SSDs Harder to Securely Purge of Data than HDDs
The ability to totally erase data from storage devices is a critical component of secure data management, regardless of whether the organization is just throwing away an old system or repurposing it for someone else's use. Recent research indicates, however, that sanitizing solid-state drives is not easy.
Three researchers from the Department of Computer Science and Engineering and one from the Center for Magnetic Recording and Research at the University of California have "empirically" found that existing disk sanitization techniques don't work on SSDs because the internal architecture of an SSD is very different from a that of a hard disk drive, according to a paper presented Feb. 16 at the USENIX File and Storage Technologies Conference in San Jose, Calif.
The researchers tested built-in ATA commands for erasing the entire SSD, existing software tools to erase the entire drive and software tools capable of securely erasing individual files. The researchers verified the reliability and effectiveness of the technique to determine what worked best. In the verification procedure, researchers wrote a structured data pattern to the drive, sanitized the drive using a known technique, dismantled the drive and extracted the raw data directly from the flash chips using a custom flash testing system.
"Reliable SSD sanitization requires built-in, verifiable sanitize operations," the researchers wrote.
Most modern drives have built-in commands that instruct on-board firmware to run a standard sanitization protocol on the drive to remove all data. Since the manufacturer has "full knowledge" of the drive's design, these techniques should be reliable, but researchers found that many of the implementations were flawed.
There are two standard commands, ERASE UNIT and ERASE UNIT ENH, as well as a BLOCK ERASE command defined in the ACS-2 specification, which is still in draft form, according to the paper.
Researchers tested the ERASE UNIT command on seven drives that claimed to support the ATA Security set and found only four executed it reliably, the researchers said. Two had a bug that prevented the command from executing and one claimed to have executed the command despite the fact that all the data was still intact and accessible. Researchers called that last drive's results "most disturbing."
"Standardized commands should work correctly almost indefinitely," they wrote.
While existing software applications for deleting the entire drive work "most, but not all," of the time, the researchers found that none of the available software techniques for securely removing individual files was effective on flash-based SSDs. Sanitizing single files allows the filesystem to remain usable, but it was a "more delicate operation," the researchers said. For software that sanitized drives by overwriting the drive multiple times, doing it twice was usually sufficient, the researchers found. All single-file software sanitization protocols failed, as 4 percent to 75 percent of the file's contents remained intact.
The researchers defined "sanitized" as erasing all or part of the storage device in such a way that the contained data was difficult or impossible to recover, according to the paper. "Local" sanitization, or "clearing," as defined by the National Institute of Standards and Technology, meant data could not be recoverable via standard hardware interfaces such as SATA or SCSI commands.
"Digital" sanitization meant data could not be recovered via any digital means, including "subversion of the device's controller or firmware," the researchers wrote. Analog sanitization, or "purging," as defined by NIST, degrades the analog signal that encodes the data so that it is "effectively impossible" to reconstruct. "Cryptographic" sanitization referred to encrypting and decrypting incoming and outgoing data, and then just deleting the key from the drive.