Malware Hidden in Flex Capacity Space of Modern SSDs

Malware Hidden in Flex Capacity Space of Modern SSDs

Cybersecurity researchers from Korea have devised a series of cyberattacks against some solid-state disks (SSDs) that might allow malware to be planted at a position beyond the user’s and security solutions’ reach.

The attack models are designed for drives with flex capacity characteristics and target a hidden section on the device known as over-provisioning, which SSD manufacturers have extensively employed for performance improvement on NAND flash-based storage systems. Attacks on the hardware level are the most persistent and stealthy. In the past, sophisticated actors tried hard to apply similar concepts against HDDs, concealing dangerous code in inaccessible drive sectors.

Micron Technology’s Flex Capacity technology allows storage devices to automatically modify the sizes of raw and user-allocated space to improve performance by engulfing write workload volumes. Over-provisioning is a dynamic system that produces and changes a buffer of space that usually takes between 7% and 25% of the entire disk capacity.

The operating system and any programs running on it, including security solutions and anti-virus tools, are unaware of the over-provisioning area. The SSD manager dynamically adjusts this space against the workloads when the user opens different apps, depending on how write-intensive or read-intensive they are.

Researchers at Korea University in Seoul modeled one approach that targets an invalid data region containing non-erased information that falls between useable SSD space and the over-provisioning (OP) area and whose size is dependent on both. According to the research paper, a hacker can use the firmware manager to modify the size of the OP region, resulting in exploitable invalid data space.

The issue is that many SSD manufacturers choose not to remove the incorrect data region to save resources. The idea is that breaking the link of the mapping table is adequate to prevent unauthorized access. Therefore, this area remains filled with data for long periods. As a result, a threat actor who exploits this flaw might obtain access to potentially sensitive data.

According to the researchers, forensic work on NAND flash memory can expose data that hasn’t been removed in more than six months. In a second attack strategy, the OP region is exploited as a hidden location where a threat actor may hide malware that users cannot monitor or remove. The apparent benefit of such an attack is its stealthiness. Malicious code detection in OP regions is time-consuming and needs highly sophisticated forensic techniques.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.