machine -- these DDBMS-based systems typically perform an order of magnitude worse than systems that store metadata in memory on a single machine. This has limited the impact of these distributed database approaches, since they are only currently applicable to file systems of extreme scale. This paper describes FileScale, a three-tier architecture that incorporates a DDBMS as part of a comprehensive approach to file system metadata management. In contrast to previous approaches, FileScale performs comparably to the single-machine architecture at a small scale, while enabling linear scalability as the file system metadata increases. 

   more » « less
4. Fast in-memory CRIU for docker containers

   https://doi.org/10.1145/3357526.3357542  

   Venkatesh, Ranjan Sarpangala; Smejkal, Till; Milojicic, Dejan S.; Gavrilovska, Ada (January 2019, MEMSYS '19: Proceedings of the International Symposium on Memory Systems)

   Server systems with large amounts of physical memory can benefit from using some of the available memory capacity for in-memory snapshots of the ongoing computations. In-memory snapshots are useful for services such as scaling of new workload instances, debugging, during scheduling, etc., which do not require snapshot persistence across node crashes/reboots. Since increasingly more frequently servers run containerized workloads, using technologies such as Docker, the snapshot, and the subsequent snapshot restore mechanisms, would be applied at granularity of containers. However, CRIU, the current approach to snapshot/restore containers, suffers from expensive filesystem write/read operations on image files containing memory pages, which dominate the runtime costs and impact the potential benefits of manipulating in-memory process state. In this paper, we demonstrate that these overheads can be eliminated by using MVAS -- kernel support for multiple independent virtual address spaces (VAS), designed specifically for machines with large memory capacities. The resulting VAS-CRIU stores application memory as a separate snapshot address space in DRAM and avoids costly file system operations. This accelerates the snapshot/restore of address spaces by two orders of magnitude, resulting in an overall reduction in snapshot time by up to 10× and restore time by up to 9×. We demonstrate the utility of VAS-CRIU for container management services such as fine-grained snapshot generation and container instance scaling. 

   more » « less
5. Data Recovery from “Scrubbed” NAND Flash Storage: Need for Analog Sanitization

   Hasan, Md; Ray, Biswajit (August 2020, 29th USENIX Security Symposium)

   null (Ed.)

   Digital sanitization of flash based non-volatile memory system is a well-researched topic. Since flash memory cell holds information in the analog threshold voltage, flash cell may hold the imprints of previously written data even after digital sanitization. In this paper, we show that data is partially or completely recoverable from the flash media sanitized with “scrubbing” based technique, which is a popular technique for page deletion in NAND flash. We find that adversary may utilize the data retention property of the memory cells for recovering the deleted data using standard digital interfaces with the memory. We demonstrate data recovery from commercial flash memory chip, sanitized with scrubbing, by using partial erase operation on the chip. Our results show that analog scrubbing is needed to securely delete information in flash system. We propose and implement analog scrubbing using partial program operation based on the file creation time information. 

   more » « less