P16_21: Persistent Cache Monitor to Combat Ransomware
Topic Areas: Ransomware countermeasure
Principal investigator: Dr. Yunsi Fei, Northeastern University
Co-Principal investigator: Prof. Aidong Adam Ding, Northeastern University
Shared microarchitecture on computing platforms has become an effective side channel for information leakage, breaching the confidentiality of sensitive applications on computer systems. Cache timing attacks have broken all the common cryptographic algorithms: the spy gleans the victim's secret-dependent memory access pattern from the state of the shared cache. However, conventional cache timing attacks require synchronization between the spy and the victim, an unrealistic assumption, particularly for malware infections such as ransomware, which employs common ciphers on the host machine to “lock” important files for ransom. In this proposal, we turn the power of side-channel attacks against ransomware, enabling the host machine to retrieve the ransomware's encryption key. We design a persistent cache watchdog that runs constantly, in parallel with the victim (the ransomware), leveraging the common multi-core or hyper-threading environment. The monitor passively captures much finer-grained cache access information about the victim. We then propose deep learning methods to analyze the monitored data and retrieve the secret key. Together, the cache watchdog and the deep learning analysis tool can help the host machine decrypt its locked critical files instead of paying the hefty ransom.