Date of Award

12-2017

Degree Type

Dissertation

Degree Name

Doctor of Philosophy (PhD)

Department

Computer Science

Committee Chair

Eugene H. Spafford

Committee Co-Chair

Saurabh Bagchi

Committee Member 1

Dongyan Xu

Committee Member 2

Mathias Payer

Abstract

Unauthorized data destruction results in a loss of digital information and services, a devastating issue for society and commerce that rely on the availability and integrity of such systems. Remote adversaries who seek to destroy or alter digital information persistently study the protection mechanisms and craft attacks that circumvent defense mechanisms such as data back-up or recovery. This dissertation evaluates the use of deception to enhance the preservation of data under the threat of unauthorized data destruction attacks. The motivation for the proposed solution is two-fold. (i) An honest and consistent view of the preservation mechanisms are observable and often controlled from within the system under protection, allowing the adversary to identify an appropriate attack for the given system. (ii) The adversary relies on some underlying I/O system to facilitate destruction and assumes that the components operate according to a confirmation bias based on prior interactions with similar systems. A deceptive memory system (DecMS) masks the presence of data preservation and mimics a system according to the adversary’s confirmation bias. Two proofs of concepts and several destructive threat instances evaluate the feasibility of a DecMS. The first proof of concept, DecMS-Kernel, uses rootkits’ stealth mechanisms to mask the presence of DecMS and impede potential destructive writes to enable preservation of data before destruction. The experimental results show that DecMS is effective against two common secure delete tools and an application that mimics crypto ransomware methods. Based on the results of DecMS-Kernel, several improvements are incorporated into a DecMS that uses virtual machine introspection. DecMS-VMI places the preservation mechanism out of reach from the system under protection. The virtual machine under protection does not undergo any changes or need additional software to support the deception, thus improving stealthiness. The results for DecMS-VMI demonstrate the ability to preserve data under a wide range of destructive methods: 13 di↵erent secure delete methods, four wiper malware, and one timestamp fabrication tool. Under both prototype systems, all of the detected data under destruction is successfully preserved. The overall results indicate that it is feasible to create deceptive systems to enhance data preservation methods on interactive computing systems.

Share

COinS