Hidden in Plain Sight: Filesystem View Separation for Data Integrity and Deception

Bibliographic Details
Published in: Detection of Intrusions and Malware, and Vulnerability Assessment, Vol. 10885, pp. 256-278
Main Authors: Taylor, Teryl; Araujo, Frederico; Kohlbrenner, Anne; Stoecklin, Marc Ph.
Format: Book Chapter
Language: English
Published: Springer International Publishing AG, Switzerland, 2018
Series: Lecture Notes in Computer Science
Summary: Cybercrime has become a big money business with sensitive data being a hot commodity on the dark web. In this paper, we introduce and evaluate a filesystem (DcyFS) capable of curtailing data theft and ensuring file integrity protection by providing subject-specific views of the filesystem. The deceptive filesystem transparently creates multiple levels of stacking to protect the base filesystem and monitor file accesses, hide and redact sensitive files with baits, and inject decoys onto fake system views purveyed to untrusted subjects, all while maintaining a pristine state to legitimate processes. A novel security domain model groups applications into filesystem views and eliminates the need for filesystem merging. Our prototype implementation leverages a kernel hot-patch to seamlessly integrate the new filesystem module into live and existing environments. We demonstrate the utility of our approach through extensive performance benchmarks and use cases on real malware samples, including ransomware, rootkits, binary modifiers, backdoors, and library injectors. Our results show that DcyFS adds no significant performance overhead to the filesystem, preserves the filesystem data, and offers a potent new tool to characterize the impact of malicious activities and expedite forensic investigations.
Bibliography: T. Taylor and F. Araujo: both authors contributed equally to this work.
ISBN: 3319934104, 9783319934105
ISSN: 0302-9743, 1611-3349
DOI: 10.1007/978-3-319-93411-2_12