666 research outputs found

    A Framework for Analyzing Advanced Malware and Software

    Vulnerabilities in software, whether they be malicious or benign, are a major concern in every sector. My research broadly focused on security testing of software, including malware. For the last few years, ransomware attacks have become increasingly prevalent with the growth of cryptocurrencies. The first part of my research presents a strategy to recover from ransomware attacks by backing up critical information in slack space. In this work, I designed RDS3, a novel ransomware defense strategy, in which we stealthily back up data in the spare space of a computing device, such that the data encrypted by ransomware can be restored. The key concept is that unused space can back up critical data, which is fully isolated from the system. In this way, no ransomware will be able to "touch" the backup data regardless of what privilege it is able to obtain. Next, my research focused on understanding ransomware from both structural and behavioral perspectives to design CRDETECTOR, a crypto-ransomware detector. Reverse engineering is performed on executables at different levels, such as raw binaries, assembly code, libraries, and function calls, to better analyze and interpret the purpose of code segments. In this work, I applied data-mining techniques to correlate multi-level code components (derived from the reverse engineering process) to find unique signatures to identify ransomware families. As part of security testing of software, I conducted research on InfiniBand (IB), which supports remote direct memory access without making two copies of data (one in user space and the other in kernel space) and thus provides very low latency and very high throughput. To this end, for many industries, IB has become a promising new interconnect protocol over Ethernet technologies, and ensuring its security is critical. To do this, the first step is to have a thorough understanding of the vulnerabilities of its current implementations, which is unfortunately still missing in the literature. While my extensive penetration testing could not find any significant security loopholes, there are certain aspects in both the design and the implementations that need to be addressed.

    PassSSD: A Ransomware-Prevention SSD Using Fine-Grained I/O Whitelisting

    Thesis (Master's) -- Seoul National University Graduate School: College of Engineering, Department of Computer Science and Engineering, 2021.8. Kim Jihong. In recent years, ransomware has drawn attention among cybersecurity experts as numerous new variants capable of evading antivirus and malware detection have appeared. Much ransomware targets SSD storage devices, which are widely adopted in data-centric applications, but the most widely used ransomware protection schemes today have limitations in performance and reliability. Therefore, this thesis proposes PassSSD, an SSD storage device that is secure in real time without compromising performance and reliability. PassSSD leverages I/O program context signatures, which capture the context in which a program performs I/O. The I/O program context signature is unique signature information for the moment an application accesses the storage device, and it is computed by hardware developed in this work. By passing this signature information to the FTL (Flash Translation Layer) inside the SSD, the storage device itself decides the access permission for the I/O an application is performing. PassSSD uses whitelisting inside the FTL. Whitelisting is a policy in which an administrator grants access to a particular service or resource only to pre-approved programs; accordingly, PassSSD permits disk access only for pre-registered I/O program contexts. That is, PassSSD checks the I/O program context signature attached to the I/O an application requests; if the signature is in the whitelist, access to data in the storage device is allowed, and otherwise it is denied. As a result, unauthorized I/O requests such as those from ransomware are denied and the data in the storage device is protected. Experimental results confirm that the FTL of PassSSD can guarantee performance and data reliability while executing only 1.9% additional instructions relative to the total instructions executed.
    In recent years, ransomware has been popular among cybersecurity experts because of the easy creation of new variants capable of bypassing anti-virus and anti-malware products. As ransomware is targeting SSD (Solid State Drive) storage, which is widely adopted in various emerging data-driven applications, modern storage systems are required to satisfy new requirements such as high security and protection. Therefore, it becomes crucial to develop new protection techniques that can properly address these new challenges. In this thesis, we propose protection techniques that enable secure real-time flash storage systems without compromising performance and reliability. Our techniques are motivated by the FTL (Flash Translation Layer) mechanism inside the SSD and a hardware-based PrC (program context) register. Application whitelisting mitigates ransomware attacks by specifying a list of pre-approved executable files allowed on a computer system, but this type of coarse-grained protection is vulnerable to control-flow hijacking attacks on the safe application's side. We propose PassSSD, a fine-grained I/O whitelisting scheme for a secure SSD using I/O (input/output) program contexts on the RISC-V architecture, implemented by modifying the FlashBench FTL. We grant access to input/output requests based on whitelisted PrCs (program contexts) residing in the FTL superblock. In PassSSD, the PrC is extracted dynamically in the ext4_write_end() function in inode.c at page granularity, where we attach a PrC signature to every write syscall and send a (PrC, data) tuple to the FlashBench FTL. In the FlashBench FTL, the PrC monitor unit checks the incoming PrC against the whitelist and allows the execution if the PrC is whitelisted. By employing efficient protection on the SSD, all unauthorized I/O requests are denied by the disk drive, and the logical page and its physical page are separated by exploiting the whitelisting technique. We implemented PassSSD on FlashBench to verify the effectiveness of the proposed schemes. Our experimental results show that PassSSD can achieve the same performance level as the baseline scheme (FlashBench) with only 1% bandwidth overhead, which is negligible.
    Contents:
    Chapter 1 Introduction: 1.1 Motivation; 1.2 Contributions; 1.3 Thesis Structure
    Chapter 2 Background: 2.1 Program Context; 2.2 Whitelisting; 2.3 Ransomware Protection; 2.3.1 SSD-Level Ransomware Defense; 2.4 Limitations of Existing Approaches
    Chapter 3 PassSSD: Design and Implementation: 3.1 PassSSD Overview; 3.2 Disk-level Access Control; 3.3 Threat Model: Ransomware Attacks; 3.3.1 Attacker Model; 3.4 Use Cases
    Chapter 4 Program Context: 4.1 Hardware-based PrC Register; 4.2 PrC (Program Context) Calculation; 4.3 PrC Uniqueness; 4.4 PrC Management Policy; 4.5 Page PrC Transfer and OS Support
    Chapter 5 Evaluation and Experiments: 5.1 Experimental Methodology; 5.2 Implementation Environment; 5.3 Experimental Results
    Chapter 6 Conclusions: 6.1 Summary; 6.2 Future Work
    Bibliography
    Abstract in Korean

