Reactive redundancy for data destruction protection (R2D2)
| Published in: | Computers & security 2018-05, Vol.74, p.184-201 |
|---|---|
| Main authors: | , , , |
| Format: | Article |
| Language: | eng |
| Subjects: | |
| Online access: | Full text |
Summary:

Highlights:
- We demonstrate R2D2's ability to preserve files under destruction on a Windows 7 VM.
- R2D2 protects against modern Wiper Malware and secure delete methods.
- R2D2 improves prior work by isolating analysis/preservation from the protected system.
- R2D2 shows acceptable performance, suitable for the home user or office-related tasks.

Abstract: Data destruction programs, such as Wiper Malware, cause substantial damage by overwriting critical digital assets on compromised machines, denying users access to computing resources. Our system, called R2D2, analyzes write buffers before they can reach a storage medium, determines if the write is destructive, and preserves the data under destruction. We interpose the inspection in the Virtual Machine Monitor (VMM) through a technique known as Virtual Machine Introspection (VMI). This has the benefit that it does not rely on the entire OS as a root of trust. We demonstrate the effectiveness of our prototype implementation by preserving data targeted for destruction by Wiper Malware such as Shamoon and Stonedrill, and a host of secure delete tools. We discover that R2D2 detects data destruction with high accuracy (99.8% true negative and true positive rates) and preserves critical data for all the Wiper Malware samples in the wild that we experimented with. While our prototype is not optimized for performance, we show that it is applicable for common user tasks in an office or home setting, with a latency increase of 1%–4% and 9%–20% to complete batch tasks and interactive tasks respectively. VMI accounts for 90.7%–98.5% of the latency overhead and thus R2D2 incurs a small cost for environments already using VMI.

| ISSN: | 0167-4048 1872-6208 |
|---|---|
| DOI: | 10.1016/j.cose.2017.12.012 |