Reversing File Access Control Using Disk Forensics on Low-Level Flash Memory
Figure 1. A general layout of an EXT partition.
Figure 2. The layers used in operation of a filesystem and FTL.
Figure 3. An example of the PMT table.
Figure 4. Example of rolling back changes to a page.
Figure 5. The time needed for rollback (EXT2).
Figure 6. The time needed for rollback (EXT3).
Abstract
1. Introduction
- We have developed , the pioneering access control recovery scheme capable of restoring access control metadata after the eviction of an adversary that has compromised the operating system.
- ensures recoverability of the access control metadata in the OS by (1) leveraging the out-of-place update implementation in the FTL, and (2) performing low-level disk forensics over the raw NAND flash.
- We have implemented a prototype of when deploying EXT2/EXT3 as the filesystem. Experimental evaluation demonstrates that can efficiently roll back the access control metadata, with a small impact on the performance of the equipped flash memory storage.
2. General Background
2.1. File Metadata
2.2. Filesystem
2.3. Master Boot Record
2.4. Access Control List
- Keeping the ACL in dedicated files and consulting those files whenever another file is accessed.
- Spreading the ACL across the metadata of the individual files, and reading a file's own metadata when that file is accessed.
2.5. Flash Memory
2.6. Flash Translation Layer (FTL)
3. Related Work
4. Models and Assumptions
5.
5.1. Main Design of
5.1.1. Setup
5.1.2. Monitoring
Algorithm 1 FTL_Write(pageaddress addr, byte data) /* Write data to logical page addr */
5.1.3. Rollback
Algorithm 2 Rollback() /* roll back all recent access control changes */
5.2. Implementing in EXT Filesystems
5.2.1. EXT: Challenges
- How large is an inode group, in pages? Inode groups are where the access control data lives, so the monitor needs this size, and it needs it in pages: tracking each group as a page range avoids caching every page that contains an inode, which would cost a large amount of memory, and it lets the monitoring phase decide quickly whether a written page contains inodes at all.
- How many inode groups does the filesystem have? The cache must be sized exactly before it is initialized, since internal memory on a device of this kind has to be kept to a minimum, and the size of a group multiplied by the number of groups gives that figure. The count is normally small (under 100), so a well-handled cache stays small as well.
- Where on the drive is each inode group stored? Access control data cannot be tracked without knowing where it is. Groups are spread across the drive, and each group's descriptor has to be read to find the location of its inode table. The descriptors sit immediately after the superblock, as described in Section 2.2, and the inode table location is one of the first fields of each descriptor. The locations must be held in ascending order so that the monitoring phase can binary-search the cache; since block groups are laid out in ascending order, no sorting is needed after the setup phase for that order to hold.
5.2.2. EXT: Setup
- The size of a filesystem "block" (unrelated to the flash term used in Section 2.5), derived from the 4-byte field at byte 24. The field holds log2(block size / 1024), so the block size is 1024 shifted left by that value; it is used only to convert figures gathered from the superblock into page addresses the FTL can use. All byte offsets here are relative to the superblock, which begins 1024 bytes into the partition.
- The number of inodes in an inode group, the 4-byte field at byte 40. Used when computing the size of an inode group.
- The total number of inodes in the filesystem, the 4-byte field at byte 0. Used to compute the number of inode groups, which the cache initialization needs.
- The number of inodes in a page, given as page_size/inode_size. Used when computing how many pages an inode group occupies. The inode size is 128 bytes for a revision-0 filesystem and is otherwise read from the 2-byte field at byte 88.
- The number of inode groups, given as total_num_inodes/inodes_per_group, rounded up. This sizes the cache.
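The setup steps above, carried through as an added example in C that is not code from the paper or its prototype: it parses a constructed in-memory EXT2 partition image using the superblock offsets just listed, derives block size, inode size and group count, reads the inode table location from each block-group descriptor, converts the inode tables into ascending logical page ranges, and performs the binary search that the monitoring phase relies on. The 2 KiB flash page size, the 4 KiB image and its block layout, and the partition's starting page are assumptions made for the example; the superblock and descriptor offsets are those of the on-disk ext2 format.

```c
/* Added example, not code from the paper: the Setup step for an EXT2/EXT3
 * partition as an FTL would see it. The partition image is constructed below. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   2048u        /* assumed flash page size */
#define MAX_GROUPS  128          /* cache capacity; the paper notes <100 groups is typical */
#define EXT2_MAGIC  0xEF53

/* superblock: 1024 bytes into the partition; field offsets within it (ext2 format) */
enum { SB_OFF = 1024, SB_INODES_COUNT = 0, SB_LOG_BLOCK_SIZE = 24,
       SB_INODES_PER_GROUP = 40, SB_MAGIC = 56, SB_REV_LEVEL = 76, SB_INODE_SIZE = 88 };
/* block-group descriptor: 32 bytes each, bg_inode_table at offset 8 */
enum { BGD_SIZE = 32, BGD_INODE_TABLE = 8 };

typedef struct { uint32_t first_page, last_page; } page_range;
typedef struct {
    uint32_t block_size, inode_size, inodes_per_group, group_count;
    page_range itab[MAX_GROUPS];   /* ascending by page, one per block group */
} ext_layout;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Setup(initialPage) analogue. img holds the first bytes of a partition that
 * starts at logical page first_page. Returns the group count, or -1 when the
 * superblock is absent or implausible: the OS wrote these bytes, so the FTL
 * validates them instead of trusting them. */
int ext_setup(const uint8_t *img, size_t img_len, uint32_t first_page, ext_layout *l) {
    if (img_len < SB_OFF + 1024) return -1;
    const uint8_t *sb = img + SB_OFF;
    if (le16(sb + SB_MAGIC) != EXT2_MAGIC) return -1;
    uint32_t log_bs = le32(sb + SB_LOG_BLOCK_SIZE);
    if (log_bs > 6) return -1;                         /* 1 KiB .. 64 KiB blocks */
    l->block_size = 1024u << log_bs;                   /* field stores log2(size/1024) */
    l->inodes_per_group = le32(sb + SB_INODES_PER_GROUP);
    uint32_t inodes_count = le32(sb + SB_INODES_COUNT);
    l->inode_size = le32(sb + SB_REV_LEVEL) == 0 ? 128 : le16(sb + SB_INODE_SIZE);
    if (!l->inodes_per_group || l->inode_size < 128 || l->inode_size > l->block_size) return -1;
    l->group_count = (inodes_count + l->inodes_per_group - 1) / l->inodes_per_group;
    if (l->group_count == 0 || l->group_count > MAX_GROUPS) return -1;

    /* the descriptor table occupies the block after the superblock */
    size_t gdt = (l->block_size == 1024) ? 2048 : l->block_size;
    if (gdt + (size_t)l->group_count * BGD_SIZE > img_len) return -1;
    uint64_t itab_bytes = (uint64_t)l->inodes_per_group * l->inode_size;
    for (uint32_t g = 0; g < l->group_count; g++) {
        uint64_t start = (uint64_t)le32(img + gdt + g * BGD_SIZE + BGD_INODE_TABLE) * l->block_size;
        l->itab[g].first_page = first_page + (uint32_t)(start / PAGE_SIZE);
        l->itab[g].last_page  = first_page + (uint32_t)((start + itab_bytes - 1) / PAGE_SIZE);
        if (g && l->itab[g].first_page <= l->itab[g - 1].last_page) return -1; /* must ascend */
    }
    return (int)l->group_count;
}

/* Monitoring check: binary search over the sorted ranges. Returns the group whose
 * inode table contains logical page `page`, or -1 if the write needs no tracking. */
int ext_page_holds_inodes(const ext_layout *l, uint32_t page) {
    int lo = 0, hi = (int)l->group_count - 1;
    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        if (page < l->itab[mid].first_page) hi = mid - 1;
        else if (page > l->itab[mid].last_page) lo = mid + 1;
        else return mid;
    }
    return -1;
}

/* Constructed 4 KiB image: 1 KiB blocks, 256 inodes of 128 bytes in two groups
 * of 8192 blocks, inode tables at blocks 5 and 8197; partition starts at page 100. */
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint8_t demo_img[4096];
static ext_layout demo_layout;
static int demo_groups = -2;                          /* -2: setup not run yet */
static int demo_setup(void) {
    if (demo_groups != -2) return demo_groups;
    uint8_t *sb = demo_img + SB_OFF;
    put32(sb + SB_INODES_COUNT, 256);    put32(sb + SB_LOG_BLOCK_SIZE, 0);
    put32(sb + SB_INODES_PER_GROUP, 128); put32(sb + SB_REV_LEVEL, 1);
    sb[SB_MAGIC] = 0x53; sb[SB_MAGIC + 1] = 0xEF; sb[SB_INODE_SIZE] = 128;
    put32(demo_img + 2048 + 0 * BGD_SIZE + BGD_INODE_TABLE, 5);
    put32(demo_img + 2048 + 1 * BGD_SIZE + BGD_INODE_TABLE, 8197);
    demo_groups = ext_setup(demo_img, sizeof demo_img, 100, &demo_layout);
    return demo_groups;
}
int demo_group_count(void) { return demo_setup(); }
uint32_t demo_first_page(int g) { demo_setup(); return demo_layout.itab[g].first_page; }
uint32_t demo_last_page(int g)  { demo_setup(); return demo_layout.itab[g].last_page; }
int demo_is_inode_page(uint32_t page) { demo_setup(); return ext_page_holds_inodes(&demo_layout, page); }

int main(void) {
    int n = demo_group_count();
    printf("%d inode groups, block size %u, inode size %u\n", n,
           (unsigned)demo_layout.block_size, (unsigned)demo_layout.inode_size);
    for (int g = 0; g < n; g++)
        printf("group %d: inode table in logical pages %u..%u\n", g,
               (unsigned)demo_first_page(g), (unsigned)demo_last_page(g));
    printf("page 105 -> group %d, page 111 -> group %d\n", demo_is_inode_page(105), demo_is_inode_page(111));
    return 0;
}
```

The cache holds one page range per group rather than one entry per inode page, which is what keeps it small on a device with limited RAM, and the ascending-order check in `ext_setup` is what makes the binary search in the write path sound. Each range is a page range in the FTL's address space, not a block range, because the monitor is invoked per logical page write.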
5.2.3. EXT: Monitoring
Algorithm 3 Setup(initialPage) /* Read EXT data from a partition starting at initialPage */
5.2.4. EXT: Rollback
Algorithm 4 Rollback() /* Take our cache of pages and revert access control changes */
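An added illustration of the write-monitoring and rollback idea behind Algorithms 1, 2 and 4, written for this page and not taken from the paper, whose algorithm bodies are not reproduced here. A toy FTL keeps a page mapping table; a write to a page that Setup marked as holding inodes keeps its pre-image (the old physical page, still intact thanks to out-of-place updates) in a rollback queue. Rollback then compares the ext2 access-control fields of every inode (i_mode, i_uid, i_gid, i_file_acl) in the pre-image against the current page, drops candidates where nothing changed, which is the byte-specific check Section 7 discusses, and splices the old fields back into the page. The page size, inode size, page counts and the attack scenario are constructed assumptions; the inode field offsets are those of the ext2 format.

```c
/* Added illustration, not code from the paper: a toy FTL with a page mapping
 * table (PMT). Writes to monitored inode pages keep their pre-image queued;
 * Rollback checks access-control bytes before it touches anything. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE  512                    /* assumed flash page size */
#define INODE_SIZE 128                    /* ext2 revision-0 inode size */
#define IPP        (PAGE_SIZE / INODE_SIZE)
#define NLOG       4                      /* logical pages exposed to the OS */
#define NPHYS      16                     /* physical pages in the toy flash */
#define QLEN       16                     /* rollback queue capacity */
/* ext2 inode byte offsets: access-control fields, plus i_size as a non-ACL decoy */
enum { I_MODE = 0, I_UID = 2, I_SIZE = 4, I_GID = 24, I_FILE_ACL = 104 };

typedef struct { int lpage, old_ppage; } rb_entry;
typedef struct {
    uint8_t  flash[NPHYS][PAGE_SIZE];
    int      pmt[NLOG], next_free;        /* logical -> physical (-1 if unmapped); append allocator */
    uint8_t  monitored[NLOG];             /* 1 if Setup found an inode table in this page */
    rb_entry queue[QLEN]; int qlen;       /* pre-images of writes to monitored pages */
} ftl_t;

void ftl_init(ftl_t *f, const uint8_t monitored[NLOG]) {
    memset(f, 0, sizeof *f);
    for (int i = 0; i < NLOG; i++) { f->pmt[i] = -1; f->monitored[i] = monitored[i]; }
}
static int program_page(ftl_t *f, int lpage, const uint8_t *data) {  /* out-of-place update */
    if (f->next_free >= NPHYS) return -1;                /* a real FTL would garbage-collect */
    memcpy(f->flash[f->next_free], data, PAGE_SIZE);
    return f->pmt[lpage] = f->next_free++;
}
/* FTL_Write analogue: a monitored page's old physical page is queued, not invalidated. */
int ftl_write(ftl_t *f, int lpage, const uint8_t *data) {
    if (lpage < 0 || lpage >= NLOG) return -1;
    int old = f->pmt[lpage], track = old >= 0 && f->monitored[lpage];
    if (track && f->qlen == QLEN) return -2;             /* queue full: roll back or flush first */
    if (program_page(f, lpage, data) < 0) return -1;
    if (track) f->queue[f->qlen++] = (rb_entry){ lpage, old };
    return 0;
}
/* Copy inode i's access-control fields from src into dst; returns 1 if any differed. */
static int splice_acl(uint8_t *dst, const uint8_t *src, int i) {
    static const struct { int off, len; } fld[] = {{I_MODE,2},{I_UID,2},{I_GID,2},{I_FILE_ACL,4}};
    int diff = 0;
    for (size_t k = 0; k < sizeof fld / sizeof fld[0]; k++) {
        uint8_t *d = dst + i * INODE_SIZE + fld[k].off;
        const uint8_t *s = src + i * INODE_SIZE + fld[k].off;
        if (memcmp(d, s, (size_t)fld[k].len)) { diff = 1; memcpy(d, s, (size_t)fld[k].len); }
    }
    return diff;
}
/* Rollback analogue: unwind the queue newest-first. A pre-image whose access-control
 * bytes match the current page is a false positive and is dropped; otherwise the
 * current page is rewritten with the old fields spliced in, so unrelated updates
 * (sizes, timestamps, block pointers) survive. Returns pages restored, or -1 on full flash. */
int ftl_rollback(ftl_t *f) {
    int restored = 0;
    while (f->qlen > 0) {
        rb_entry e = f->queue[--f->qlen];
        uint8_t fixed[PAGE_SIZE];
        memcpy(fixed, f->flash[f->pmt[e.lpage]], PAGE_SIZE);
        int changed = 0;
        for (int i = 0; i < IPP; i++) changed |= splice_acl(fixed, f->flash[e.old_ppage], i);
        if (!changed) continue;
        if (program_page(f, e.lpage, fixed) < 0) return -1;
        restored++;
    }
    return restored;
}

/* Constructed scenario: logical page 2 holds four inodes owned by uid 1000. An OS-level
 * attacker makes inode 1 a setuid-root executable and chowns inode 3 to root; a later
 * benign write only changes inode 0's size. Little-endian helpers match the on-disk format. */
static void put_le(uint8_t *p, uint32_t v, int n) { for (int k = 0; k < n; k++) p[k] = (uint8_t)(v >> 8 * k); }
static uint32_t get_le(const uint8_t *p, int n) { uint32_t v = 0; while (n-- > 0) v = v << 8 | p[n]; return v; }
static void set_inode(uint8_t *pg, int i, uint16_t mode, uint16_t uid, uint16_t gid, uint32_t size) {
    uint8_t *in = pg + i * INODE_SIZE;
    put_le(in + I_MODE, mode, 2); put_le(in + I_UID, uid, 2); put_le(in + I_GID, gid, 2); put_le(in + I_SIZE, size, 4);
}
static ftl_t demo; static int demo_ran;
int demo_attack_and_rollback(void) {
    static const uint8_t monitored[NLOG] = { 0, 0, 1, 1 };
    uint8_t pg[PAGE_SIZE] = { 0 };
    ftl_init(&demo, monitored);
    for (int i = 0; i < IPP; i++) set_inode(pg, i, 0x81A4 /* 0100644 */, 1000, 1000, 100);
    ftl_write(&demo, 2, pg);                               /* clean state: no pre-image, nothing queued */
    set_inode(pg, 1, 0x89ED /* 0104755 */, 0, 0, 100);     /* attacker: setuid root */
    set_inode(pg, 3, 0x81A4, 0, 1000, 100);                /* attacker: chown root */
    ftl_write(&demo, 2, pg);                               /* pre-image p0 queued */
    set_inode(pg, 0, 0x81A4, 1000, 1000, 4096);            /* benign: size only */
    ftl_write(&demo, 2, pg);                               /* pre-image p1 queued (false positive) */
    memset(pg, 0xAA, PAGE_SIZE); ftl_write(&demo, 0, pg);  /* unmonitored data page, never queued */
    demo_ran = 1;
    return ftl_rollback(&demo);
}
/* Field (off, n bytes) of inode i in logical page 2 after the scenario has run. */
uint32_t demo_inode_field(int i, int off, int n) {
    if (!demo_ran) demo_attack_and_rollback();
    return get_le(demo.flash[demo.pmt[2]] + i * INODE_SIZE + off, n);
}
int main(void) {
    printf("restored %d page(s)\n", demo_attack_and_rollback());
    for (int i = 0; i < IPP; i++)
        printf("inode %d: mode %06o uid %u size %u\n", i, (unsigned)demo_inode_field(i, I_MODE, 2),
               (unsigned)demo_inode_field(i, I_UID, 2), (unsigned)demo_inode_field(i, I_SIZE, 4));
    return 0;
}
```

In the scenario the second queued pre-image is identical in its access-control bytes to the current page and is discarded, while the first restores the mode, owner and group of inodes 1 and 3; inode 0's benign size change survives because only the listed fields are spliced. The design point a real FTL has to honour is that a pre-image is only recoverable while its physical page has not been erased, so queued pages must be exempt from garbage collection until they are rolled back or retired, which is the cache-space cost that byte-specific monitoring (Section 7) would reduce.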
6. Experimental Evaluation
6.1. Experimental Setup
- Throughput, particularly write throughput. Monitoring sits directly on the drive's write path, so a throughput test is needed to check whether the system noticeably degrades usability.
- Time to roll back. It is useful to know how long a rollback queue of a given size takes to revert to its original state; this gives a sense of the cost of the rollback operation.
6.2. Experimental Results
7. Discussion
- Boot-proofing. As discussed in the previous section, the system must be made boot-proof. Once it is, several attacks against the scheme no longer apply, because the state of the system can simply be recovered after a reboot. Until then, a reboot clears the cache, which may prevent some changes from being rolled back.
- Byte-specific monitoring. The current system defers byte-specific checks to the rollback phase, but in principle they could be performed during monitoring. That would save a large amount of cache space, since false positives (writes to inode pages that change no access control bytes) would never be queued. An efficient way to do this has yet to be found.
- Automatic setup. At present the setup operation is triggered by a command from the user. It may, however, be possible for the FTL to detect the specific write pattern produced when a partition is created on the drive. More work is needed to confirm or rule out this possibility.
8. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
Abbreviations

| Abbreviation | Meaning |
|---|---|
| ACL | Access Control List |
| CAN | Controller Area Network |
| ECU | Electronic Control Unit |
| EXT | EXTended file system |
| FAT | File Allocation Table |
| FTL | Flash Translation Layer |
| GPT | GUID Partition Table |
| NTFS | New Technology File System |
| Type | Unmodified | Modified |
|---|---|---|
| Seq-Read | 1450 kB/s | 1454 kB/s |
| Rand-Read | 1022 kB/s | 1029 kB/s |
| Seq-Write | 912 kB/s | 880 kB/s |
| Rand-Write | 788 kB/s | 773 kB/s |

| Type | Unmodified | Modified |
|---|---|---|
| Seq-Read | 1464 kB/s | 1456 kB/s |
| Rand-Read | 1054 kB/s | 1052 kB/s |
| Seq-Write | 1291 kB/s | 1218 kB/s |
| Rand-Write | 845 kB/s | 827 kB/s |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Rother, C.; Chen, B. Reversing File Access Control Using Disk Forensics on Low-Level Flash Memory. J. Cybersecur. Priv. 2024, 4, 805-822. https://doi.org/10.3390/jcp4040038