Reliably Erasing Data from Flash-Based Solid State Drives

Transcript
Slide 1. Reliably Erasing Data from Flash-Based Solid State Drives. Michael Wei*, Laura Grupp*, Frederick E. Spada, Steven Swanson*. *Non-Volatile Systems Laboratory, Department of Computer Science and Engineering, University of California, San Diego. Center for Magnetic Recording Research, University of California, San Diego.

Slide 2. Confidential data: sensitive information that is limited to people with a need for it and destroyed at end of life.

Slide 3. YOU have confidential data on your computer right now!

Slide 4. CORPORATIONS must protect their own data as well as their clients' data.

Slide 5. GOVERNMENTS must protect information to protect the state and the lives of its citizens.

Slide 7. What we know comes from years of research on hard drives.

Slide 8. Solid State Disks (SSDs): next-generation storage. Flash-based. No moving parts. Uses a complex controller (the Flash Translation Layer, FTL).

Slide 9. (Chart: SSD shipment forecast, in millions, by year. Source: DRAMeXchange.) SSDs are becoming quite popular.

Slide 10. You might have left confidential data and not even realized it.

Slide 11. Why is it hard to erase SSDs? Current sanitization tools are designed for hard drives. But SSDs are very different!

Slide 12. SSD differences: the recovery process is cheap; a wide space of manufacturers leaves room for poor implementation; easy disassembly / reassembly ("Let's see what's on this SSD"); low cost compared to hard drives. Someone could steal your data overnight!

Slide 13. Overview: Motivation; Sanitization Background; Validating Sanitization and Results; Single-File Sanitization; Enhancement.

Slide 14. Sanitization: erasing data so that it is difficult or impossible to recover.

Slide 15. For this talk, we'll talk about the chip level: there's leftover data there, recovering it is cheap, and the next level down is much more complex.

Slide 16. Physical level: "Destroying Flash Memory-Based Storage Devices", Steven Swanson, University of California, San Diego Computer Science & Engineering technical report cs. Shredding to mm particles is good until 2022 (8 nm technology node).

Slides 17-19. Writing data. Writing more data. Lots of stale data can be left over on the drive.

Slide 20. Overview: Validating Sanitization and Results.

Slide 21. We now want to measure the stale data left over.

Slide 22. First, we constructed a fingerprint that was easily identifiable: special identifiers, unique patterns, a checksum. Second, we needed a way to see more than what the operating system sees.

Slides 24-25. We built a custom hardware platform to extract data off the chips. The drive is successfully sanitized if no stale data is left over.

Slide 27. Whole-disk sanitization: erase the whole disk so that no old data remains. Approaches: built-in commands (ATA Security Erase Unit, ATA-3, 1995); cryptographic techniques; software overwrite; various standards.

Slide 29. ATA Security Erase Unit (1995). Normal: replace the contents of LBA 0 to MAX LBA with binary zeroes or ones. Enhanced: all previously written user data shall be overwritten. Predates SSDs: it doesn't distinguish overwritten from erased.

Slide 30. ATA Security Erase results. Some drives tested supported the command and passed:

    SSD   Controller   SECURITY ERASE UNIT (ATA-3)   SECURITY ERASE UNIT ENHANCED (ATA-3)
    A     1            No                            No
    B     2            No (reports yes)              No
    C     1            Partial (bugged)              No
    D     3            Partial (bugged)              No
    E     4            Crypto scrambles              Crypto scrambles
    F     5            Yes                           Yes
    G     6            Yes                           No
    H     7            Yes                           Yes
    I     8            Yes                           Yes

Slide 31. One drive reported success, even though all data remained.

Slide 32. Others only worked after the drive was reset.

Slide 33. Some drives crypto-scrambled, so we could not verify them.

Slide 34. Crypto-scramble: works by deleting the key. Fast, but the encrypted data remains, so the data isn't erased. Crypto-scramble makes drives unverifiable.

Slide 35. Hardware commands: wide variation in results: not supported; success; crypto-scramble; buggy implementation (works sometimes); failure (all data left over). The result is implementation-dependent: you will not know what happens until it is tested.

Slide 36. SAFE: Scramble and Finally Erase (UCSD technical report cs). Cryptography is desirable; however, it is hard to verify. A sanitized disk is easy to verify. Why not crypto-scramble AND erase?

Slide 37. Traditional sanitization process: ACTIVE (in use) -> sanitize disk -> write metadata -> INITIALIZED. Sanitize and initialize happen in a single step; the drive is INITIALIZED after a sanitize.

Slide 38. Crypto-erase sanitization process: ACTIVE (encrypted, in use) -> delete keys -> KEYLESS -> write metadata -> INITIALIZED. The drive is INITIALIZED after a sanitize.

Slide 39. SAFE breaks this up and adds two new states, KEYLESS and VERIFIABLE: ACTIVE (encrypted, in use) -> delete keys -> KEYLESS -> block erase -> VERIFIABLE -> write metadata -> INITIALIZED.

Slide 40. Scramble: the drive is actively being encrypted. On sanitize, delete the keys (KEYLESS). This step takes milliseconds.

Slide 41. Erase: perform a block erase after the scramble. We can then easily verify the drive (VERIFIABLE). This step takes minutes.

Slide 42. We can now verify whether the drive is erased: via pulling off the chips; possibly via hardware commands that don't exist yet; via an external connector. Best of both worlds: a fast cryptographic scramble, then a slower, more secure erase.

Slide 43. Myth: flash takes a long time to erase. 13 seconds to erase 4 Gbit; 2.1 minutes to program 4 Gbit. Erase can work on multiple chips in parallel, and the number of channels scales with drive size (in general). An average disk (250 GB) may take ~20 s to fully erase. With simple optimizations, a very fast erase is possible.

Slide 44. Problem: we still have to trust the firmware designer to do it right! Challenge: how do we avoid the need to trust the firmware?
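The SAFE state machine of slides 37 to 44, worked through as an added example in C. This is not code from the paper or its authors: the drive model, the page geometry, the keys, the xorshift keystream standing in for the drive's cipher, and the `bogus_sanitize` controller (modelled on the drive in the table that reported success with all data remaining) are all assumptions made for illustration. The point it shows is the one the slides make: after key deletion the chips still hold every ciphertext bit, so a chip-level reader cannot tell a scrambled drive from an untouched one, whereas after the block erase every page reads as 0xFF and the result is checkable without trusting the firmware.

```c
/* Added example, not code from the paper or its authors: a toy model of the
 * SAFE state machine (ACTIVE -> KEYLESS -> VERIFIABLE -> INITIALIZED) over a
 * small NAND-like array.  It shows why a KEYLESS (crypto-scrambled) drive
 * cannot be verified from the chips, why a VERIFIABLE one can, and how a
 * chip-level read catches a controller that reports success without erasing.
 * The keystream "cipher", geometry and keys are stand-ins chosen so the example
 * is self-contained; none of it is a real encryption scheme. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NPAGES 8
#define PSZ    32
enum safe_state { ACTIVE, KEYLESS, VERIFIABLE, INITIALIZED };

struct drive {
    enum safe_state state;
    uint64_t key;                 /* media encryption key; 0 once deleted */
    uint8_t  cells[NPAGES][PSZ];  /* raw NAND contents, 0xFF when erased */
};

static uint64_t xs(uint64_t *s) { *s ^= *s << 13; *s ^= *s >> 7; *s ^= *s << 17; return *s; }

/* Stand-in stream cipher: XOR with a per-page keystream derived from the key. */
static void crypt_page(uint64_t key, int page, const uint8_t *in, uint8_t *out) {
    uint64_t s = key ^ (0x9E3779B97F4A7C15ull * (uint64_t)(page + 1));
    for (int i = 0; i < PSZ; i++) out[i] = in[i] ^ (uint8_t)xs(&s);
}
static void erase_all(struct drive *d) { memset(d->cells, 0xFF, sizeof d->cells); }

void drive_init(struct drive *d, uint64_t key) { d->state = ACTIVE; d->key = key; erase_all(d); }

int drive_write(struct drive *d, int page, const uint8_t *plain) {
    if ((d->state != ACTIVE && d->state != INITIALIZED) || d->key == 0) return -1;
    d->state = ACTIVE;
    crypt_page(d->key, page, plain, d->cells[page]);
    return 0;
}
int drive_read(const struct drive *d, int page, uint8_t *plain) {
    if (d->state != ACTIVE || d->key == 0) return -1;   /* refused once KEYLESS */
    crypt_page(d->key, page, d->cells[page], plain);
    return 0;
}

/* Step 1 (milliseconds): crypto-scramble by deleting the key.  The controller can
 * no longer read the data, but every ciphertext bit is still on the chips. */
int safe_delete_keys(struct drive *d) {
    if (d->state != ACTIVE) return -1;
    d->key = 0; d->state = KEYLESS; return 0;
}
/* Step 2 (minutes): block-erase everything so a chip-level read can confirm it.
 * Refused unless the keys are already gone, so the fast step always happens first. */
int safe_block_erase(struct drive *d) {
    if (d->state != KEYLESS) return -1;
    erase_all(d); d->state = VERIFIABLE; return 0;
}
/* Step 3: write fresh metadata and a new key; the drive is INITIALIZED and back in service. */
int safe_initialize(struct drive *d, uint64_t new_key) {
    if (d->state != VERIFIABLE || new_key == 0) return -1;
    d->key = new_key; d->state = INITIALIZED; return 0;
}
/* A controller that "sanitizes" the way the drive in the table did: reports success, touches nothing. */
int bogus_sanitize(struct drive *d) { (void)d; return 0; }

/* Chip-level verification, independent of the controller: the number of pages
 * that hold anything other than the erased pattern.  Zero means verified. */
int chips_count_nonerased(const struct drive *d) {
    int n = 0;
    for (int p = 0; p < NPAGES; p++)
        for (int i = 0; i < PSZ; i++) if (d->cells[p][i] != 0xFF) { n++; break; }
    return n;
}

struct safe_report { int erase_refused_before_scramble, pages_after_bogus, pages_after_scramble, pages_after_erase, init_ok; };

/* Walk the state machine on a freshly written drive and report what the chips show at each stage. */
struct safe_report safe_demo(void) {
    struct safe_report r; struct drive d; uint8_t page[PSZ];
    drive_init(&d, 0x0123456789ABCDEFull);
    for (int p = 0; p < NPAGES; p++) { memset(page, 'A' + p, PSZ); drive_write(&d, p, page); }
    r.erase_refused_before_scramble = safe_block_erase(&d) < 0;
    bogus_sanitize(&d);                                  /* controller claims success... */
    r.pages_after_bogus = chips_count_nonerased(&d);     /* ...but the chips disagree */
    safe_delete_keys(&d);
    r.pages_after_scramble = chips_count_nonerased(&d);  /* scrambled: still all there */
    safe_block_erase(&d);
    r.pages_after_erase = chips_count_nonerased(&d);     /* verifiable: nothing left */
    r.init_ok = safe_initialize(&d, 0xFEDCBA9876543210ull) == 0;
    return r;
}

int main(void) {
    struct safe_report r = safe_demo();
    printf("erase before key deletion refused: %d\n", r.erase_refused_before_scramble);
    printf("non-erased pages: after bogus sanitize %d, after key deletion %d, after block erase %d\n",
           r.pages_after_bogus, r.pages_after_scramble, r.pages_after_erase);
    return r.pages_after_erase == 0 && r.init_ok ? 0 : 1;
}
```

The check that matters is `chips_count_nonerased`, which reads the cells directly rather than asking the controller: it reports the same count for the untouched drive, the one whose controller lied, and the keyless one, and only drops to zero after the block erase. That is exactly why the KEYLESS state is unverifiable and the VERIFIABLE state is not, and why the ordering of the two steps is enforced rather than left to the caller.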
Slide 45. Software overwrite: various government standards. According to NIST (2006), "Studies today have shown that most of today's media can be effectively cleared by one overwrite."

Slide 47. Software overwrite: how many times?

Slide 48. Our experiments show that 2 passes are typically necessary. But even on the same drive, the number of required passes varied between 2 and more than 20. Unreliable: hardware commands are best, if they are correctly implemented.

Slide 49. Single-file sanitization: erasing single files while leaving other parts of the drive intact.

Slide 50. We want to sanitize only part of the disk. Let's try overwriting it.

Slide 51. And again.

Slide 52. We tested with a 1000 MB file, and got pretty bad results. (Chart: data recovered, in MB, for 1000 MB, 100 MB, 10 MB and 1 MB files.)

Slide 54. We tried to augment the existing procedures to do better: wipe the free space; defragment and wipe. But that didn't help at all.

Slide 55. We'd like a hardware command that would tell the controller to delete stale data.

Slide 56. Overview: Enhancement.

Slide 57. Scrubbing: an enhancement to the FTL to sanitize single files. Unfortunately, it's not that easy.

Slide 59. First, flash is arranged into areas we can write to, called pages. And pages are arranged into larger sections we can erase, called blocks.

Slide 60. Erasing one piece of data would erase everything else in that block.

Slide 62. One method to get around the limitation is to copy. But that's slow! Instead, we can overwrite individual pages.

Slide 67. The datasheet says we have to program pages in order, though. Our research has shown that it's okay, with specific restrictions. We call this a scrub.

Slide 69. Low-density, high-reliability SLC memory: no caveat. High-density MLC: we are limited by a scrub budget. (Chart: bit error rate, with the "Typical" and "Safe BER" levels marked.)

Slide 70. Sanitizing single files with scrub: when do we do it? Immediate: right away. Background: when we're free. Scan: when we're told to.

Slide 71. Immediate and Background modes automatically scrub stale data from the SSD. Immediate: maximum security; writes don't complete until the scrub is done. Background: good security; better performance, since writes finish immediately.

Slides 72-74. (Chart: relative write latency, log scale, by scrub mode: Background and Immediate for SLC and for MLC with scrub budgets 0, 16 and 64. Harmonic mean over the Financial, Software Devel., Patch, OLTP, Berkeley DB and BTreeSwap workloads.)

Slide 76. Scan is what we wanted earlier: a built-in command to sanitize individual files.

Slide 77. In MLC, we still have to manage the scrub budget with copies.

Slide 78. (Chart: scan latency, relative latency in seconds, for SLC and for MLC with scrub budgets 0, 16, 32 and 64, per benchmark.)

Slide 79. Scrubbing: the solution for single-file sanitization. The sanitization level is selectable, and it is available on demand with scan mode.

Slide 80. Conclusion. Sanitizing storage media is essential for data security. Need to verify sanitization effectiveness. Built-in mechanisms are reliable when implemented correctly. Hard-drive techniques don't necessarily work. SAFE allows us to verify encrypted drives. Sanitizing single files (in place) is difficult. Software overwrite cannot reliably sanitize. Scrubbing allows us to sanitize files by modifying the FTL.
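The three threads of the talk that need a mechanism to be understood, the chip-level fingerprint scan (slides 21 to 25), the failure of software overwrite for single files (slides 48 to 54) and scrubbing with its MLC scrub budget (slides 57 to 77), as one added example in C. It is not code from the paper, its authors or any real FTL: the geometry (4 blocks of 4 pages of 16 bytes), the fingerprint layout (magic, file id, sequence number, checksum), the checksum, the file ids, the allocation policy and the budget numbers are all assumptions chosen so the example runs on its own.

```c
/* Added example, not code from the paper or its authors: a toy log-structured
 * FTL over a NAND-like array.  It shows why overwriting a file through the
 * block device leaves stale copies on the chips, how the chip-level fingerprint
 * scan finds them while the OS-level view looks clean, and how an in-place
 * scrub (program the stale page to zeros, no block erase) removes them, falling
 * back to copy-and-erase once a block's scrub budget is used up.  Geometry,
 * fingerprint layout, checksum, file ids and budgets are assumed for illustration. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BLOCKS 4
#define PPB    4                   /* pages per block */
#define PSZ    16                  /* bytes per page */
#define NPHYS  (BLOCKS * PPB)
#define NLOG   8                   /* logical pages the OS can address */
#define MAGIC  0x5A17C0DEu         /* constructed "special identifier" */
enum { FREE, LIVE, STALE, SCRUBBED };
struct result { int os_before, raw_before, raw_after, raw_keep, os_keep, scrubs, erases; };

static uint8_t flash[NPHYS][PSZ];  /* raw cells, 0xFF when erased */
static int pstate[NPHYS], l2p[NLOG], next_free, used[BLOCKS], budget, scrubs, erases;
static uint32_t get32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void put32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static uint32_t csum(const uint8_t *p) { uint32_t s = 7; for (int i = 0; i < 12; i++) s = s * 31 + p[i]; return s; }

static void erase_block(int b) {
    for (int pp = b * PPB; pp < (b + 1) * PPB; pp++) { memset(flash[pp], 0xFF, PSZ); pstate[pp] = FREE; }
    used[b] = 0; erases++;
}
/* NAND programming only clears bits (1 -> 0); only an erase sets them back. */
static void program_page(int pp, const uint8_t *data) { for (int i = 0; i < PSZ; i++) flash[pp][i] &= data[i]; }

static void ftl_init(int scrub_budget) {   /* budget < 0: SLC, unlimited in-place scrubs */
    for (int b = 0; b < BLOCKS; b++) erase_block(b);
    for (int l = 0; l < NLOG; l++) l2p[l] = -1;
    next_free = 0; budget = scrub_budget; scrubs = 0; erases = 0;
}
/* Out-of-place write: the old copy is unreachable through its LBA but still on the chip. */
static int ftl_write(int lp, const uint8_t *data) {
    if (next_free >= NPHYS) return -1;
    int old = l2p[lp], pp = next_free++;
    program_page(pp, data); pstate[pp] = LIVE; l2p[lp] = pp;
    if (old >= 0) pstate[old] = STALE;
    return pp;
}
/* Fingerprint page: magic, file id, sequence number, checksum over the first 12 bytes. */
static void fingerprint(uint8_t *pg, uint32_t file, uint32_t seq) {
    put32(pg, MAGIC); put32(pg + 4, file); put32(pg + 8, seq); put32(pg + 12, csum(pg));
}
static int has_fp(const uint8_t *pg, uint32_t file) {
    return get32(pg) == MAGIC && get32(pg + 4) == file && get32(pg + 12) == csum(pg);
}
/* What the OS sees through the FTL map versus what a chip-level read sees. */
static int os_scan(uint32_t file) {
    int n = 0; for (int l = 0; l < NLOG; l++) if (l2p[l] >= 0 && has_fp(flash[l2p[l]], file)) n++; return n;
}
static int raw_scan(uint32_t file) {
    int n = 0; for (int pp = 0; pp < NPHYS; pp++) if (has_fp(flash[pp], file)) n++; return n;
}
/* Slow path: copy live pages out of block b, then erase the whole block. */
static int relocate_and_erase(int b) {
    if (next_free / PPB == b) next_free = (b + 1) * PPB;   /* never copy into the block being erased */
    for (int pp = b * PPB; pp < (b + 1) * PPB; pp++) {
        if (pstate[pp] != LIVE) continue;
        int l = 0; while (l2p[l] != pp) l++;
        uint8_t copy[PSZ]; memcpy(copy, flash[pp], PSZ);
        if (ftl_write(l, copy) < 0) return -1;
    }
    erase_block(b); return 0;
}
/* Scrub: program each stale page to zeros in place while the block's budget lasts;
 * beyond the budget (MLC) fall back to relocate-and-erase for that block. */
static int ftl_scrub_stale(void) {
    static const uint8_t zeros[PSZ];
    for (int b = 0; b < BLOCKS; b++)
        for (int pp = b * PPB; pp < (b + 1) * PPB; pp++) {
            if (pstate[pp] != STALE) continue;
            if (budget < 0 || used[b] < budget) { program_page(pp, zeros); pstate[pp] = SCRUBBED; used[b]++; scrubs++; }
            else { if (relocate_and_erase(b) < 0) return -1; break; }
        }
    return 0;
}
/* Two files interleaved in the same blocks, so scrubbing A must leave B intact.
 * A is then "overwritten" with zeros through the FTL, as a software wipe would do. */
struct result run_scenario(int scrub_budget) {
    const uint32_t A = 0xA11CEu, B = 0xB0Bu; uint8_t pg[PSZ]; struct result r;
    ftl_init(scrub_budget);
    for (int i = 0; i < 2; i++) { fingerprint(pg, A, i); ftl_write(i, pg); }      /* A0, A1 -> block 0 */
    for (int i = 0; i < 2; i++) { fingerprint(pg, B, i); ftl_write(4 + i, pg); }  /* B0, B1 -> block 0 */
    for (int i = 2; i < 4; i++) { fingerprint(pg, A, i); ftl_write(i, pg); }      /* A2, A3 -> block 1 */
    memset(pg, 0, PSZ);
    for (int i = 0; i < 4; i++) ftl_write(i, pg);                                 /* overwrite A */
    r.os_before = os_scan(A); r.raw_before = raw_scan(A);
    ftl_scrub_stale();
    r.raw_after = raw_scan(A); r.raw_keep = raw_scan(B); r.os_keep = os_scan(B);
    r.scrubs = scrubs; r.erases = erases;
    return r;
}

int main(void) {                                   /* stand-alone run: SLC, MLC copy-only, MLC budget 1 */
    for (int b = -1; b <= 1; b++) { struct result r = run_scenario(b);
        printf("budget %2d: overwrite leaves OS %d / chips %d; after scrub chips %d; B %d/%d; scrubs %d erases %d\n",
               b, r.os_before, r.raw_before, r.raw_after, r.os_keep, r.raw_keep, r.scrubs, r.erases); }
    return 0;
}
```

After the overwrite the OS-level scan finds nothing, because the FTL map points at the new zero pages, while the chip-level scan still finds all four fingerprinted pages of A: that is the stale data a software overwrite leaves behind. Scrubbing clears them without disturbing B in the same blocks; with a budget of zero (the "MLC 0", copy-only configuration) every stale page costs a relocation and a block erase, with a budget of one each block gets one cheap in-place scrub before the fall back, and with no budget (SLC) no block is ever erased. The zero-page trick works only because NAND programming can clear bits that are already set, which is the same property the datasheet's "program in order" rule is guarding.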