Posted on 02/23/2011 1:44:13 AM PST by LibWhacker
Techniques that reliably erase hard disk drives don't produce the same results for solid state drives, warn University of California at San Diego researchers.
Solid state drives (SSDs) have a small security problem: they're tough to erase.
That warning comes from researchers at the University of California at San Diego. "Sanitization is well-understood for traditional magnetic storage, such as hard drives and tapes," said the researchers' in their study summary. "Newer solid state disks, however, have a much different internal architecture, so it is unclear whether what has worked on magnetic media will work on SSDs as well."
Accordingly, the researchers tried 14 different file sanitizing techniques -- ranging from Gutman's 35-pass method to the Schneier 7-pass method -- on SSDs. To study each technique's effectiveness, the researchers didn't query the flash translation layer (FTL) that's part of an SSD, but rather accessed the chips at the lowest level possible, via their pins. (Dismantling chips is straightforward, they said.)
What they found is that every data-erasing technique left at least 10MB of recoverable data from a 100MB file. Some techniques, such as overwriting the chip with pseudorandom data or using a British HMG IS5 baseline, left nearly all data intact.
By any measure, SSDs aren't the dominant way of storing data today, but their use is increasing. According to the recent InformationWeek Analytics State of Enterprise Storage Survey, nearly one-quarter of organizations have deployed SSDs in their data center, and more than half plan to either initiate or increase their use of SSDs this year.
Meanwhile, storage market researcher iSuppli predicts that the SSD penetration rate for laptops will increase from roughly 2% in 2010 to nearly 8% by 2014.
But according to the University of California at San Diego researchers, businesses must beware how they handle SSDs, because it's tough to erase data from them. "Our results show that naïvely applying techniques designed for sanitizing hard drives on SSDs, such as overwriting and using built-in secure erase commands is unreliable and sometimes results in all the data remaining intact," they said. "Furthermore, our results also show that sanitizing single files on an SSD is much more difficult than on a traditional hard drive."
How can SSDs be effectively secured or disposed of, short of physically destroying them? The researchers propose encrypting all data from the start, then destroying the encryption keys and overwriting every page of data to securely wipe the SSD and block future key recovery.
Implementing such an approach requires planning. "To properly secure data and take advantage of the performance benefits that SSDs offer, you should always encrypt the entire disk and do so as soon as the operating system is installed," said Chester Wisniewski, a senior security advisor for Sophos Canada, in a blog post. Based on the researchers' findings, "securely erasing SSDs after they have been used unencrypted is very difficult, and may be impossible in some cases," he said.
Might try penicillin.
nice info, I didn’t know this. I’m using SSD for my primary drive and HHD for storage
I suppose you could just take them 100 or so miles out in the ocean and then blow them up.
Definitely encrypt.
But I’m kind of at a loss how new “data” can coexist with overwritten data. On magnetic disks, you analyze the disk surface around and beneath the last written data for residual magnetism since every write does not follow precisely the same path or depth of previous writes and old magnetism can spread a little. How does something analogous happen to discrete capacitors?
You’ve got me. I was as surprised by this article as anyone.
SSD cleaning info ping
I had the same question, so I checked the paper that is referenced in the article (it's at Reliably Erasing Data from Flash-Based Solid State Drives).
It turns out that the concerns are not at the physical level; it's not the old problem of stray magnetic signatures that might be reconstructed. Instead, the problem lies in the fact that when you tell the SSD to write at a given block, and then later, you tell it to overwrite the same block, it doesn't actually do that. The logical block address mappings on an SSD are more sophisticated than most traditional hard disks.
The explanation in the paper is quite lucid:
SSDs use flash memory to store data. Flash memory is divided into pages and blocks. Program operations apply to pages and can only change 1s to 0s. Erase operations apply to blocks and set all the bits in a block to 1. As a result, in-place update is not possible. There are typically 64-256 pages in a block (see Table 5).
