Sponsored by Solid State Drives (SSD) Secure Erasure Deep Dive: What it Takes to Really Make the Data Go Away © 2017 Monterey Technology Group Inc.

Solid State Drives (SSDs) - What it Takes to Make Data Go Away



Preview of key points

  • Data erasure fundamentals
  • Solid State Drives
  • Enterprise data destruction that
      • lets you forget about the technology
      • provable


Data erasure fundamentals

  • Deletion does not equal destruction
  • Security is always an afterthought in hardware design
  • Different technologies require different methods
  • Can be a black-box


How SSDs are different than HDDs and why that impacts security

  • You can read/write a given “page” of a magnetic HDD as many times as you like
  • And there’s just 2 operations – read and write


How SSDs are different than HDDs and why that impacts security

  • NAND memory has 3 operations: write (aka program), read and erase
  • Block can only be written once, then must be completely erased and rewritten

[Diagram: block states “Erased” and “Programmed”, linked by write and erase; read many]


How SSDs are different than HDDs and why that impacts security

  • NAND memory is bits organized into blocks
  • Start off with all bits set to 1
  • Write a block by setting necessary bits to 0 so that the block reflects the data you want to store
  • Now you have a “programmed” block storing the data
  • You can read that block repeatedly (reading it too many times will disturb nearby blocks)
  • When you need to update a single bit within that block you need to first erase the entire block and re-write the whole thing
      • Technically, if the bit you want to write is a 0 you could update just that bit
      • That’s a 50/50 chance
      • But normally you have to update more than one bit. So what’s the chance that all the bits you need to change are going to be 0?
  • If even one bit needs to go from 0 to 1 you have to
      • Read the entire block into SSD RAM
      • Update the bits or bytes or words necessary
      • Erase the block
      • Re-write the block
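The program/erase behaviour described on this slide, as an added Python sketch (not from the original deck): a toy 8-byte block where programming can only clear bits, so an update that needs any 0 to 1 flip forces the read, erase, rewrite path. `NandBlock`, `BLOCK_BYTES` and the sample bytes are constructed for illustration.

```python
# Added illustration: toy model of one NAND block (constructed, not vendor code).
BLOCK_BYTES = 8  # hypothetical tiny block; real blocks are far larger


class NandBlock:
    def __init__(self):
        self.cells = bytearray([0xFF] * BLOCK_BYTES)  # erased state: all bits 1
        self.pe_cycles = 0                            # wear counter

    def erase(self):
        # Erase works on the whole block only and costs one P/E cycle.
        self.cells = bytearray([0xFF] * BLOCK_BYTES)
        self.pe_cycles += 1

    def program(self, data):
        # Programming can only move bits 1 -> 0, so the result is old AND new.
        for i, b in enumerate(data):
            self.cells[i] &= b

    def can_program_in_place(self, data):
        # True only if no bit has to go from 0 back to 1.
        return all((old & new) == new for old, new in zip(self.cells, data))

    def update(self, offset, new_bytes):
        """Change some bytes and report which path the update had to take."""
        target = bytearray(self.cells)            # read the block into RAM
        target[offset:offset + len(new_bytes)] = new_bytes
        if self.can_program_in_place(target):
            self.program(target)
            return "in-place"
        self.erase()                              # erase the entire block
        self.program(target)                      # re-write the whole thing
        return "read-erase-rewrite"


def demo():
    blk = NandBlock()
    blk.program(b"\x0F\xFF\xFF\xFF\xFF\xFF\xFF\xFF")
    first = blk.update(0, b"\x0E")    # 0x0F -> 0x0E only clears one bit
    second = blk.update(0, b"\x1E")   # 0x0E -> 0x1E needs a 0 -> 1 flip
    return first, second, blk.pe_cycles, bytes(blk.cells)
```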


How SSDs are different than HDDs and why that impacts security

  • But NAND can only be programmed/erased so many times
  • Each P/E cycle causes physical damage to the medium
  • In real life some chunks of data get updated far more frequently than others
  • So SSD manufacturers implement
      • Wear levelling
      • Over-provisioning


How SSDs are different than HDDs and why that impacts security

Wear levelling and over-provisioning


How SSDs are different than HDDs and why that impacts security

  • But to make SSDs take off really fast, they didn’t want to make every OS manufacturer implement a new physical file system with knowledge specific to each implementation of NAND as SSD
  • So make an SSD look like an HDD and just translate it

[Diagram, top to bottom: Application; Operating System; ATA driver; ATA commands]


How SSDs are different than HDDs and why that impacts security

[Diagram, top to bottom: Application; Operating System; ATA driver; ATA commands; Flash translation layer (FTL). Label: Direct, page-for-page]


Traditional erasure algorithms unsuitable for SSDs

  • Military Spec
      • Overwrite each sector
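Why a sector-by-sector overwrite through the ATA interface does not reach every NAND page, as an added Python sketch (not from the original deck or any vendor's firmware): a toy FTL with out-of-place writes, wear levelling and two over-provisioned pages. `ToyFTL`, the page counts and the sample data are assumptions made for the example.

```python
# Added illustration: toy flash translation layer (constructed; not vendor firmware).
LOGICAL_SECTORS = 4   # sectors the host can address through ATA commands
PHYSICAL_PAGES = 6    # assumed: 2 extra over-provisioned pages the host never sees


class ToyFTL:
    def __init__(self):
        self.pages = [None] * PHYSICAL_PAGES   # None means erased
        self.l2p = {}                          # logical sector -> physical page
        self.wear = [0] * PHYSICAL_PAGES       # program count per page

    def _free_pages(self):
        return [p for p, d in enumerate(self.pages) if d is None]

    def _garbage_collect(self):
        # Erase only pages that no logical sector points to any more.
        live = set(self.l2p.values())
        for p in range(PHYSICAL_PAGES):
            if p not in live:
                self.pages[p] = None

    def write(self, lba, data):
        if not self._free_pages():
            self._garbage_collect()
        # Wear levelling: program the least-worn erased page, never in place.
        target = min(self._free_pages(), key=lambda p: self.wear[p])
        self.pages[target] = data
        self.wear[target] += 1
        self.l2p[lba] = target                 # the old page is stale, not erased

    def host_read(self, lba):
        return self.pages[self.l2p[lba]]

    def raw_scan(self, needle):
        # What reading the NAND directly, below the FTL, would show.
        return [p for p, d in enumerate(self.pages) if d and needle in d]


def overwrite_demo():
    ftl = ToyFTL()
    for lba in range(LOGICAL_SECTORS):
        ftl.write(lba, b"SECRET-%d" % lba)     # constructed sample data
    for lba in range(LOGICAL_SECTORS):
        ftl.write(lba, b"\x00" * 8)            # one "overwrite each sector" pass
    host_view = [ftl.host_read(lba) for lba in range(LOGICAL_SECTORS)]
    return host_view, ftl.raw_scan(b"SECRET")
```

After one full overwrite pass the host reads zeros from every sector, while physical pages 2 and 3 still hold the original data.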


Other issues

  • Freeze lock
      • BIOS of most modern computers blocks access to these commands with a “freeze lock” on the drive’s security feature set.
      • Unless the freeze lock is removed, it’s extremely difficult to conduct the necessary firmware-based erasure that scrubs entire SSD storage


Other issues

  • What is ATA Secure Erase?
      • Set of commands embedded in most hard drives since 2001
  • Secure Erase is a command, not a physical operation
  • Therefore it’s all about the implementation (i.e. code) behind that command

“it’s up to each manufacturer to implement it correctly. In their review of the secure erase command, Wei et al., 2011, have shown that over the 12 models of SSDs studied, only eight offered the ATA Secure Erase functionality, and over those eight drives, three had buggy implementations [11].” - http://codecapsule.com/2014/02/12/coding-for-ssds-part-4-advanced-functionalities-and-internal-parallelism/

https://www.usenix.org/legacy/event/fast11/tech/full_papers/Wei.pdf


Other issues

  • Cryptographic “erasure”
      • Drive firmware encrypts each page
      • SSD or HDD
      • To “erase” drive – just overwrite the key
      • In theory – great
      • But encryption in theory and in practice are 2 very different things
      • Over and over again see poor encryption implementations

“Given the bugs we found in some implementations of secure erase commands, it is unduly optimistic to assume that SSD vendors will properly sanitize the key store. Further, there is no way verify that erasure has occurred”

https://www.usenix.org/legacy/event/fast11/tech/full_papers/Wei.pdf

Bruce Schneier says, cryptographic systems “must be implemented exactly, perfectly, or they will fail.” (https://www.schneier.com/essays/archives/1997/01/why_cryptography_is.html)

https://www.owasp.org/images/5/57/OWASPIL2011-ErezMetula-WhenCryptoGoesWrong.pdf


Bottom line

  • SSD erasure
      • Must deal with
          • Flash translation layer
          • Freeze lock
      • Requires manufacturer specific logic
      • OEM cooperation
      • Multi-stage, multi-method
      • Verifiable
      • Provable
      • Reporting
  • Applies beyond just SSD


Securing the audit trail


Sample Report


SSD Erasure Approvals

The Finnish Communications Regulatory Authority (FICORA) has approved Blancco erasure software for erasing data from hard drives and Solid State Drives.

The AIVD is the General Intelligence and Security Service of the Netherlands and evaluates information security products. In their deployment advisory for Blancco 5 they state that, for SSD media, the “Blancco SSD Erasure”-standard should be used.


Additional Resources

Research Study: Security Limitations of Solid State Drives

https://www.blancco.com/resources/rs-security-limitations-of-ssds

Whitepaper: SSDs and the Unseen Data Destruction Risks

https://www.blancco.com/resources/wp-a-look-inside-ssds-unseen-data-destruction-risks

Free Evaluation: Blancco Drive Eraser for HDDs and SSDs

http://info.blancco.com/en-eval-blancco-5