I’ve posted here a number of times about the security risks inherent in keeping confidential data in digital form, citing, for example, incidents involving database hacks and laptop carelessness. We’ve also looked at the risks of data left on discarded hardware, and even data that may be left on digital photocopiers. There are various ways of reducing these risks, ranging from encryption of the stored data to physical destruction of the media before disposal. The US government has standards for “sanitizing” hard disk drives, which typically call for every data block to be overwritten one or more times with fixed or random binary patterns.
The introduction of new technologies often presents new problems, or old problems in a new light. According to a presentation at the Ninth USENIX Conference on File and Storage Technologies [FAST ’11], held in February, the growing use of solid-state disk [SSD] devices has added some new challenges to the job of making sure sensitive data is rendered unrecoverable. The paper [PDF], “Reliably Erasing Data from Flash-Based Solid State Drives”, by a group of researchers at the University of California at San Diego, shows that the differences in storage technology and access methods between conventional disk drives and SSDs mean that techniques used to sanitize conventional drives are not necessarily effective for SSDs.
Rather than using rotating magnetic platters, SSDs use flash memory chips to store data. They typically also include an indirection layer, the flash translation layer [FTL], between the logical block addresses used by the OS and the idiosyncratic physical access methods used by the flash hardware. The FTL also improves performance and spreads “wear” evenly across the chips, which matters because a flash cell tolerates far fewer program/erase cycles than a magnetic platter. Furthermore, flash memory cannot update a page in place: a write records a new copy in a fresh location and merely marks the old version invalid, to be reclaimed by garbage collection at some later time of the drive’s choosing. Many SSDs also carry spare (“over-provisioned”) capacity that is not addressable by the host at all, so stale copies can sit in locations the OS can never read or overwrite. All of these factors make the traditional overwriting approach problematic: the host may read back zeros for every logical block while the old data is still physically present on the chips. The researchers’ tests demonstrated that, although overwriting the whole drive sometimes worked, it was not reliable across devices. (They verified the results with a purpose-built flash chip reader that bypasses the FTL, which is the only way to be sure; reading the drive back through its normal interface proves nothing.)
One solution that is offered by some manufacturers is a “secure erase” command; commands of this type are part of the standard ATA (SECURITY ERASE UNIT) and SCSI command sets and are executed by the drive’s own firmware, which, unlike the host, can reach every physical page. This, if implemented correctly, is a good solution; unfortunately, out of nine SSD devices the team tested, only four supported the secure erase operation and performed it correctly. Other devices either did not support secure erase, or it failed to work; one drive reported success but left all of the data intact. The practical lesson is that the drive’s status code is not evidence of sanitization, only a claim that must be checked.
Another potential solution builds on the [good] idea of keeping the data encrypted. Some drives encrypt all data in hardware as it is written; the encryption key is stored in the device’s “private” storage. In principle, assuming the cipher is reasonably robust, destroying the key renders every copy of the data, including stale copies in spare capacity, effectively inaccessible. One attractive feature of this approach is speed; the key destruction operation is typically an order of magnitude faster than a secure erase. This requires, though, that the device actually destroy every copy of the key (and of any material from which it could be regenerated) rather than simply marking it invalid in the same out-of-place fashion as ordinary data, and that no other path to the key remains. Unfortunately, from the outside it is difficult or impossible to verify that this has been done: the chip reader sees only ciphertext either way, and cannot tell whether the key is truly gone.
Finally, the researchers found that no existing technique was adequate to sanitize individual files on SSD devices: overwriting a file through the file system left stale copies of its contents on the flash chips in every case they tested.
In an earlier paper [PDF], two of the researchers, Michael Wei and Steven Swanson, proposed a new technique, which they call SAFE [“Scramble and Finally Erase”], for reliably sanitizing SSDs. The drive keeps all data encrypted; when it is to be sanitized, the encryption key is destroyed first, and then every block on the device is erased. The ordering matters: the key destruction is the fast step, and once it is done anything still on the chips is ciphertext under a key that no longer exists, so an interrupted erase leaves nothing useful behind; the full erase then removes the ciphertext as well, so the outcome can be checked with a chip reader and does not rest on the unverifiable claim that the key is gone. The authors propose this as a general approach for sanitizing SSD devices.
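The following is an added illustration, not code from the paper or from any drive vendor: a toy model of an SSD with a flash translation layer, used to show the three points above in one place. Overwriting every logical block leaves the old data in stale physical pages that only a chip-level read can see; a firmware whose secure erase reports success without doing the work looks identical from the host; and destroying the key defeats a chip reader only as long as the old key really is gone, whereas SAFE (destroy the key, then erase every page) leaves nothing to recover even if the old key leaks. The page size, the spare-capacity layout, the garbage-collection policy and the XOR “cipher” are all simplifications chosen for the demonstration (real drives use AES-XTS and erase in large blocks), and the sample secret is constructed.

```python
import hashlib
import os

PAGE = 16                  # bytes per flash page (toy size)
ERASED = b"\xff" * PAGE    # NAND reads back as all ones after an erase
SECRET = b"TOP-SECRET-16BYT"  # constructed sample data, exactly one page


class FlashChip:
    """Raw NAND model: a page is programmed once and can only be reset by an
    erase. This is the view the researchers' chip reader has."""

    def __init__(self, pages):
        self.pages = [ERASED] * pages

    def program(self, idx, data):
        if self.pages[idx] != ERASED:
            raise RuntimeError("flash cannot update a page in place")
        self.pages[idx] = data

    def erase(self, idx):
        self.pages[idx] = ERASED

    def erase_all(self):
        for idx in range(len(self.pages)):
            self.erase(idx)


def keystream(key, idx):
    """Toy per-page keystream (NOT a real cipher; stands in for AES-XTS)."""
    return hashlib.sha256(key + idx.to_bytes(4, "big")).digest()[:PAGE]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class SSD:
    """FTL: logical block -> physical page, out-of-place writes, spare pages
    the host never sees, optional whole-drive encryption."""

    def __init__(self, blocks, spare, encrypt, honest_secure_erase=True):
        self.blocks = blocks
        self.chip = FlashChip(blocks + spare)
        self.map = {}                                   # lba -> physical page
        self.free = list(range(blocks + spare))
        self.key = os.urandom(32) if encrypt else None  # the "private" storage
        self.honest = honest_secure_erase

    def _gc(self):
        """Stale pages are reclaimed only when free pages run out; until then
        the old copies stay on the chip, invisible to the host."""
        live = set(self.map.values())
        for idx, raw in enumerate(self.chip.pages):
            if idx not in live and raw != ERASED:
                self.chip.erase(idx)
                self.free.append(idx)

    def write(self, lba, data):
        if not self.free:
            self._gc()
        idx = self.free.pop(0)
        if self.key is not None:
            data = xor(data, keystream(self.key, idx))
        self.chip.program(idx, data)
        self.map[lba] = idx        # the previous page is now stale, not erased

    def read(self, lba):
        idx = self.map.get(lba)
        if idx is None:
            return ERASED
        raw = self.chip.pages[idx]
        return xor(raw, keystream(self.key, idx)) if self.key else raw

    def overwrite_all(self, pattern=b"\x00"):
        """Host-side sanitization: overwrite every logical block."""
        for lba in range(self.blocks):
            self.write(lba, pattern * PAGE)

    def secure_erase(self):
        """ATA SECURITY ERASE UNIT; a buggy firmware just reports success."""
        if self.honest:
            self.chip.erase_all()
            self.map.clear()
            self.free = list(range(len(self.chip.pages)))
        return True

    def crypto_erase(self):
        """Replace the key; whether the old one is truly gone is unverifiable."""
        self.key = os.urandom(32)

    def safe(self):
        """SAFE: destroy the key first, then erase every physical page."""
        self.crypto_erase()
        self.secure_erase()


def chip_pages_matching(ssd, plaintext, key=None):
    """Chip reader: count physical pages holding `plaintext`, optionally after
    decrypting with a key the attacker has obtained."""
    hits = 0
    for idx, raw in enumerate(ssd.chip.pages):
        if raw == ERASED:
            continue
        data = xor(raw, keystream(key, idx)) if key is not None else raw
        hits += data == plaintext
    return hits


def fill(ssd):
    for lba in range(ssd.blocks):
        ssd.write(lba, SECRET)
    return ssd


def overwrite_leaves_stale_copies():
    ssd = fill(SSD(blocks=4, spare=4, encrypt=False))
    ssd.overwrite_all()
    host_clean = all(ssd.read(l) == b"\x00" * PAGE for l in range(4))
    after_one = chip_pages_matching(ssd, SECRET)   # host sees zeros, chip holds 4 copies
    ssd.overwrite_all()                            # a second pass triggers GC here
    return host_clean, after_one, chip_pages_matching(ssd, SECRET)


def bogus_secure_erase_reports_success():
    ssd = fill(SSD(blocks=4, spare=4, encrypt=False, honest_secure_erase=False))
    return ssd.secure_erase(), chip_pages_matching(ssd, SECRET)


def crypto_erase_depends_on_key_destruction():
    ssd = fill(SSD(blocks=4, spare=4, encrypt=True))
    leaked = ssd.key                               # suppose the old key survived
    ssd.crypto_erase()
    return chip_pages_matching(ssd, SECRET), chip_pages_matching(ssd, SECRET, leaked)


def safe_defeats_leaked_key():
    ssd = fill(SSD(blocks=4, spare=4, encrypt=True))
    leaked = ssd.key
    ssd.safe()
    return chip_pages_matching(ssd, SECRET, leaked)


if __name__ == "__main__":
    print("overwrite (host clean, stale after 1 pass, after 2):", overwrite_leaves_stale_copies())
    print("bogus secure erase (reported, copies left):", bogus_secure_erase_reports_success())
    print("crypto erase (raw hits, hits with leaked key):", crypto_erase_depends_on_key_destruction())
    print("SAFE (hits with leaked key):", safe_defeats_leaked_key())
```

In this toy the second overwrite pass happens to reclaim the stale pages, which mirrors the paper’s finding that whole-drive overwriting “sometimes worked”; on a real drive the garbage-collection policy and the amount of spare capacity are unknown to the host, so that outcome cannot be relied on, and the only trustworthy check is the chip-level read that `chip_pages_matching` stands in for.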
Solid-state disks are a relatively new technology, and I expect the implementation of capabilities like secure erasing to improve. But this should serve as a reminder that, where security is concerned, we mustn’t take anything for granted.
Oh, by the way: just as with conventional disks, a sledgehammer works nicely on SSDs.
Ars Technica also has an article summarizing some of these results.