    Ransomware: A New Era of Digital Terrorism

    This work entails the study of ten nasty ransomware samples to reveal the analytical similarities and differences among them, which will help in understanding the mindset of cyber crooks crawling over the dark net. It also reviews the traps used by ransomware for its distribution, while examining the new possibilities of its dispersal. It concludes by divulging the inter-relationship between various distribution approaches adopted by ransomware and some attentive measures to hinder ransomware, supporting alertness as the ultimate tool of defense in the user's hand.

    DECEPTION BASED TECHNIQUES AGAINST RANSOMWARES: A SYSTEMATIC REVIEW

    Ransomware is the most prevalent emerging business risk nowadays. It seriously affects business continuity and operations. According to the Deloitte Cyber Security Landscape 2022, up to 4000 ransomware attacks occur daily, while the average number of days an organization takes to identify a breach is 191. Sophisticated cyber-attacks such as ransomware typically must go through multiple consecutive phases (initial foothold, network propagation, and action on objectives) before accomplishing their final objective. This study analyzed decoy-based solutions as an approach (detection, prevention, or mitigation) to overcome ransomware. A systematic literature review was conducted, whose results show that deception-based techniques have given effective and significant performance against ransomware with minimal resources. It is also identified that, contrary to general belief, deception techniques mainly involved in passive approaches (i.e., prevention, detection) possess other active capabilities such as ransomware traceback and obstruction (thwarting), file decryption, and decryption key recovery. Based on the literature review, several evaluation methods are also analyzed to measure the effectiveness of these deception-based techniques during the implementation process.

    GuardFS: a File System for Integrated Detection and Mitigation of Linux-based Ransomware

    Although ransomware has received broad attention in media and research, this evolving threat vector still poses a systematic threat. Related literature has explored its detection using various approaches leveraging machine and deep learning. While these approaches are effective in detecting malware, they do not answer how to use this intelligence to protect against threats, raising concerns about their applicability in a hostile environment. Solutions that focus on mitigation rarely explore how to prevent, and not just alert on or halt, its execution, especially when considering Linux-based samples. This paper presents GuardFS, a file system-based approach to investigate the integration of detection and mitigation of ransomware. Using a bespoke overlay file system, data is extracted before files are accessed. Models trained on this data are used by three novel defense configurations that obfuscate, delay, or track access to the file system. The experiments on GuardFS test the configurations in a reactive setting. The results demonstrate that although data loss cannot be completely prevented, it can be significantly reduced. Usability and performance analysis demonstrate that the defense effectiveness of the configurations relates to their impact on resource consumption and usability.

    RanAware, analysis and detection of ransomware on Windows systems

    In recent years, the use of computers has increased significantly with the introduction of home-office policies caused by the pandemic. This growth has been accompanied by malware attacks, and ransomware in particular. Therefore, it is mandatory to have a system able to protect, to prevent, and to reduce the impact that this type of malware has on an organization. RanAware is a tool that performs early ransomware detection based on recording file system operations. This information allows RanAware to monitor activity on the file system and to collect and process statistics used to determine the presence of ransomware in the system. After detection, RanAware handles the termination and isolation of the malicious program as well as the creation of an activity report of the ransomware's operations. In addition, this project performs an evaluation of the impact that RanAware has on a system.