A research team from Inha University, the Daegu Gyeongbuk Institute of Science and Technology (DGIST), the University of Central Florida (UCF), and the cyber security department of Ewha Womans University (EWU) has just presented a method for detecting ransomware and recovering its victims' data on SSDs. The scheme, named "SSD-Insider", is said to reach close to 100% accuracy and has been tested against real-world ransomware.
Research diagram (source: UCF | PDF)
SSD-Insider is reported to work by recognising known, distinguishable ransomware behaviour patterns in the SSD's activity.
To identify ransomware activity solely from the distribution of I/O request headers, the team focused on ransomware families such as WannaCry, Mole and CryptoShield, whose write patterns are fairly distinctive.
Inha University researcher Daehun Nyang said in an interview with The Register: "When SSD-Insider detects ransomware activity, storage input/output (I/O) is paused so that the user can kill the ransomware process."
Ransomware behaviour pattern analysis
Once the ransomware has been stopped, SSD-Insider can also recover the lost files by exploiting a property unique to SSDs.
The article points out that solid-state storage keeps previously deleted or overwritten data on the flash until the page is reclaimed by the controller's and firmware's garbage-collection mechanism.
SSD-Insider also holds on to old versions of data on the drive by using the SSD's built-in backup behaviour (out-of-place writes). That data is not fully erased until the detection algorithm has decided it was not affected by ransomware.
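To make the two mechanisms above concrete (a detector driven only by the write-request pattern, and recovery from stale flash pages that garbage collection has not yet reclaimed), here is an added toy model written for this page. It is not the researchers' code and does not reproduce their actual classifier: the log-structured `ToySSD`, the single "fraction of overwrites in the last N requests" feature, the 0.5 threshold, the XOR "encryptor" and the `simulate()` scenario are all constructed assumptions for illustration.

```python
"""Toy model of the SSD-Insider ideas described in the article (added example,
not the project's code): (1) flag ransomware-like I/O from the distribution of
write requests, pause I/O; (2) recover by pointing logical blocks back at stale
flash pages that garbage collection (GC) has not yet erased."""
from collections import deque


class ToySSD:
    """Log-structured flash: every write goes to a fresh physical page; the old
    page is only marked stale, and its contents survive until GC erases it."""

    def __init__(self, window=64, overwrite_threshold=0.5):
        self.l2p = {}               # logical block (LBA) -> current physical page
        self.pages = []             # append-only physical page store; None = erased
        self.stale = []             # (lba, old_page) retained for rollback, in write order
        self.recent = deque(maxlen=window)  # 1 = overwrite, 0 = fresh write
        self.threshold = overwrite_threshold
        self.paused = False

    def suspicious(self):
        """Assumed feature: share of overwrites among the last `window` requests.
        In-place encryption of many files in a short burst drives this up."""
        if len(self.recent) < self.recent.maxlen:
            return False
        return sum(self.recent) / len(self.recent) >= self.threshold

    def write(self, lba, data):
        """Write one block; returns True if this request tripped the detector."""
        if self.paused:
            raise RuntimeError("I/O paused: suspected ransomware, clean up first")
        is_overwrite = lba in self.l2p
        self.recent.append(1 if is_overwrite else 0)
        if is_overwrite:
            self.stale.append((lba, self.l2p[lba]))   # keep the old version reachable
        self.pages.append(bytes(data))
        self.l2p[lba] = len(self.pages) - 1
        if self.suspicious():
            self.paused = True                       # stop I/O, as the article describes
        return self.paused

    def read(self, lba):
        return self.pages[self.l2p[lba]]

    def garbage_collect(self):
        """Erase stale pages only while the detector sees nothing suspicious;
        otherwise hold them so rollback stays possible. Returns pages reclaimed."""
        if self.paused or self.suspicious():
            return 0
        for _, page in self.stale:
            self.pages[page] = None
        reclaimed = len(self.stale)
        self.stale.clear()
        return reclaimed

    def rollback(self):
        """After the ransomware process is killed: restore every block overwritten
        since the last GC from its retained stale page. Returns blocks restored."""
        restored = 0
        while self.stale:                            # LIFO, so multi-overwrites end at the oldest copy
            lba, old_page = self.stale.pop()
            if self.pages[old_page] is not None:
                self.l2p[lba] = old_page
                restored += 1
        self.paused = False
        self.recent.clear()
        return restored


def simulate():
    """Constructed scenario: normal traffic, then an in-place encryptor."""
    ssd = ToySSD(window=64, overwrite_threshold=0.5)
    expected = {lba: f"file-{lba}".encode() for lba in range(100)}
    for lba, data in expected.items():             # 100 fresh file writes
        ssd.write(lba, data)
    for lba in range(10):                           # a few ordinary in-place edits
        expected[lba] = f"file-{lba}-v2".encode()
        ssd.write(lba, expected[lba])
    reclaimed = ssd.garbage_collect()               # idle drive: old pages erased normally
    encrypted = 0
    for lba in range(100):                          # constructed "ransomware": XOR each file in place
        try:
            ssd.write(lba, bytes(b ^ 0x5A for b in expected[lba]))
            encrypted += 1
        except RuntimeError:
            break                                   # I/O paused; operator kills the process here
    restored = ssd.rollback()
    intact = all(ssd.read(lba) == expected[lba] for lba in range(100))
    return {"gc_reclaimed": reclaimed, "encrypted_before_pause": encrypted,
            "restored": restored, "intact": intact}


if __name__ == "__main__":
    print(simulate())
```

Note that the earlier legitimate edits still sit in the detector's window, so the pause comes after 22 encrypting writes rather than 32; all 22 damaged blocks come back because their pre-encryption pages were held rather than garbage-collected. Real SSD-Insider is reported to run inside the firmware and to use a richer set of I/O features than this single ratio.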
SSD-Insider test performance
What makes SSD-Insider truly distinctive is that it can run at the firmware level, so users gain protection against ransomware even when no security software is installed on the system.
The article also mentions the drawbacks of traditional software defences, such as the CPU overhead of anti-ransomware tools and the fact that some ransomware evades antivirus detection. By contrast, the time overhead of SSD-Insider is only around 147 to 254 ns.
In the WannaCry tests SSD-Insider raised no false alarms and let no ransomware through. Across all test scenarios its false rejection rate (FRR) was zero and its false acceptance rate (FAR) was close to zero.
Ransomware and applications used for testing and training
The researchers point out that for FRR the worst "background noise" comes from I/O- and CPU-intensive workloads, while for FAR the worst case is likewise a working scenario involving data wiping and databases.
Of course, approaches like SSD-Insider are no surprise to antivirus researchers.
After all, once ransomware developers know the scheme exists they can still work on ways to bypass it, so everyone should keep up the good habit of backing up their data regularly.