Researchers from the University of California, San Diego have found that totally erasing data from SSDs is not as easy or reliable as previously thought.
The
ability to totally erase data from storage devices is a critical component of
secure data management, regardless of whether the organization is just throwing
away an old system or repurposing it for someone else's use. Recent
research indicates, however, that sanitizing solid-state drives is not
easy.
Three
researchers from the Department of Computer Science and Engineering and one
from the Center for Magnetic Recording and Research at the University of
California have "empirically" found that existing disk sanitization
techniques don't work on SSDs because the internal architecture of an SSD
is very different from a that of a hard disk drive, according to a paper
presented Feb. 16 at the USENIX
File and Storage Technologies Conference in San Jose, Calif.
The
researchers tested built-in ATA commands for erasing the entire SSD,
existing software tools to erase the entire drive and software tools capable of
securely erasing individual files. The researchers verified the reliability and
effectiveness of the technique to determine what worked best. In the
verification procedure, researchers wrote a structured data pattern to the
drive, sanitized the drive using a known technique, dismantled the drive and
extracted the raw data directly from the flash chips using a custom flash
testing system.
"Reliable
SSD sanitization requires built-in,
verifiable sanitize operations," the researchers wrote.
Most
modern drives have built-in commands that instruct on-board firmware to run a
standard sanitization protocol on the drive to remove all data. Since the
manufacturer has "full knowledge" of the drive's design, these
techniques should be reliable, but researchers found that many of the
implementations were flawed.
There
are two standard commands, ERASE UNIT and ERASE UNIT ENH,
as well as a BLOCK ERASE command defined in the ACS-2
specification, which is still in draft form, according to the paper.
Researchers
tested the ERASE UNIT command on seven drives that claimed to support the ATA
Security set and found only four executed it reliably, the researchers said.
Two had a bug that prevented the command from executing and one claimed to have
executed the command despite the fact that all the data was still intact and
accessible. Researchers called that last drive's results "most disturbing."
"Standardized
commands should work correctly almost indefinitely," they wrote.
While
existing software applications for deleting the entire drive work "most,
but not all," of the time, the researchers found that none of the
available software techniques for securely removing individual files was
effective on flash-based SSDs. Sanitizing single files allows the filesystem to
remain usable, but it was a "more delicate operation," the
researchers said. For software that sanitized drives by overwriting the drive
multiple times, doing it twice was usually sufficient, the researchers found.
All single-file software sanitization protocols failed, as 4 percent to 75
percent of the file's contents remained intact.
The
researchers defined "sanitized" as erasing all or part of the storage
device in such a way that the contained data was difficult or impossible to
recover, according to the paper. "Local" sanitization, or "clearing,"
as defined by the National Institute of Standards and Technology, meant data
could not be recoverable via standard hardware interfaces such as SATA or SCSI
commands.
"Digital"
sanitization meant data could not be recovered via any digital means, including
"subversion of the device's controller or firmware," the researchers
wrote. Analog sanitization, or "purging," as defined by NIST,
degrades the analog signal that encodes the data so that it is "effectively
impossible" to reconstruct. "Cryptographic" sanitization
referred to encrypting and decrypting incoming and outgoing data, and then just
deleting the key from the drive.
Email
Print
