One of the latest cyber threats involves hackers encrypting user files and then charging “ransom” to get them back.
In the paper, “Project Almanac: A Time-Traveling Solid State Drive,” University of Illinois students Chance Coats and Xiaohao Wang and Assistant Professor Jian Huang from the Coordinated Science Laboratory look at how they can use the commodity storage devices already in a computer, to save the files without having to pay the ransom.
“The paper explains how we leverage properties of flash-based storage that currently exist in most laptops, desktops, mobiles, and even IoT devices” said Coats, a graduate student in electrical and computer engineering (ECE).
“The motivation was a class of malware called ransomware, where hackers will take your files, encrypt them, delete the unencrypted files and then demand money to give the files back.”
The flash-based, solid-state drives Coats mentioned are part of the storage system in most computers.
When a file is modified on the computer, rather than getting rid of the old file version immediately, the solid-state drive saves the updated version to a new location.
Those old versions are the key to thwarting ransomware attacks.
If there is an attack, the tool discussed in the paper can be used to revert to a previous version of the file. The tool would also help in the case of a user accidentally deleting one of their own files.
Like any new tool, there is a trade-off.
“When you want to write new data, it has to be saved to a free block, or block that has already been erased,” said Coats.
“Normally a solid-state drive would delete old versions in an effort to erase blocks in advance, but because our drive is keeping the old versions intentionally, it may have to move the old versions before writing new ones.”
1.1 Technical Background on SSDs
Solid-state drives are widely used in various computing plat- forms as they provide orders-of-magnitude better perfor- mance than HDDs with a price that is approaching that of HDDs .
Rapidly shrinking process technology has also allowed us to boost SSD performance and capacity, accelerating their adoption in commodity systems.
An SSD has two major components, as shown in Figure 1: a set of flash memory chips, and an SSD controller. Each SSD has multiple channels, where each channel can inde- pendently receive and process read and write commands to flash chips. Within each chip, there are multiple planes. Each plane is further divided into multiple flash blocks, each of which consists of multiple flash pages.
Due to the nature of flash memory, SSDs can read and write only at page granularity. Furthermore, a write can only occur to a free page.
Once a free page is written, that page is no longer available for future writes until that page is first erased and its state reset to free. Unfortunately, the erase operation can be performed only at block (which has multiple pages) granularity, and it is time-consuming. Thus, a write operation is issued to a free page that has been erased
in advance (i.e., out-of-place write), rather than issuing an expensive erase operation for every write. Because of out-of- place writes, an SSD employs indirections for maintaining the logical-to-physical address mapping.
Out-of-place writes mean that each time a page is updated, the old version of the page is simply marked as invalid.
And garbage collection (GC) will be performed later to reclaim it.
The GC process runs once the number of free blocks is below a threshold in order to clean up invalid pages. The GC process will scan the SSD blocks, picking one candidate for cleaning. Then it will migrate any valid pages in the candidate block to a new free block, and when finished, it will erase the candidate block thereby freeing its pages for future writes. An SSD inherently preserves past storage states, which can be exploited to implement the time-travel property within firmware.
Since each block has limited lifetime, modern SSDs also have wear-leveling support to prolong SSD lifetime by evenly distributing write and erase to all blocks. To achieve wear- leveling, infrequently used block will be periodically moved so these blocks with low erase count can be used to reduce the stress of frequently erased blocks. The indirect mappings, wear-leveling and GC are all managed by the Flash Transla- tion Layer (FTL) in SSD firmware.
To handle the FTL, SSD controllers are usually equipped with embedded processors and RAM. The embedded proces- sors in SSD controllers help with issuing I/O requests, trans- lating logical addresses to physical addresses, and handling garbage collection and wear-leveling.
To exploit the massive parallelism of flash chips, the embedded processor may have multiple cores. For instance, the MEX SSD controller used in Samsung SSDs has a 3-core processor running at 400 MHz. The SSD controller has multiple channels and issues commands to perform I/O operations in different channels in parallel. These hardware components available in modern SSDs provide the essential resources to meet the requirements of Project Almanac.
Motivation Examples: Why TimeSSD
In this section, we will use several use cases to show the ben- efits of the hardware-isolated time-travel property provided
by TimeSSD, and explain how it can be leveraged to provide better security for flash-based storage systems.
