'R2D2' stops disk-wipe malware before it executes evil commands

'Reactive Redundancy for Data Destruction Protection' stops the likes of Shamoon and Stonedrill before they hit 'erase'

Purdue University researchers reckon they've cracked how to protect data against “disk-wipe” malware.

Led by Christopher Gutierrez, the team has created a shim of software that analyses write buffers before they reach storage, and if the write is destructive, it steps in to preserve the data targeted for destruction.

Dubbed R2D2 – “Reactive Redundancy for Data Destruction Protection” – their work will be published in the May issue of the journal Computers & Security.

In this [PDF] pre-press version of the paper, the researchers explained their technique. The inspection is implemented in the virtual machine monitor (VMM) using virtual machine introspection (VMI).

“This has the benefit that it does not rely on the entire OS as a root of trust”, they wrote, and they claimed a latency penalty of between 1 and 4 per cent for batch tasks, and 9 to 20 per cent for interactive tasks.

'R2D2' architecture

Click to enlarge

The system has been tested against various secure delete tools and malware like Shamoon and Stonedrill, and they claim complete success against “all the wiper malware samples in the wild that we experimented with”.

R2D2 intercepts the open file and write file system calls on a guest VM. When it detects an open file request, it checks “all open system calls” to see if the file is already open for writing.

“If the system call requests a write permission, a policy determines if the file should be protected based on a blacklist or whitelist,” they wrote.

Whitelisted files are those not protected; if a blacklisted file is requested, “If the file is on the blacklist, we take a snapshot of the file system because the file is considered critical to system stability.”

If the attacker tries to open a file on neither list, “R2D2 takes a temporary checkpoint of the file system, and subsequent write system calls are analysed, according to analysis policy, to determine if the write is suspect”.

The pseudocode for the Open File VMI looks like this:

Algorithm 1 Open File VMI Pseudocode
if File is opened for writing then
if File is in Blacklist then
Create a Snapshot (Permanent)
else if File is in Whitelist then
Create Checkpoint (Temporary)
end if
end if

The “whitelist” of files that can be lost is to improve performance, they explained. For example, re-installing an operating system is irritating, but it's better than losing user data. ®

Similar topics

Other stories you might like

  • Boeing's Starliner capsule corroded due to high humidity levels, NASA explains, and the spaceship won't fly this year

    Meanwhile Elon's running orbital tourist trips and ISS crew missions

    Boeing’s CST-100 Starliner capsule, designed to carry astronauts to and from the International Space Station, will not fly until the first half of next year at the earliest, as the manufacturing giant continues to tackle an issue with the spacecraft’s valves.

    Things have not gone smoothly for Boeing. Its Starliner program has suffered numerous setbacks and delays. Just in August, a second unmanned test flight was scrapped after 13 of 24 valves in the spacecraft’s propulsion system jammed. In a briefing this week, Michelle Parker, chief engineer of space and launch at Boeing, shed more light on the errant components.

    Boeing believes the valves malfunctioned due to weather issues, we were told. Florida, home to NASA’s Kennedy Space Center where the Starliner is being assembled and tested, is known for hot, humid summers. Parker explained that the chemicals from the spacecraft’s oxidizer reacted with water condensation inside the valves to form nitric acid. The acidity corroded the valves, causing them to stick.

    Continue reading
  • Research finds consumer-grade IoT devices showing up... on corporate networks

    Considering the slack security of such kit, it's a perfect storm

    Increasing numbers of "non-business" Internet of Things devices are showing up inside corporate networks, Palo Alto Networks has warned, saying that smart lightbulbs and internet-connected pet feeders may not feature in organisations' threat models.

    According to Greg Day, VP and CSO EMEA of the US-based enterprise networking firm: "When you consider that the security controls in consumer IoT devices are minimal, so as not to increase the price, the lack of visibility coupled with increased remote working could lead to serious cybersecurity incidents."

    The company surveyed 1,900 IT decision-makers across 18 countries including the UK, US, Germany, the Netherlands and Australia, finding that just over three quarters (78 per cent) of them reported an increase in non-business IoT devices connected to their org's networks.

    Continue reading
  • Huawei appears to have quenched its thirst for power in favour of more efficient 5G

    Never mind the performance, man, think of the planet

    MBB Forum 2021 The "G" in 5G stands for Green, if the hours of keynotes at the Mobile Broadband Forum in Dubai are to be believed.

    Run by Huawei, the forum was a mixture of in-person event and talking heads over occasionally grainy video and kicked off with an admission by Ken Hu, rotating chairman of the Shenzhen-based electronics giant, that the adoption of 5G – with its promise of faster speeds, higher bandwidth and lower latency – was still quite low for some applications.

    Despite the dream five years ago, that the tech would link up everything, "we have not connected all things," Hu said.

    Continue reading

Biting the hand that feeds IT © 1998–2021