
SGX-SSD: A Policy-based Versioning SSD with Intel SGX

Jinwoo Ahn, Seungjin Lee, Jinhoon Lee, Yungwoo Ko, Donghyun Min, Junghee Lee, Youngjae Kim Sogang University, Republic of Korea, Korea University, Republic of


  1. SGX-SSD: A Policy-based Versioning SSD with Intel SGX
     Jinwoo Ahn†, Seungjin Lee†, Jinhoon Lee†, Yungwoo Ko†, Donghyun Min†, Junghee Lee‡, Youngjae Kim†
     †Sogang University, Republic of Korea, ‡Korea University, Republic of Korea

  2. Motivation: Malware’s Data Tampering Attack
     Problem: data tampering attacks by Ring-0 level rootkit malware
     § It escalates privilege on the victim and compromises the software-based backup system.
     § It finds and destroys the victim's local or remote backup data.
     [Figure: Victim Server (Backup System, Ransomware, OS Kernel), Local Backup, and Remote Backup over Ethernet]

  3. Motivation: Malware’s Data Tampering Attack
     Existing solution: Versioning SSD [BVSSD, Systor 12], [Project Almanac, Eurosys 19]
     § A Versioning SSD implements the versioning system in SSD firmware.
     § The SSD firmware is isolated from the host server.
     § Even if the OS is compromised, it is impossible to destroy backup data. Backup data is safe from malware!
     [Figure: Victim Server (Backup System, Ransomware, OS Kernel) and BVSSD / Project Almanac (Versioning System)]

  4. Motivation: Integrity vulnerability of Versioning SSD
     A Versioning SSD preserves all file data for a fixed retention time (RT).
     § Space overhead increases sharply because all files are backed up regardless of their importance.
     § To free up space, the Versioning SSD aggressively erases old backup data in a way that limits RT.
     Dwell Time: the period that the malware stays undetected in the victim system.
     Integrity vulnerability occurs when: Malware Dwell Time (DT) > Versioning SSD Retention Time (RT)
     [Figure: timeline (3/3, 3/4, 3/7, 3/11) of versions V1 and V2 of secure.txt and temp.txt on a Versioning SSD with RT: 3 days and DT: 7 days; events: files are created, malware encrypts files, V1 is removed, recovery failed]

  5. Motivation: Integrity vulnerability of Versioning SSD
     Malware's average DT is longer than the RT of Versioning SSDs.
     § Project Almanac provides 3-56 days of RT depending on the workload’s write intensity.
     § However, more than 50% of malware has a DT of 60 days or more.
     Existing Versioning SSDs are vulnerable to attacks from at least 50% of malware.
     [Figure: bar chart of Dwell Time Dist. (%) against Dwell Time (days), with the range RT: 3-56 days marked]

  6. Motivation: Keeping deeper history for important files
     SGX-SSD: Policy-based per-file versioning SSD
     § Each file version is maintained according to a policy set by users.
     § We defined 3 types of policy a user can set.
     § SGX-SSD minimizes the space consumption for versions to keep deeper history for important files.

     File         Retention Time   Number of Versions   Backup Cycle
     foo.txt      RT: 3 days       #V: 5                BC: 30 days
     secure.txt   RT: 365 days     #V: INF              BC: 1 day
     temp.txt     RT: 0 days       #V: 0                BC: NULL

  7. Motivation: Keeping deeper history for important files
     SGX-SSD guarantees integrity from malware with long DT.
     § Malware DT: 7 days, RT of secure.txt: 30 days, RT of temp.txt: 0 days
     [Figure: timeline (3/3, 3/4, 3/11) of versions V1 and V2 of secure.txt and temp.txt on SGX-SSD; events: files are created, malware encrypts files, recovery success]

  8. Design Challenge: SGX-SSD
     Challenge 1: Secure Host Interface on Compromised OS
     § How can the policy request entered by a user be safely delivered to the SSD?
     [Figure: Host Server (User, Policy, OS Kernel), I/O Device, SGX-SSD]
     Challenge 2: Per-file versioning management by SSD
     § How can the SSD recognize the file semantics corresponding to each block?
     [Figure: App, File System, write(LBA, size), SGX-SSD; temp.txt (RT 0 days) and secure.txt (RT 30 days); "File? Data"]

  9. Summary
     § We defined the integrity vulnerability of the existing Versioning SSD.
     § To solve this, we proposed a per-file versioning implementation in SSD firmware.
     § By solving the aforementioned two challenges, the integrity of a file can be selectively guaranteed even if the OS is compromised.
     § Details of SGX-SSD can be found at https://arxiv.org/abs/2004.13354.

  10. SGX-SSD: A Policy-based Versioning SSD with Intel SGX Jinwoo Ahn jinu37@sogang.ac.kr
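
The recovery outcomes on slides 4 and 7, worked through as an added example (not code from the presentation or from SGX-SSD). It assumes that an overwritten version is reclaimed once it has been superseded for RT days, which matches the slide 4 timeline; the function names and the day-number timeline are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Version:
    written: int                      # day the version was written
    superseded: Optional[int] = None  # day it was overwritten; None = current

def surviving_versions(write_days, rt_days, today):
    """Versions still held by the device on `today`.

    Assumed model (not taken from the SGX-SSD firmware): an overwritten
    version is reclaimed once it has been superseded for rt_days; the
    current version is always kept.
    """
    versions = [Version(d) for d in sorted(write_days)]
    for old, new in zip(versions, versions[1:]):
        old.superseded = new.written
    return [v for v in versions
            if v.superseded is None or today - v.superseded < rt_days]

def recoverable(write_days, rt_days, infected_day, dwell_days):
    """True if a version written before the infection survives to detection."""
    detected = infected_day + dwell_days
    return any(v.written < infected_day
               for v in surviving_versions(write_days, rt_days, detected))

# Constructed timeline using the slides' dates as day numbers:
# V1 created on 3/3, V2 written by the malware on 3/4, detection on 3/11.
WRITES, INFECTED, DWELL = [3, 4], 4, 7

def scenario():
    files = ("secure.txt", "temp.txt")
    # Slide 4: one fixed RT of 3 days for every file.
    fixed = {f: recoverable(WRITES, 3, INFECTED, DWELL) for f in files}
    # Slide 7: per-file policy, RT 30 days for secure.txt and 0 for temp.txt.
    per_file_rt = {"secure.txt": 30, "temp.txt": 0}
    policy = {f: recoverable(WRITES, rt, INFECTED, DWELL)
              for f, rt in per_file_rt.items()}
    return fixed, policy

if __name__ == "__main__":
    fixed, policy = scenario()
    print("fixed RT=3d :", fixed)
    print("per-file RT :", policy)
```

With the fixed 3-day RT, V1 is reclaimed on day 7 and nothing clean remains at detection; with the per-file policy only secure.txt keeps its clean version.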
