Page 1: Erase icitst

ERASE - EntRopy-based SAnitization of Sensitive Data for Privacy Preservation

Presenter: Dr. Avinash Srinivasan
Authors: Jeffrey Medsger and Avinash Srinivasan

Page 2: Erase icitst

Contributions to the Field of Computer Media Sanitization

Goal:

Design a more efficient process for non-destructively sanitizing (overwriting) computer media.

ERASE - An entropy-based wiping method for sanitizing a target area.

ERASERS - Random sampling in tandem with the above entropy-based technique for efficiently sanitizing a target area.

A tool implementing both of the above techniques.

Medsger and Srinivasan - 2

ICITST-2012

Outline

Contributions to Field
Overview of Field
Problem Statement
New Techniques
  ERASE
  ERASERS
Background
ERASE Process
Performance Results
Thoroughness of Technique
Conclusion

Page 3: Erase icitst

Overview of Field: Computer Media Sanitization

[Figure: deleted files are removed by sanitization, which is either destructive (physical) or non-destructive (overwriting).]

Data carving can recover deleted data from unallocated space and file slack.

Study performed by Garfinkel et al. [3]: with little financial expenditure, the authors were able to retrieve thousands of credit card numbers and other personal information from second-hand hard drives.

[3] S. L. Garfinkel and A. Shelat, “Remembrance of data passed: A study of disk sanitization practices,” IEEE Security and Privacy, vol. 1, pp. 17–27, 2003.


Page 4: Erase icitst

Problem Statement

Current wipe methods use a brute force approach [overwrite everything].

Hard drive sizes are increasing: in 2011, Seagate reported an average HDD size of 590GB.


Suppose 50% of the area to be sanitized contains sensitive data [590GB HDD]:

Method               Wipe Pattern   Time
Current tools [dd]   Pseudorandom   14.6 hrs
ERASE                Pseudorandom   9.5 hrs
Current tools [dd]   Zeros          1.584 hrs
ERASERS              Zeros          0.85 hrs (best case) - 1.580 hrs (worst case)

Page 5: Erase icitst

New Techniques

ERASE: Calculate the entropy of each disk block and, if that entropy falls within the sensitive entropy range, overwrite that disk block.

ERASERS: Divide the area (population) to be sanitized into z subpopulations. For each subpopulation, randomly sample n blocks and, if at least one sampled block is within the sensitive entropy range, overwrite that entire subpopulation.


[Figure: the area to be sanitized is divided into subpopulations; n disk blocks are randomly sampled from each subpopulation; subpopulations found to contain sensitive data are overwritten.]
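The two selection rules above, as an added example written for this page (it is not the authors' tool). It assumes 4 KiB blocks, Shannon entropy measured in bits per byte, a closed sensitive range [lo, hi], a contiguous split of the block population into z subpopulations, and a seeded RNG so the sampling is reproducible; the 64-block disk image is constructed inline.

```python
"""Added example (not the authors' tool): ERASE and ERASERS block selection
over a constructed in-memory disk image. Assumptions: 4 KiB blocks, Shannon
entropy in bits per byte (0..8), a closed sensitive range [lo, hi], a
contiguous split into subpopulations, and a seeded RNG for the sampling."""
import math
import os
import random
from collections import Counter

BLOCK = 4096  # assumed block size; the slides only say "disk block"


def block_entropy(data: bytes) -> float:
    """Shannon entropy of one block in bits per byte: 0.0 for an all-identical
    block (zeros), approaching 8.0 for uniformly random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def erase_select(image: bytes, lo: float, hi: float) -> list:
    """ERASE: read every block; return the indices whose entropy lies in the
    sensitive range. Only those blocks are overwritten."""
    total = len(image) // BLOCK
    return [i for i in range(total)
            if lo <= block_entropy(image[i * BLOCK:(i + 1) * BLOCK]) <= hi]


def subpop_blocks(total: int, z: int, s: int) -> range:
    """Block indices of subpopulation s when total blocks are split into z."""
    size = math.ceil(total / z)
    return range(s * size, min((s + 1) * size, total))


def erasers_select(image: bytes, lo: float, hi: float, z: int, n: int,
                   seed: int = 0) -> list:
    """ERASERS: sample n blocks without replacement from each of the z
    subpopulations and flag a subpopulation as soon as one sampled block is
    in the sensitive range. Sensitive blocks that the sample happens to miss
    leave their subpopulation unwiped; the sample size n bounds that risk."""
    rng = random.Random(seed)
    total = len(image) // BLOCK
    flagged = []
    for s in range(z):
        members = subpop_blocks(total, z, s)
        for i in rng.sample(members, min(n, len(members))):
            if lo <= block_entropy(image[i * BLOCK:(i + 1) * BLOCK]) <= hi:
                flagged.append(s)
                break
    return flagged


def overwrite_blocks(image: bytearray, block_ids: list, pattern_source) -> int:
    """Overwrite the listed blocks in place with pattern_source() (BLOCK bytes
    of zeros or pseudorandom data per call); returns bytes written."""
    for i in block_ids:
        image[i * BLOCK:(i + 1) * BLOCK] = pattern_source()
    return BLOCK * len(block_ids)


def zeros_pattern() -> bytes:
    return bytes(BLOCK)


def urandom_pattern() -> bytes:
    return os.urandom(BLOCK)


def build_image(seed: int = 1) -> bytearray:
    """Constructed 64-block image: 32 zero blocks (never used), 16 text-like
    blocks (13-symbol alphabet, ~3.7 bPB) and 16 random blocks (~7.95 bPB,
    what a jpg/zip/pdf body looks like)."""
    rng = random.Random(seed)
    alphabet = b"etaoin shrdlu"
    img = bytearray()
    for i in range(64):
        if i < 32:
            img += bytes(BLOCK)
        elif i < 48:
            img += bytes(rng.choice(alphabet) for _ in range(BLOCK))
        else:
            img += bytes(rng.getrandbits(8) for _ in range(BLOCK))
    return img


def demo(lo: float = 0.01, hi: float = 8.0) -> dict:
    """Compare the blocks each method writes against a dd-style full
    overwrite, then zero-wipe the ERASERS selection and re-scan."""
    img = build_image()
    total = len(img) // BLOCK
    erase_ids = erase_select(bytes(img), lo, hi)
    subs = erasers_select(bytes(img), lo, hi, z=4, n=4)
    erasers_ids = [i for s in subs for i in subpop_blocks(total, 4, s)]
    overwrite_blocks(img, erasers_ids, zeros_pattern)
    return {"brute_force_blocks": total,
            "erase_blocks": len(erase_ids),
            "erasers_subpops": subs,
            "erasers_blocks": len(erasers_ids),
            "residual_after_zero_wipe": len(erase_select(bytes(img), lo, hi))}


if __name__ == "__main__":
    print(demo())
```

On the constructed image both methods write 32 of 64 blocks instead of all 64. Note that if you pass urandom_pattern instead of zeros_pattern, the re-scan still reports the wiped blocks as sensitive: a pseudorandom wipe pattern sits at the top of the entropy scale, so an entropy scan cannot confirm that such a wipe happened (the point the Zeros vs. Random slide makes).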

Page 6: Erase icitst

ERASE

Designed to allow for a more efficient wipe in situations where pseudorandom data is being used as the wipe pattern.

Reduces the number of writes by performing extra reads: on the test drive a read runs at 106.8MB/s, while writing data drawn from /dev/urandom runs at 11.8MB/s, so checking a block's entropy before overwriting it is far cheaper than overwriting it unconditionally.

Also designed to allow for a more efficient wipe when multiple overwrite passes are performed: the entropy check is paid once per block, and every block it rules out is skipped on every pass.


Page 7: Erase icitst

ERASERS

A limitation of ERASE is that if a uniform pattern such as /dev/zero is used as the wipe pattern, ERASE will not be more efficient when only one overwrite pass is used (assuming read and write speeds on the drive are similar): reading every block to decide whether to write it costs about as much as simply writing it.

ERASERS was designed to allow for a more efficient wipe when a uniform wipe pattern is used.

Accomplished by randomly sampling blocks in areas of the drive and only overwriting those areas found to have sensitive data. Thus, a limited number of reads are performed to possibly prevent writes.

ERASERS could also be used to periodically wipe unallocated space.


Page 8: Erase icitst

Background

Sanitization Algorithms
Entropy - Compressibility of Data
Random Sampling


Page 9: Erase icitst

ERASE Process

Parameters chosen for a wipe:

1. Number of wipe passes
2. Wipe pattern - e.g., /dev/zero or /dev/urandom
3. Sensitive entropy range for the target area
4. Random sampling confidence level and interval (if using ERASERS)


Page 10: Erase icitst

One Pass or Multiple Passes

Gutmann [6] states that overwritten data can be read by specialized equipment, such as magnetic force microscopes. There has been severe criticism of this idea in the forensic community.

Numerous other wipe pass recommendations exist (see table).

The proposed method significantly outperforms the brute force method using the NIST SP800-88 1-pass random recommendation; performance is even better with multi-pass wipes.

[6] P. Gutmann, “Secure deletion of data from magnetic and solid-state memory,” in Proceedings of the 6th USENIX Security Symposium, 1996, pp. 77–89.


Publication               Wipe Method
NIST SP800-88             1 pass with random data
Original DoD 5220.22-M    3 pass wipe
New DoD 5220.22-M         Doesn't specify

Page 11: Erase icitst

Wiping – Zeros vs. Random Patterns


Pattern   What does that tell the second owner of the drive / forensic analyst?
Zeros     Drive has not been used, or drive has been wiped
Random    Difficult to tell if wiped or just high entropy data [jpg, zip, pdf]

Page 12: Erase icitst

Sensitive entropy range

User tunable parameter (0 - 8 bits per byte, bPB). Examples of ranges:

All blocks that have an entropy greater than zero.
All blocks of a certain file type.
All blocks that have an entropy between a very low entropy and a very high entropy.


Page 13: Erase icitst

Performance Results: Test Setup

ERASE/EWNS Test - x% of the blocks in the partition were filled with data within the sensitive entropy range. Tool ran in ERASE/EWNS mode.

ERASERS/EWSBC (Best Case) Test - x% of the blocks in the partition were sequentially filled with data within the sensitive entropy range. Tool ran in ERASERS/EWS mode with 95% CL and 5% CI, using 8 subpopulations of 4GB each. Best case because the data is clustered compactly and sequentially, so only the subpopulations holding it need to be overwritten.

ERASERS/EWSWC (Worst Case) Test - x% of the blocks in the partition were filled with data within the sensitive entropy range, but the blocks were spread out evenly across the drive, so every subpopulation contained data within the sensitive entropy range and had to be overwritten.


Page 14: Erase icitst

ERASE/EWNS vs. DD (/dev/urandom) [timing chart; not reproduced in this text]


Page 15: Erase icitst

ERASERS/EWS vs. DD (/dev/zero) [timing chart; not reproduced in this text]


Page 16: Erase icitst

Thoroughness of Technique

Probability of not sampling a sensitive block when 384 blocks are randomly sampled from a population of 1048576 blocks (384 out of 1048576 corresponds to a 95% CL and 5% CI).

Probability evaluated for scenarios with 10, 100, 1000, and 10000 sensitive blocks in a population of 1048576 blocks.
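The arithmetic behind that slide and behind the "confidence level and interval" parameter of the ERASE Process, as an added example (not from the paper or the tool). It assumes the usual normal-approximation sample size n0 = z^2 p(1-p)/e^2 with p = 0.5 and the finite population correction, rounded to the nearest integer, which reproduces the slide's 384; the miss probability is the hypergeometric chance that a sample drawn without replacement contains none of the sensitive blocks.

```python
"""Added example (not from the paper): sampling arithmetic behind ERASERS.
Assumptions: sample size from the normal approximation with p = 0.5 plus the
finite population correction, rounded; miss probability is hypergeometric
P(X = 0) = C(N-k, n) / C(N, n) for N blocks, k sensitive, n sampled."""
from statistics import NormalDist


def sample_size(population: int, confidence: float, interval: float) -> int:
    """Blocks to sample per (sub)population for a given confidence level and
    confidence interval, e.g. 0.95 and 0.05 -> 384 for ~1M blocks."""
    z = NormalDist().inv_cdf(1 - (1 - confidence) / 2)   # two-sided z-score
    n0 = z * z * 0.25 / (interval * interval)            # p = 0.5 maximises n0
    return round(n0 / (1 + (n0 - 1) / population))       # finite population correction


def miss_probability(population: int, sensitive: int, sample: int) -> float:
    """Probability that none of the `sample` blocks drawn without replacement
    is one of the `sensitive` blocks; a running product of (N-k-i)/(N-i)
    avoids the huge binomial coefficients."""
    if sample > population - sensitive:
        return 0.0  # more draws than non-sensitive blocks: a hit is certain
    p = 1.0
    for i in range(sample):
        p *= (population - sensitive - i) / (population - i)
    return p


def thoroughness_table(population: int = 1048576, confidence: float = 0.95,
                       interval: float = 0.05,
                       sensitive_counts=(10, 100, 1000, 10000)) -> dict:
    """Miss probability for each scenario on the slide: 384 samples from a
    population of 1048576 blocks holding 10, 100, 1000 or 10000 sensitive blocks."""
    n = sample_size(population, confidence, interval)
    return {k: miss_probability(population, k, n) for k in sensitive_counts}


def min_sensitive_for_detection(population: int, sample: int,
                                target_miss: float) -> int:
    """Smallest number of sensitive blocks that a sample of the given size
    misses entirely with probability <= target_miss (bisection; the miss
    probability is monotonically decreasing in the number of sensitive blocks)."""
    lo, hi = 0, population
    while lo < hi:
        mid = (lo + hi) // 2
        if miss_probability(population, mid, sample) <= target_miss:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    for k, p in thoroughness_table().items():
        print(f"{k:6d} sensitive blocks: P(all missed) = {p:.4f}")
    print("blocks needed for <=5% miss:",
          min_sensitive_for_detection(1048576, 384, 0.05))
```

The practical reading: a 95%/5% sample of 384 blocks almost always misses 10 scattered sensitive blocks in a 4 GiB subpopulation and still misses 1000 of them about 69% of the time; the subpopulation is reliably flagged only when sensitive data makes up roughly 1% or more of it. ERASERS is therefore an optimization for bulk sanitization of areas that are either largely clean or largely sensitive, not a guarantee against a few isolated blocks.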


Page 17: Erase icitst

Conclusion

Presented a novel disk sanitization technique.

ERASE calculates the entropy of data blocks in the target area to decide whether the blocks need to be overwritten.

ERASERS enhances ERASE by using random sampling to further optimize the wiping process.


Page 18: Erase icitst


Questions?

Thank you!!!