A flash translation layer (FTL) [15] manages the mapping between logical block addresses (LBAs) that are visible via the ATA or SCSI interface and physical pages of flash memory. Because of the mismatch in granularity between erase operations and program operations in flash, in-place update of the sector at an LBA is not possible.
Instead, to modify a sector, the FTL will write the new contents for the sector to another location and update the map so that the new data appears at the target LBA. As a result, the old version of the data remains in digital form in the flash memory. We refer to these “left over” data as digital remnants.
The researchers did show that the built-in "Secure Erase" feature on some SSDs did correctly erase the entire drive; however, it was not present or failed on 8 of the 12 drives tested. Overwriting actually did work pretty well in many cases according to the paper, but it wasn't perfect.
There are also limitations to the numbers of times that a given cell of flash memory can be written to before the cell will no longer accept the write; something on the order of 10,000 times (give or take). To make up for this limitation, SSDs contain a great deal of “extra” storage. Memory controllers onboard the SSD monitor where data is written and parcel out writes to all the cells to prevent prematurely exhausting cells that might otherwise be subject to a large number of rewrites.
The result is that within the SSD structure a logical file’s contents will be slowly shifted from one group of cells to other cells as changes are made to the file; but content in the old cells is simply left behind, to avoid “wasting” anther write to the cell.
This write limitation is one reason one does not want to run defrag utilities on SSDs as they more rapidly exhaust the number of available write operations; and defragging a device with no moving parts is of little value in improving file read rates.
love my SSD in my M11x
This is an issue, but it can be solved.
Within a year, SSDs will have secure erase algorithms *built in* at the flash chip level. The semiconductor industry is very good about that sort of thing. I’m confident that what they come up with will make SSDs even easier to secure-erase than magnetic drives.
The challenge will be to keep the gubmint from mandating a backdoor method for THEIR access. ;-)
I’m reading this from a laptop that has (as it’s only drive) an SSD drive that is also an encrypted drive.
I’m confused as to why overrighting would not destroy the data. If you delete the file addresses and then overright the entire available space that should do the trick. I’m unaware of how a binary recording system can have ghost memory once overwritten. What am I missing here?
Missed your post first go round. I have the same question as you. How can you have residual “ghost” memory in an overwritten binary system?
I was going to post this at Information Week, but since they insist on a login I’ll do it here:
The solution is in fact physical destruction of the drive when it fails or is upgraded. It will require enough force or other destructive action to destroy the flash chips. For instance, hitting the drive repeatedly with a sledgehammer until the chips are fragmented should be more than sufficient.
Incinerating the drives would probably be even better from an information security standpoint, but would require a special high temperature device in order to eliminate toxic combustion products.
Such precautions make the risk of using SSDs no worse than unencrypted rotational media, which are also easily compromised if there is physical access to them. Drives containing classified information have received these kinds of treatments for many years.
Can you share the make and model?
Sorry. IF it had said erasing FILES, I would have gotten it. That sector translation is used for wear leveling. But it said erasing the DRIVE. That means you overwrite free space or the entire drive, sector by sector, in a way that allocates every sector to a dummy file as it goes. That way you have ultimately cleared every sector regardless of translation.
Also obviously, you can’t erase the drive at the sector level alone without allocation to a file system because the translation by sectors will hopscotch around at the physical level. That does rule out some disk clearing utilities.
“Secure” deletion of individual files is obviously pointless on an SSD and has been pointed out in the literature already. But if you properly clear the drive (magnetic or SSD) with a utility like WinHex (which does build files of “junk” data as it goes), they have no secret way to snoop and you’re good.
I know drives and encryption. I think they were deliberately ambiguous for the sensation. OTOH, this post is useful information. (I have no connection with WinHex other than reporting a few bugs over the years.)
It’s a Lenovo W510 - the encryption is not “out of the box” but rather it’s an app that IT pushes down.
See post #9 and my response in #18.
The article is sensational ambiguous BS.
My post #18 explains the issue and solution precisely.
It is what I’ve always done, so I had to start from a step back.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.