This document discusses the challenges of securely erasing data from solid state drives (SSDs) compared to traditional hard disk drives (HDDs). It explains that SSDs have a different memory architecture from HDDs, which changes how data is written, read, and erased, so erasure methods designed for HDDs (overwriting every sector in place) do not fully erase data from SSDs. The document outlines SSD-specific issues such as wear levelling, the flash translation layer, and firmware freeze locks that must be addressed for complete erasure, and it emphasises the need for multi-stage, manufacturer-specific erasure processes that are verifiable and provable.
3. Preview of key points
Data erasure fundamentals
Solid State Drives
Enterprise data destruction that lets you forget about the technology
Provable erasure
4. Data erasure fundamentals
Deletion does not equal destruction
Security is always an afterthought in hardware design
Different technologies require different methods
The drive can be a black box: you cannot see what the firmware actually does with a write or an erase command, so erasure must be verified, not assumed
5. How SSDs are different from HDDs and why that impacts security
You can read/write a given "page" (sector) of a magnetic HDD as many times as you like, in place
6. How SSDs are different from HDDs and why that impacts security (continued)
And there are just 2 operations: read and write
7. How SSDs are different from HDDs and why that impacts security
[Diagram: an Erased block becomes Programmed by a write; it returns to Erased only by an erase]
NAND memory has 3 operations: write (aka program), read and erase
A page can only be programmed once; to change it, the whole block that contains it must be completely erased and then rewritten
Read many
8. How SSDs are different from HDDs and why that impacts security
NAND memory is bits organized into pages, and pages into blocks
An erased block starts off with all bits set to 1
Write (program) a page by clearing the necessary bits to 0 so that the page reflects the data you want to store
Now you have a "programmed" page storing the data
You can read that page repeatedly
(Reading it too many times disturbs nearby pages in the same block: "read disturb")
When you need to update a single bit within that page you must first erase the entire block and re-write the whole thing
Technically, if the bit you want to write is a 0 you could update just that bit, because programming can only clear bits (1 to 0), never set them
For a single bit that is a 50/50 chance
But normally you have to update more than one bit. So what is the chance that every bit you need to change goes from 1 to 0? If even one bit needs to go from 0 to 1 you have to:
Read the entire block into SSD RAM
Update the bits, bytes or words necessary
Erase the block
Re-write the block
9. How SSDs are different from HDDs and why that impacts security
But NAND can only be programmed/erased so many times
Each program/erase (P/E) cycle causes physical damage to the medium
In real life some chunks of data get updated far more frequently than others
So SSD manufacturers implement:
Wear levelling (spread writes across all blocks so that no block wears out before the others)
Over-provisioning (more physical flash than the advertised capacity, held back as spare blocks)
11. How SSDs are different from HDDs and why that impacts security
But to make SSDs take off really fast, they did not want to make every OS manufacturer implement a new physical file system with knowledge specific to each implementation of NAND as an SSD
So make an SSD look like an HDD and just translate
[Diagram: Application -> Operating System -> ATA driver -> ATA commands -> drive]
12. How SSDs are different from HDDs and why that impacts security
[Diagram, HDD: Application -> Operating System -> ATA driver -> ATA commands -> platters. Direct, page-for-page: a logical sector always maps to the same physical location, so overwriting it destroys the old contents]
[Diagram, SSD: Application -> Operating System -> ATA driver -> ATA commands -> Flash translation layer (FTL) -> NAND. The FTL remaps each write to a fresh physical page, so the old copy stays on the flash until the firmware eventually erases that block]
14. Other issues
Freeze lock
The BIOS of most modern computers blocks access to the ATA security commands by issuing a "freeze lock" (SECURITY FREEZE LOCK) against the drive's security feature set at boot
Unless the freeze lock is removed (typically by suspending and resuming the system, or hot-plugging the drive, so that it powers up without the BIOS freezing it again), it is extremely difficult to conduct the firmware-based erasure that scrubs the entire SSD
15. Other issues
What is ATA Secure Erase?
Set of commands embedded in most hard drives since 2001
Secure Erase is a command, not a physical operation
Therefore it is all about the implementation (i.e. code) behind that command
"it's up to each manufacturer to implement it correctly. In their review of the secure erase command, Wei et al., 2011, have shown that over the 12 models of SSDs studied, only eight offered the ATA Secure Erase functionality, and over those eight drives, three had buggy implementations [11]." - http://codecapsule.com/2014/02/12/coding-for-ssds-part-4-advanced-functionalities-and-internal-parallelism/
https://www.usenix.org/legacy/event/fast11/tech/full_papers/Wei.pdf
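Slides 14 and 15 together amount to a pre-flight check: before issuing ATA Secure Erase you need to know whether the drive supports the security feature set, whether the BIOS has frozen it, and whether the enhanced variant is available. The following is an added example and is not from the original deck: it parses the Security section of `hdparm -I` output and returns either the hdparm command sequence or the reason you cannot proceed. The two outputs it parses are constructed samples in hdparm's layout, and the device name is an assumption.

```python
# Added example: decide whether an ATA Secure Erase can be issued, from the
# "Security:" section of `hdparm -I`. The sample outputs are constructed in
# hdparm's layout, not captured from a specific drive.
import subprocess


def hdparm_sample(frozen: bool) -> str:
    """Constructed `hdparm -I` excerpt (real output indents with tabs; the
    parser below normalises whitespace so either form works)."""
    frozen_line = "        frozen" if frozen else "    not frozen"
    return "\n".join([
        "ATA device, with non-removable media",
        "Security:",
        "    Master password revision code = 65534",
        "        supported",
        "    not enabled",
        "    not locked",
        frozen_line,
        "    not expired: security count",
        "        supported: enhanced erase",
        "    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.",
        "Checksum: correct",
        "",
    ])


def parse_ata_security(hdparm_output: str) -> dict:
    """Flags from the Security section; a line prefixed 'not' negates the flag."""
    state = {"supported": False, "enabled": False, "locked": False,
             "frozen": False, "enhanced_erase": False}
    in_section = False
    for raw in hdparm_output.splitlines():
        if raw.startswith("Security:"):
            in_section = True
            continue
        if not in_section or not raw.strip():
            continue
        if not raw[0].isspace():              # next top-level section: done
            break
        line = " ".join(raw.split())          # collapse tabs and spaces
        negated = line.startswith("not ")
        if negated:
            line = line[4:]
        if line == "supported":
            state["supported"] = not negated
        elif line == "supported: enhanced erase":
            state["enhanced_erase"] = not negated
        elif line in ("enabled", "locked", "frozen"):
            state[line] = not negated
    return state


def plan_secure_erase(state: dict, dev: str = "/dev/sdX"):
    """Return ("ok", erase_kind, commands) or ("abort", reason, [])."""
    if not state["supported"]:
        return ("abort", "ATA security feature set not supported: use the vendor's "
                         "sanitize tool (or nvme sanitize / nvme format -s for NVMe)", [])
    if state["frozen"]:
        return ("abort", "drive is frozen (BIOS issued SECURITY FREEZE LOCK): "
                         "suspend/resume or hot-plug the drive, then re-check", [])
    if state["enabled"] or state["locked"]:
        return ("abort", "security already enabled/locked: the erase needs the "
                         "existing password", [])
    # The ATA spec requires the enhanced variant to also cover sectors no longer
    # in use due to reallocation; whether a given firmware honours that is
    # exactly what slide 15 warns about, so verify afterwards regardless.
    kind = "enhanced" if state["enhanced_erase"] else "normal"
    flag = "--security-erase-enhanced" if kind == "enhanced" else "--security-erase"
    cmds = [f"hdparm --user-master u --security-set-pass NULL {dev}",  # a password must be set first
            f"hdparm --user-master u {flag} NULL {dev}"]
    return ("ok", kind, cmds)


def query_and_plan(dev: str):
    """Run hdparm against a real device (needs root) and plan from its output."""
    out = subprocess.run(["hdparm", "-I", dev], capture_output=True,
                         text=True, check=True).stdout
    return plan_secure_erase(parse_ata_security(out), dev)


if __name__ == "__main__":
    for frozen in (True, False):
        print(plan_secure_erase(parse_ata_security(hdparm_sample(frozen)), "/dev/sdb"))
```

Whatever the plan returns, treat the erase as unverified until proven otherwise: write a known marker pattern to a handful of sectors before the erase, run the commands, re-run `hdparm -I` to confirm security is back to "not enabled", then read the marked sectors (and a random sample of others) back and confirm the marker is gone. That read-back is the only evidence the drive's implementation, not just its command set, did what it claims.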
16. Other issues
Cryptographic "erasure"
Drive firmware encrypts each page
SSD or HDD
To "erase" the drive, just overwrite (destroy) the key
In theory, great
But encryption in theory and encryption in practice are 2 very different things
Over and over again we see poor encryption implementations
"Given the bugs we found in some implementations of secure erase commands, it is unduly optimistic to assume that SSD vendors will properly sanitize the key store. Further, there is no way to verify that erasure has occurred"
https://www.usenix.org/legacy/event/fast11/tech/full_papers/Wei.pdf
Bruce Schneier says cryptographic systems "must be implemented exactly, perfectly, or they will fail."
(https://www.schneier.com/essays/archives/1997/01/why_cryptography_is.html)
https://www.owasp.org/images/5/57/OWASPIL2011-ErezMetula-WhenCryptoGoesWrong.pdf
20. SSD Erasure Approvals
The Finnish Communications Regulatory Authority (FICORA) has approved Blancco erasure software for erasing data from hard drives and Solid State Drives.
The AIVD is the General Intelligence and Security Service of the Netherlands and evaluates information security products. In their deployment advisory for Blancco 5 they state that, for SSD media, the "Blancco SSD Erasure" standard should be used.
21. Additional Resources
Research Study: Security Limitations of Solid State Drives
https://www.blancco.com/resources/rs-security-limitations-of-ssds
Whitepaper: SSDs and the Unseen Data Destruction Risks
https://www.blancco.com/resources/wp-a-look-inside-ssds-unseen-data-destruction-risks
Free Evaluation: Blancco Drive Eraser for HDDs and SSDs
http://info.blancco.com/en-eval-blancco-5