TEE-aided Write Protection Against Privileged Data Tampering

Unauthorized data alteration has been a longstanding threat since the emergence of malware. System and application software can be reinstalled and hardware can be replaced, but user data is priceless in many cases. Especially in recent years, ransomware has become high-impact due to its direct monetization model. State-of-the-art defenses are mostly based on known signature or behavior analysis, and more importantly, require an uncompromised OS kernel. However, malware with the highest software privileges has shown its obvious existence. We propose to move from current detection/recovery based mechanisms to data loss prevention, where the focus is on armoring data instead of counteracting malware. Our solution, Inuksuk, relies on today's Trusted Execution Environments (TEEs), as available both on the CPU and storage device, to achieve programmable write protection. We back up a copy of user-selected files as write-protected at all times, and subsequent updates are written as new versions securely through TEE. We implement Inuksuk on Windows 7 and 10, and Linux (Ubuntu); our core design is OS and application agnostic, and incurs no run-time performance penalty for applications. File transfer disruption can be eliminated or alleviated through access modes and customizable update policies (e.g., interval, granularity). For Inuksuk's adoptability in modern OSes, we have also ported Flicker (EuroSys 2008), a defacto standard tool for in-OS privileged TEE management, to the latest 64-bit Windows.

[1]  Weidong Shi,et al.  A comparison study of intel SGX and AMD memory encryption technology , 2018, HASP@ISCA.

[2]  Friedrich-Alexander,et al.  Self-Encrypting Disks pose Self-Decrypting Risks How to break Hardware-based Full Disk Encryption , 2013 .

[3]  B. Preneel,et al.  Analyzing trusted platform communication ? , 2005 .

[4]  Gil Neiger,et al.  Intel ® Virtualization Technology for Directed I/O , 2006 .

[5]  Gianluca Stringhini,et al.  PayBreak: Defense Against Cryptographic Ransomware , 2017, AsiaCCS.

[6]  Bernhard Kauer OSLO: Improving the Security of Trusted Computing , 2007, USENIX Security Symposium.

[7]  Johannes Winter,et al.  A hijacker's guide to communication interfaces of the trusted platform module , 2013, Comput. Math. Appl..

[8]  Rafal Wojtczuk,et al.  Another Way to Circumvent Intel ® Trusted Execution Technology , 2009 .

[9]  Patrick Traynor,et al.  CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data , 2016, 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS).

[10]  Leyla Bilge,et al.  Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks , 2015, DIMVA.

[11]  Peng Liu,et al.  FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware , 2017, CCS.

[12]  T. Mandt,et al.  Demystifying the Secure Enclave Processor , 2016 .

[13]  Bernard van Gastel,et al.  Self-Encrypting Deception: Weaknesses in the Encryption of Solid State Drives , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[14]  Thomas F. Wenisch,et al.  Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution , 2018, USENIX Security Symposium.

[15]  Michael K. Reiter,et al.  Flicker: an execution infrastructure for tcb minimization , 2008, Eurosys '08.

[16]  Moti Yung,et al.  Cryptovirology: extortion-based security threats and countermeasures , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[17]  Gunnar Alendal,et al.  got HW crypto? On the (in)security of a Self-Encrypting Drive series , 2015, IACR Cryptol. ePrint Arch..

[18]  Felix C. Freiling,et al.  Stark - Tamperproof Authentication to Resist Keylogging , 2013, Financial Cryptography.

[19]  Engin Kirda,et al.  Redemption: Real-Time Protection Against Ransomware at End-Hosts , 2017, RAID.

[20]  Johannes Götzfried,et al.  Cache Attacks on Intel SGX , 2017, EUROSEC.

[21]  Craig A. N. Soules,et al.  Self-securing storage: protecting data in compromised systems , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[22]  Aron Laszka,et al.  On the Economics of Ransomware , 2017, GameSec.

[23]  Alessandro Barenghi,et al.  ShieldFS: a self-healing, ransomware-aware filesystem , 2016, ACSAC.

[24]  Evan R. Sparks A Security Assessment of Trusted Platform Modules , 2007 .

[25]  Damon McCoy,et al.  Tracking Ransomware End-to-end , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[26]  Moti Yung,et al.  Cryptovirology , 2017, Commun. ACM.

[27]  Engin Kirda,et al.  UNVEIL: A large-scale, automated approach to detecting ransomware (keynote) , 2016, SANER.

[28]  Vashek Matyas,et al.  The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli , 2017, CCS.

[29]  Christof Fetzer,et al.  Pesos: policy enhanced secure object store , 2018, EuroSys.

[30]  Marcus Peinado,et al.  Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing , 2016, USENIX Security Symposium.

[31]  Andrew Woodward BitLocker - the end of digital forensics? , 2006 .

[32]  William Stallings Format-preserving encryption: Overview and NIST specification , 2017, Cryptologia.

[33]  Da-Yu Kao,et al.  Rational Choice Observation of Malware Authors in Taiwan , 2014, PAISI.

[34]  Patrick D. McDaniel,et al.  Rootkit-resistant disks , 2008, CCS.