DOI: 10.1145/3538643.3539749
Research article

Alohomora: protecting files from ransomware attacks using fine-grained I/O whitelisting

Published: 27 June 2022

Abstract

We propose a novel whitelist-based anti-ransomware solution called alohomora. Alohomora is based on our observation that an I/O activity of an application can be an effective abstraction level for managing I/O whitelisting. In alohomora, when a write request is sent to an SSD, its program context value (which is supported by a host CPU register) is passed to the SSD. The SSD checks if the request was pre-approved using the program context value, thus preventing ransomware from modifying files in the SSD. Our experimental results using a prototype alohomora system show that alohomora can achieve a strong security level against sophisticated ransomware attacks without degrading I/O performance.


Cited By

  • (2024) Ransomware Reloaded: Re-examining Its Trend, Research and Mitigation in the Era of Data Exfiltration. ACM Computing Surveys 57(1):1-40, 7 October 2024. DOI: 10.1145/3691340
  • (2023) ZenFS+: Nurturing Performance and Isolation to ZenFS. IEEE Access 11:26344-26357, 2023. DOI: 10.1109/ACCESS.2023.3257354

Published In

HotStorage '22: Proceedings of the 14th ACM Workshop on Hot Topics in Storage and File Systems
June 2022
141 pages
ISBN: 9781450393997
DOI: 10.1145/3538643

In-Cooperation: USENIX Assoc

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance Rates

HotStorage '22 paper acceptance rate: 19 of 47 submissions, 40%
Overall acceptance rate: 34 of 87 submissions, 39%
