Korean researchers have developed a series of attacks against SSDs (solid-state drives) that place malware out of reach of the user and security solutions. Applicable to drives with flexible capacity specifications, these attacks target a hidden area in the device called over-provisioning, which is commonly used by SSD manufacturers these days for performance optimization in NAND flash-based storage systems.
How does malware that settles on SSD work?
These attacks, which take place at the hardware level, take place in a very secret way and are permanent. Flexible capacity uses a feature found in SSDs from Micron Technology that allows storage devices to automatically adjust the size of raw and user-allocated space for better performance by absorbing write workload volumes.
This process, called over-provisioning, is a dynamic system that creates and adjusts a buffer that typically takes between 7% and 25% of the total disk capacity. It becomes invisible to the operating system and applications running on it, including security solutions and anti-virus tools. The SSD manager automatically adjusts this space for workloads based on write or read intensity.
How is SSD attack done?
An attack modeled by researchers at Korea University in Seoul simulated the attack by targeting an invalid data area containing undeleted information, the size of which depends on the two, located between the available SSD space and the Over-provisioning (OP) area. The resulting research paper revealed that a hacker could use the firmware manager to change the size of the OP space, thereby creating an exploitable invalid data space.
The problem here is that many SSD manufacturers choose not to delete the invalid data field to save resources. This area remains full of data for long periods of time, assuming that disconnecting the mapping table is sufficient to prevent unauthorized access. A malware that exploits this vulnerability could gain access to potentially sensitive information.
The researchers note that activities in NAND flash memory can reveal data that hasn’t been deleted for more than six months. In a second attack model, the OP domain can be used as a secret place where a threat actor can hide malware, which users cannot track or delete.
To simplify the explanation, it is assumed that two storage devices SSD1 and SSD2 are connected to one channel. Each storage device has 50% OP space. After the hacker stores the malware on SSD2, it immediately reduces SSD1’s OP space to 25% and expands SSD2’s OP space to 75%.
The software code is included in the hidden area of SSD2. A hacker gaining access to the SSD can resize the OP space and activate embedded malware code at any time. Since normal users have 100 percent user space in the channel, it will not be easy to detect such malicious behavior of hackers.
How can we take action?
As a defense against the first type of attack, the researchers suggest that SSD manufacturers wipe the OP domain with a pseudo-erase algorithm that won’t affect real-time performance. Because the obvious advantage of such an attack is that it’s stealth. Detecting malicious code in OP domains is not only time consuming but also requires highly specialized forensic techniques.
For the second type of attack, a potentially effective security measure against injecting malware into the OP domain is to implement valid-invalid data rate monitoring systems that monitor the rate inside SSDs in real time. When the invalid data rate suddenly increases significantly, the user may receive a warning and a verifiable data deletion function option in the OP area.
Finally, the SSD management application must have strong defenses against unauthorized access. In a statement on the subject, the researchers said:
Even if you are not a malicious hacker, a misguided employee can easily release and leak confidential information at any time using the OP domain variable software.
What do you think about this subject? Don’t forget to share your views with us in the comments!
7560
