Reactive redundancy for data destruction protection (R2D2)

Abstract

Data destruction programs, such as Wiper Malware, cause substantial damage by overwriting critical digital assets on compromised machines, denying users access to computing resources. Our system, called R2D2, analyzes write buffers before they can reach a storage medium, determines if the write is destructive, and preserves the data under destruction. We interpose the inspection in the Virtual Machine Monitor (VMM) through a technique known as Virtual Machine Introspection (VMI). This has the benefit that it does not rely on the entire OS as a root of trust. We demonstrate the effectiveness of our prototype implementation by preserving data targeted for destruction by Wiper Malware such as Shamoon and Stonedrill, and a host of secure delete tools. We discover that R2D2 detects data destruction with high accuracy (99.8% true negative and true positive rates) and preserves critical data for all the Wiper Malware samples in the wild that we experimented with. While our prototype is not optimized for performance, we show that it is applicable for common user tasks in an office or home setting, with a latency increase of 1%–4% and 9%–20% to complete batch tasks and interactive tasks respectively. VMI accounts for 90.7%–98.5% of the latency overhead and thus R2D2 incurs a small cost for environments already using VMI.