Search for: All records

Ransomware attacks have become increasingly frequent and high-profile, resulting in billions of dollars in data and operational losses annually. Current mechanisms typically deploy defenses in vulnerable operating systems, making them susceptible to advanced adversaries capable of compromising the OS. While implementing defense mechanisms within storage devices can address this vulnerability, they lack detection accuracy due to their inability to access data semantics, such as file system metadata. Moreover, these methods only expose block-level interfaces without file-level information, limiting the usability and practicality of data recovery management. Therefore, we developSrFTL, a novel ransomware defense framework that allows leveraging data semantics for accurate ransomware detection and effective file-level data recovery against data compromise. Specifically, SrFTL employs defense enforcement within the flash translation layer (FTL) of SSDs. Then, SrFTL combines the secure enclave with the modified FTL through a secure channel to enable flexible ransomware defenses within the enclave. Finally, SrFTL deploys ransomware classification and data recovery defenses in the enclave, providing high detection accuracy and low-cost data recovery. Our evaluation demonstrates that SrFTL achieves zero false positives and negatives when detecting our collected real-world ransomware samples and benign applications, outperforming current FTL-level solutions (e.g., MimosaFTL). Moreover, SrFTL introduces on average a trivial performance overhead of 1.5% compared with a regular SSD. Finally, evaluating against multiple real-world ransomware samples, SrFTL enables fast data recovery with an average time of 9.3 seconds. SrFTL thus bridges the semantic gap between the FTL and OS-level file information to stop ransomware while maintaining the integrity and authenticity of employed defenses. 

In Voice Assistant (VA) platforms, when users add devices to their accounts and give voice commands, complex interactions occur between the devices, skills, VA clouds, and vendor clouds. These interactions are governed by the device management capabilities (DMC) of VA platforms, which rely on device names, types, and associated skills in the user account. Prior work studied vulnerabilities in specific VA components, such as hidden voice commands and bypassing skill vetting. However, the security and privacy implications of device management flaws have largely been unexplored. In this paper, we introduce DMC-Xplorer, a testing framework for the automated discovery of VA device management flaws. We first introduce VA description language (VDL), a new domain-specific language to create VA environments for testing, using VA and skill developer APIs. DMC-Xplorer then selects VA parameters (device names, types, vendors, actions, and skills) in a combinatorial approach and creates VA environments with VDL. It issues real voice commands to the environment via developer APIs and logs event traces. It validates the traces against three formal security properties that define the secure operation of VA platforms. Lastly, DMC-Xplorer identifies the root cause of property violations through intervention analysis to identify VA device management flaws. We exercised DMC-Xplorer on Amazon Alexa and Google Home and discovered two design flaws that can be exploited to launch four attacks. We show that malicious skills with default permissions can eavesdrop on privacy-sensitive device states, prevent users from controlling their devices, and disrupt the services on the VA cloud. 

Intent-based networking (IBN) offers advantages and opportunities compared with SDN, but IBN also poses new and unique security challenges that must be overcome.