Storage Security: Durability of user data is a major design concerns in secure storage systems. To achieve this, storage systems have developed techniques such as journal- ing and data backups for decades. However, they still suffer from malware attacks today. If malware man- ages to gain administrator privileges, it can execute kernel- level attacks to destroy both local and remote data backups. Take the WannaCry encryption ransomware for exam- ple. It quickly infected hundreds of thousands of computers across 150 countries in less than a week after it was launched in May 2017 .
Encryption ransomware like WannaCry destructively encrypts user files. To defend against this, prior work has proposed several detection approaches .
However, they kick in only after some data has already been encrypted. Furthermore, ransomware can use kernel priv- ileges to destroy backups .
Therefore, software-based approaches do not offer sufficient protection.
Hence, it is natural to turn to a hardware-assisted ap- proach. TimeSSD provides firmware-level time-travel prop- erty by retaining the past storage state in the storage de- vice. Therefore, TimeSSD can recover user data, even after it has been encrypted or deleted by malware.
The firmware-assisted approach adopted by TimeSSD has two advantages.
First, it makes the time-travel property firmware-isolated to malware.
Second, it has a much smaller TCB, compared to the OS kernel and other software-based approaches, and thus is less vulnerable to malware attacks.
Data Recovery in File Systems: An important functionality of file systems is to recover the system and user data upon system crashes and failures.
ver, journaling introduces a significant performance over- head, due to the extra write traffic.
TimeSSD transparently retains the lineage of the past stor- age states in SSDs.
As TimeSSD retains the history of both metadata (e.g., inode in file systems) and data for a window of time, it allows developer to roll back a storage system to a previous state (at a specific time in the past) with minimal software involvement.
Moreover, TimeSSD leverages the in- trinsic out-of-place write mechanism in SSDs to retain past storage state, avoiding the redundant writes generated by the software-based journaling approach.
Storage Forensics: Digital storage forensics have been widely used in both criminal law and private investigation, such as criminal identification and the detection of unautho- rized data modification .
Storage forensics need to recon- struct the original sequence of events that led to the incident.
However, it is challenging to collect trusted evidence and to reconstruct the history of events.
Due to insufficient evi- dence, incomplete recovery of events, or incomplete chronol- ogy of events, reconstruction of evidence may be incomplete or incorrect, which causes the failure of the investigation.
To make matters worse, existing storage forensics have little capability to mitigate an anti-forensics malware with OS kernel privilege.
TimeSSD provides trustworthy evidence for storage forensics softwares, even if malicious users try to destroy the evidence in the victim computer.
In contrast to forensics soft- ware that executes with the OS, TimeSSD leverages the time- travel property in the hardware-isolated firmware, which facilitates the collection and reasoning of trusted evidence for storage forensics.
Since TimeSSD is isolated from the OS, the evidence will be tamper-proof from malicious users.
Coats described this as a trade-off between retention duration and storage performance.
If the parameters of their new tool are set to maintain data for too long, old and unnecessary versions will be kept and take up space on the storage device.
As the device fills with old file versions, the system takes longer to respond to typical storage requests and performance degrades.
On the other hand, if the parameters are set to a retention window that is too narrow, users would have a quicker response time, but they may not have all of their backup files saved should a malware attack take place.
To manage this trade-off, Huang and his students built in functionality for the tool to monitor and adjust these parameters dynamically.
Despite the dynamic changes to system parameters, their tool guarantees data will be retained for at least three days.
This allows users the option to backup their data onto other systems within the guaranteed time-period if they choose to do so.
The idea behind their tool has gained interest at an international level.
The paper about this research was published at a top-tier system conference, EuroSys, this past spring. Coats represented the group at the conference.
“Our research group really enjoys building practical computer systems; this is a great practice for our students, they will experience how our research will generate real-world impact,” said Huang, an assistant professor of electrical and computer engineering at Illinois.
“Moving forward, our group will look at the possibility of retaining user data in a storage device for a much longer time with lower performance overhead, and applying the time-traveling solid-state drive to wider applications such as systems debugging and digital forensics.”
More information: Xiaohao Wang et al, Project Almanac, Proceedings of the Fourteenth EuroSys Conference 2019 CD-ROM on ZZZ – EuroSys ’19(2019). DOI: 10.1145/3302424.3303983
Provided by University of Illinois at Urbana-Champaign