TrueErase: Secure Deletion on Flash Storage
Sarah Diesburg, Chris Meyers, An-I Andy Wang
5/29/2016

The Problem
Most users believe that files cannot be retrieved once
  - Files are no longer visible
  - The trashcan is emptied
  - The partition is formatted
In reality, only the link to the file is deleted
  - Actual data remains
Decommissioned storage devices leak sensitive information

What is Secure Deletion?
  - Secure deletion means rendering files completely irrecoverable
  - No forensic analysis should be able to recover data from media

Secure Deletion Complications
  - Flash electronic storage can make it nearly impossible to erase files

Flash Characteristics
  - Locations must first be erased before new data can be written
  - But it can take a while to erase a location
  - Locations can only be written or erased a small number of times
  - The flash solution is to rotate locations for writes

Flash Write Behavior
  - Flash management software rotates the usage of locations
  - Overwrites go to a new location instead of the original block
  - Dead data is left behind until that location is erased
[Diagram: the operating system issues "Write gibberish to 2"; flash locations 1 to 7, with the gibberish "O(\ks@" landing in a new location]

Is this a problem?
  - Raw flash chips can be removed and placed in a reader
      - Removal via hot air
      - Universal chip reader
  - We must somehow erase sensitive data!

Achieving Secure Deletion
  - Need to send an erase command to flash to erase sensitive information
  - Flash has no information about the security of the file – only the file system knows this
  - Currently, file systems only understand read and write commands, not erase commands

TrueErase Components
  1. Centralized module that passes secure deletion information from the file system to lower layers
  2. Extension to the storage block layer to take advantage of the above information
      - Issue secure overwrite command
      - Call storage-specific secure deletion command

TrueErase Datapath View
[Diagram: Applications, User/Kernel boundary, File System, Secure Deletion Module, Block Layer, Storage; labels: "Block #" with "Add" and "Check", "Secure delete commands"]

TrueErase User View
[Diagram: the user asks the operating system "Securely erase my file!"; labels: "Secure delete"]

TrueErase Flash Behavior
  - We can now tell the flash to erase locations
  - The location can be securely deleted!
[Diagram: the operating system issues "Securely delete 2", then "Erase!"; flash locations 1 to 7]

Why is this challenging?
  - Flash management not easily changeable
  - File systems not designed for erase
  - Performance implications
  - Rotating the right locations
  - Backward compatibility issues
  - Handling crashes during secure deletion
  - Correctness issues

Current Development – TrueErase
  - Programming complete prototype
  - Fixing final bugs
  - Expected to be done for conference paper submission in early January

Questions?
For more information about TrueErase, visit http://ww2.cs.fsu.edu/~diesburg/trueerase.html
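
The write rotation and erase behavior from the Flash Write Behavior and TrueErase Flash Behavior slides, as an added toy simulation (not code from the slides or from TrueErase). The ToyFlash class, its per-location erase, the owner tracking and the sample data are assumptions made for illustration.

```python
# Toy model of flash write rotation (constructed; not TrueErase code).
# Assumption: each location is individually erasable, as drawn on the slides;
# real NAND erases whole blocks made of many pages.

class ToyFlash:
    def __init__(self, n_locations=7):
        self.phys = [None] * n_locations   # raw contents; None means erased
        self.owner = [None] * n_locations  # logical block each location last held
        self.mapping = {}                  # logical block -> live physical location
        self.cursor = 0                    # rotation pointer

    def write(self, logical, data):
        """Place data in the next erased location; any old copy stays behind."""
        for _ in range(len(self.phys)):
            loc = self.cursor
            self.cursor = (self.cursor + 1) % len(self.phys)
            if self.phys[loc] is None:
                self.phys[loc], self.owner[loc] = data, logical
                self.mapping[logical] = loc  # remap only; nothing is erased
                return loc
        raise RuntimeError("no erased location left (garbage collection not modelled)")

    def read(self, logical):
        return self.phys[self.mapping[logical]]

    def raw_dump(self):
        """What a chip reader sees: every non-erased location, live or dead."""
        return {loc: d for loc, d in enumerate(self.phys) if d is not None}

    def secure_delete(self, logical):
        """Hypothetical erase command: wipe live and dead copies of a block."""
        erased = [loc for loc, o in enumerate(self.owner) if o == logical]
        for loc in erased:
            self.phys[loc] = self.owner[loc] = None
        self.mapping.pop(logical, None)
        return erased

def overwrite_then_erase():
    flash = ToyFlash()
    flash.write(1, b"public notes")      # constructed sample data
    flash.write(2, b"SECRET KEY")        # constructed sample data
    flash.write(2, b"O(\\ks@")           # "write gibberish to 2"
    visible = flash.read(2)              # the OS now sees only gibberish
    before = flash.raw_dump()            # but the old copy is still on the chip
    erased = flash.secure_delete(2)
    return visible, before, erased, flash.raw_dump()

if __name__ == "__main__":
    print(overwrite_then_erase())
```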