How to implant a malware in hidden area of SSDs with Flex Capacity feature

Researchers devised a series of attacks against SSDs that could allow to implant malware in a location that is not monitored by security solutions.

Korean researchers devised a series of attacks against solid-state drives (SSDs) that could allow to implant malware in specific memory locations bypassing security solutions.

The attacks work against drives with flex capacity features and allow to implant a malicious code in a hidden area of SSDs called over-provisioning. This memory location is used for performance optimization on NAND flash-based storage systems.

“The Micron Flex Capacity feature is designed to unleash the true capabilities of storage media by giving IT administrators the ability to tune their SSDs to meet specific workload characteristics such as performance, capacity and endurance.”

The operating system and any applications running on it have no visibility on the over-provisioning, this means that security software is not able to inspect their content looking for a malicious code.

Many storage devices can vary the size of the OP area in real-time to optimize performance. A larger size of the OP area can ensure better performance. The OP area can be set for example by a maximum of 50%. An invalidation data region is created by varying the OP area that can be changed by the user or by the firmware manager. However, a threat actor can reduce the size of the OP area using the firmware manager generating an invalid data area. This attack could lead to an information-disclosing attack.

“Assuming that the hacker can access the management table of the storage device, the hacker can access this invalid data area without any restrictions.” reads the research paper. “Without the need for special forensic equipment, as a computer user, a hacker can access these invalid data areas of the NAND flash memory. Depending on sensitive information is stored in the invalid data area, computer users can feel more or less alarmed by this”

Experts pointed out that manufacturers of SSDs usually not erase the invalid data area to save on resources, they only break the link of the mapping table to prevent ill-intentione to access it.

According to the researchers note a forensic analysis on NAND flash memory can allow to retrieve data that has not been deleted in over six months.

In a second attack model, called TEMPERING ATTACK MODEL, the user can perform arbitrary operation on the hidden area, including implanting a malware.

A user with the authority over both the firmware and the flash conversion layer can subsequently invalidate the stored secret information after storing it in the user area. The information will not physically deleted from the user area and only the mapping table entry becomes deleted.

“A hacker may hide malicious code, that is, a malware code, in the OP area. In the drawings, it is assumed that two storage devices SSD1 and SSD2 are connected to a channel in order to simplify the description. Each storage device has 50% OP area. After the hacker stores the malware code in SSD2, they immediately reduce the OP area of SSD1 to 25% and expand the OP area of SSD2 to 75%. At this time, the malware code is included in the hidden area of SSD2. A hacker who gains access to the SSD can activate the embedded malware code at any time by resizing the OP area.” reads the research paper. “Since normal users maintain 100% user area on the channel, it will not be easy to detect such malicious behavior of hackers.”

The researcher also provided recomendations against the above attacks. In order to prevent information leakage it is possible to wipe the OP area, while for the second type of attack, it is suggested to monitor any the VALID/INVLID DATA RATE MONITORING of the OP area in real-time.

A surge in the invalid data ratio could represent an indicator of malicious activity.

The experts also recommend to protecting to the SSD management app against unauthorized access.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SSDs)

[adrotate banner=”5″]

[adrotate banner=”13″]