TrueErase Flash Storage Sarah Diesburg, Chris Meyers, An-I Andy Wang

advertisement
TrueErase: Secure Deletion on
Flash Storage
Sarah Diesburg, Chris Meyers,
An-I Andy Wang
5/29/2016
The Problem


Most users believe that files cannot be retrieved
once

Files are no longer visible

The trashcan is emptied

The partition is formatted
In reality, only link to the file
deleted

is
Actual data remains
2
The Problem

Decommissioned storage devices leak
sensitive information
3
What is Secure Deletion?

Secure deletion means rendering files
completely irrecoverable

No forensic analysis should be able to recover
data from media
4
Secure Deletion Complications

Flash electronic storage can make it nearly
impossible to erase files
5
Flash Characteristics

Locations must first be erased before new
data can be written


But it can take awhile to erase a location
Locations can only be written or erased a
small amount of times
The flash solution is to rotate locations for
writes.
6
Flash Write Behavior

Flash management software rotates the usage of
locations
Operating System
Flash
1
2
3
4
5
6
7
7
Flash Write Behavior

Flash management software rotates the usage of
locations
Write
gibberish
to 2
Operating System
Flash
1
2
3
4
5
6
7
8
Flash Write Behavior


Overwrites go to new location instead of original block
Dead data left behind until that location is erased
Write
gibberish
to 2
Operating System
Flash
O(\ks@
1
2
3
4
5
6
7
9
Is this a problem?

Raw flash chips can be removed and placed in a reader
Removal via hot air

Universal chip reader
We must somehow erase sensitive data!
10
Achieving Secure Deletion

Need to send erase command to flash to
erase sensitive information


Flash has no information about the security of the
file – only the file system knows this
Currently, file systems only understand read and
write commands, not erase commands
11
TrueErase Components
1.
2.
Centralized module that passes secure
deletion information from file system to lower
layers
Extension to storage block layer to take
advantage of above information


Issue secure overwrite command
Call storage-specific secure deletion command
12
TrueErase Datapath View
Applications
User
Kernel
File System
Secure Deletion
Module
Block #
Block #
Add
Check
Block
Layer
Secure delete
commands
Storage
13
TrueErase User View
Secure delete
Operating System
Securely erase
my file!
Secure delete
14
TrueErase Flash Behavior

We can now tell the flash to erase locations
Securely
delete
2
Operating System
Flash
1
2
3
4
5
6
7
15
TrueErase Flash Behavior

The location can be securely deleted!
Operating System
Erase!
Flash
1
2
3
4
5
6
7
16
Why is this challenging?

Flash management not easily changeable



File systems not designed for erase


Performance implications
Rotating the right locations
Backward compatibility issues
Handling crashes during secure deletion

Correctness issues
17
Current Development – TrueErase
18
Current Development – TrueErase

Programming complete prototype


Fixing final bugs
Expected to be done for conference paper
submission in early January
19
Questions?
For more information about TrueErase, visit
http://ww2.cs.fsu.edu/~diesburg/trueerase.html
20
Download