Purdue University scientists have developed a data protection technique called Reactive Redundancy for Data Destruction (R2D2) that can protect data sitting inside a virtual machine from modern data-wiping malware and even some secure file deletion methods.
R2D2 was designed with virtual machines in mind, and can't function on regular operating systems. This is because R2D2 needs to sit in a position from where it can observe the entire OS.
"Our prototype implementation of R2D2 exists within a Virtual Machine Monitor (VMM), which monitors for data destruction in a guest virtual machine through Virtual Machine Introspection (VMI)," Purdue researchers wrote in a paper published last month.
R2D2 uses the VMI interface to intercept file open and write operations on the protected OS (the Guest OS on a virtual machine).
When such operations are detected, R2D2 runs each one through a series of policies that evaluate the operation for known destructive patterns. If the scan triggers a warning, the VMM creates a temporary checkpoint that a human operator can use as a system restore point.
By design, R2D2 will ignore standard delete operations, which unlink a file and leave it on the storage medium to be overwritten at a later time when other data needs to be saved on disk.
Instead, R2D2 will look for delete operations that intentionally open and rewrite the file. Such behavior has been seen in "secure delete" applications and wiper malware.
Specifically, R2D2 looks for operations that attempt to rewrite a file with random data or with repeating byte patterns. R2D2 supports 13 known "secure delete" methods that apps and malware are known to use.
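As an added illustration of the detection logic described above (not R2D2's own policies, which the article does not reproduce), the following simplified model classifies intercepted writes as benign or destructive: it ignores appends, flags overwrites that carry a short repeating byte pattern or high-entropy random data, and records which files the monitor would checkpoint. The entropy threshold, the minimum payload size and the sample write events are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Assumed, simplified policy model written for this article; not R2D2's own rules.
ENTROPY_THRESHOLD = 7.5   # bits/byte; assumed cut-off for a "random data" pass
MIN_WIPE_LEN = 64         # assumed smallest payload worth classifying

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0 for empty or single-valued buffers)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def repeating_period(data: bytes, max_period: int = 4) -> int:
    """Shortest p in 1..max_period if data is a pure repeat of its first p bytes
    (zero-fill, 0xFF-fill, 0x55/0xAA alternation), otherwise 0."""
    for p in range(1, max_period + 1):
        if data == (data[:p] * (len(data) // p + 1))[:len(data)]:
            return p
    return 0

def classify_write(offset: int, size_before: int, data: bytes) -> str:
    """Verdict for one intercepted write: 'benign' or 'destructive'."""
    if offset >= size_before or len(data) < MIN_WIPE_LEN:
        return "benign"               # appends and tiny writes never destroy data
    if repeating_period(data):
        return "destructive"          # fixed-pattern overwrite pass
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "destructive"          # random-data overwrite pass
    return "benign"                   # ordinary edit of existing content

def monitor(events):
    """Apply the policy to (path, offset, size_before, data) events; return the
    verdicts and the set of paths the VMM would checkpoint before the write lands."""
    verdicts, checkpoints = [], set()
    for path, offset, size_before, data in events:
        verdict = classify_write(offset, size_before, data)
        verdicts.append((path, verdict))
        if verdict == "destructive":
            checkpoints.add(path)
    return verdicts, checkpoints

# Constructed sample events, not captured from a real guest
RANDOM_FILL = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
SAMPLE_EVENTS = [
    ("C:\\Users\\a\\report.docx", 0, 4096, b"\x00" * 4096),                     # zero-fill wipe
    ("C:\\Users\\a\\photo.jpg", 0, 4096, RANDOM_FILL),                          # random overwrite
    ("C:\\Users\\a\\notes.txt", 0, 4096, b"\x55\xaa" * 2048),                   # alternating pass
    ("C:\\Users\\a\\app.log", 4096, 4096, b"service started\n" * 8),            # append, benign
    ("C:\\Users\\a\\draft.txt", 0, 4096, b"Quarterly summary, revised. " * 8),  # edit, benign
]
```

Running `monitor(SAMPLE_EVENTS)` flags the first three writes and leaves the append and the text edit alone; a high-entropy save of a compressed or encrypted file would still trip the random-data rule, which is the kind of false positive the article's numbers reflect.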
R2D2 supports "secure delete" applications alongside data-wiping malware because malware authors may incorporate these apps into future wiper malware strains instead of using custom techniques.
Furthermore, by supporting "secure delete" algorithms used by popular apps, R2D2 can also protect computers against malicious insiders with physical access to a vulnerable workstation, where the attacker is most likely to use a "secure delete" app instead of data-wiping malware.
R2D2 is currently only at a prototype stage, and there is no publicly available software that companies can deploy to protect their VMs.
Tests carried out by researchers showed that R2D2 is extremely accurate at detecting malicious destructive operations, but work still needs to be done on performance metrics.
For example, out of 989 destructive operations, R2D2 misclassified two destructive overwrites as benign (a false negative rate of 0.2%), and out of 989 benign writes, it flagged five operations as destructive (a false positive rate of 0.51%).
But the biggest problem is the latency that current versions of R2D2 introduce on protected VMs. The Purdue team says the latency overhead ranges from 1% to 4% for simple tasks and from 9% to 20% for batch operations.
But researchers say this isn't a big issue, as the current R2D2 prototype was not optimized for performance, and there's considerable room for improvement.
For example, since over 90% of the latency comes from R2D2 running inside the host OS's VMI interface, the simplest way to improve performance is to find another vantage point from which R2D2 can run with a smaller performance hit.
Because some crypto-ransomware variants work similarly to some wiper malware strains, R2D2 may be useful in detecting some ransomware strains. Nonetheless, the researchers don't believe this is a good system for detecting ransomware infections. They say crypto-ransomware is easier to detect by watching for high-entropy operations, a more reliable indicator that heavy data-encryption routines are underway, than by watching open and write operations.
R2D2 has only been tested on Windows 7 OS running inside a VM.
"We do not anticipate significant obstacles to using R2D2 with more recent versions of Windows," the research team said. "Conceptually, it should also port to Linux, Mac OS, and other systems."
More details about the R2D2 technique are available in a ScienceDirect journal article named "Reactive Redundancy for Data Destruction Protection (R2D2)."