VaultFS: Write-once Software Support at the File System Level Against Ransomware Attacks

TL;DR

VaultFS is a software-based, write-once file system for Linux that protects data against ransomware and insider threats without requiring special hardware, ensuring data integrity and preventing unauthorized modifications.

Contribution

It introduces VaultFS, a novel write-once file system that enforces data immutability at the software level, eliminating the need for hardware WORM devices.

Findings

VaultFS effectively prevents data modification even under privilege escalation.

It safeguards against ransomware and insider threats by enforcing write-once semantics.

The system also offers protection against Denial-of-Service attacks caused by untrusted applications.

Abstract

The demand for data protection measures against unauthorized changes or deletions is steadily increasing. These measures are essential for maintaining the integrity and accessibility of data, effectively guarding against threats like ransomware attacks that focus on encrypting large volumes of stored data, as well as insider threats that involve tampering with or erasing system and access logs. Such protection measures have become crucial in today's landscape, and hardware-based solutions like Write-Once Read-Many (WORM) storage devices, have been put forth as viable options, which however impose hardware-level investments, and the impossibility to reuse the blocks of the storage devices after they have been written. In this article we propose VaultFS, a Linux-suited file system oriented to the maintenance of cold-data, namely data that are written using a common file system interface, are kept accessible, but are not modifiable, even by threads running with (effective)root-id. Essentially, these files are supported via the write-once semantic, and cannot be subject to the rewriting (or deletion) of their content up to the end of their (potentially infinite) protection life time. Hence they cannot be subject to ransomware attacks even under privilege escalation. This takes place with no need for any underlying WORM device -- since ValutFS is a pure software solution working with common read/write devices (e.g., hard disks and SSD). Also, VaultFS offers the possibility to protect the storage against Denial-of-Service (DOS) attacks, possibly caused by un-trusted applications that simply write on the file system to make its device blocks busy with non-removable content.