Posted on January 2, 2022 at 2:29 PM
SSD over-partitioning has a vulnerability that can be used to inject malware
Researchers from Korea have identified a bug in SSDs that enables malware to be stored directly in the empty over-provisioning partition of an SSD. By doing this, the malware can be so stealthy in its operations by avoiding security detection.
A report from Bleeping Computer noted that the malware’s mode of operation allows it to launch its attack by bypassing the security measures in place.
SSD over-provisioning
As mentioned earlier, the malware uses over-provisioning. This is a feature found in modern SSDs. Its aim is to improve the life and the performance of inbuilt NAND storage in the SSD. In layman terms, over-provisioning can be referred to as empty storage space.
While over-provisioning is essentially empty space, it has an important function because it allows the SSD to ensure data distribution. Thus, the data is distributed between the NAND cells by shuffling it to the over-provisioning tool when necessary.
The over-provisioning feature is, in essence, inaccessible by any operating system. Anti-virus tools cannot operate on this feature. However, researchers have detected a new malware that can bypass this limitation and use this space in conducting attacks.
The researchers that detected this malware were based at the Korea University in Seoul. The researchers formulated two model attacks that exploit the SS over-provisioning feature.
During the first attack, the researchers demonstrated how the vulnerability can target invalid data within the SSD. The data was deleted from the operating system, but it has not been physically wiped.
The attacker can also configure the type of data they want to retrieve when exploiting this vulnerability. To acquire sensitive and valuable data, the attacker can alter the size of the overprovisioned data pool. This allows the attacker to obtain extra space and use this on the operating system.
The attacker does this to ensure that if a use deletes more data from their system, it will still be physically available in the SSD. The attacker can retrieve it and use it to launch attacks.
The second type of attack that can be launched using this vulnerability is almost similar to the first. However, the attacker will introduce malware directly into the over-provisioned space in this case. The attacker who is launching this attack will connect two SSDS to function as one device, and the over-provisioning is set at 50%.
After that, the attacker introduces the malware into the over-provisioning partition of the SSD. This will allow the OP range of the first SSD to 25% of the entire size of the SSD. Additionally, it will increase the OP range of the second SSD to 75%.
Through this, the attacker will have space on the second SSD to launch malware directly into the over-provisioning partition. This will happen as the attacker sets the first SSD range to 25%. This configuration will make it appear like the OP area on the two drivers is unaffected despite the introduction of the malware. This is possible because the OP range of the two SSDs will remain at 50%.
Researchers give tips of protection
The researchers involved in this case have provided several techniques that users can consider to ensure they are protected from this malware attack. One recommended strategy is using a pseudo-erase algorithm that will physically delete data from an SSD.
This option is useful for a user that wants to counter the first form of attack that can be launched using the over-partitioned space. The pseudo-erase algorithm will physically delete data from the SSD without affecting the real-world performance.
The researchers have also recommended that a user employs a new monitoring system. This will monitor the over-provisioned spaces of the SSD closely. Monitoring in real-time will ensure that a user can detect the second type of attack and counter it before the attacker introduces malware into the over-partitioning.
Additionally, users also need to install SSD management tools. These tools will ensure that the over-provisioned sizes are regularly changed. As such, they will give a higher level of security to the over-partitioning and ensure those without access are locked out.
It is important to note that these attacks were modelled by the researchers. Hence, they were not discovered during an attack by a threat actor. However, this does not negate the fact that such attacks could happen in the future. To this end, SSD manufacturers need to introduce parches that will fix this security vulnerability before a threat actor exploits it and obtains sensitive data.