Risk
9/26/2013
12:44 PM
George Crump
George Crump
Commentary
50%
50%

Flash Storage Has Special Security Needs

Over-provisioning and bad-block marking can leave flash storage devices vulnerable to data theft. Here are workarounds.

7 Ways To Create E-Portfolios
7 Ways To Create E-Portfolios
(click image for larger view)
At some point, almost every storage system will be used for a role different than what it was purchased for. This could mean assigning it to a new department within the organization, transporting it to another office, or decommissioning the unit all together. In any of these scenarios the first step is typically going to be erasing the data to make sure that nothing sensitive on that storage system remains. Interestingly, when it comes to solid state disk (SSD) or flash arrays, erase might not always mean erase.

When flash is erased the process is actually a write. A block of data is read from flash, the block on the flash is cleared by writing zeros to it, then new data, if there is any, is written to that block. The flash controller knows that any block regions with zeros are eligible for new data.

Formatting an SSD, even repeatedly, might not actually erase the drive like it will a hard disk drive. There are two functions of flash that can cause a problem. The first is the very common technique of over-provisioning. Over-provisioning allows the flash to extend its life expectancy by reserving a certain percentage of flash capacity and hiding it from the operating system. It allows the flash drive to leverage wear leveling to distribute the write workload over a higher number of flash NANDs. In some drives this over-provisioning can be as much as 25% of the capacity.

[ How did thumb drives betray the National Security Agency? Read Thumb Drive Security: Snowden 1, NSA 0. ]

The problem is that a straightforward format utility won't know about these extra cells and data could still exist on them after formatting. Some flash vendors have created special utilities that are able to address these hidden areas as well as perform a destructive series of writes that includes a mixture of ones and zeros. These utilities are perfect except for one other problem: bad-block marking.

The flash system technique of bad-block marking might also trip up your attempt to destroy data. Everyone knows by now that flash storage wears out eventually. The problem is that some memory areas wear out much sooner than others. When that happens, that block area can no longer accept writes. And if it can't accept writes, you can't write to it in order to perform an erase. You can, however, still read from it and the data is still there. That means that someone with the right motivation could get to your data.

The good news is that in both of these situations, systems can be taken into a lab and read. For most organizations most of the data isn't valuable enough to be considered worth the effort. But the chance of an organization having some data that is of value to outside interests is increasingly likely.

In either case, getting to the data requires some work and some lab equipment. The problem is technology is driving the price of the equipment required to do this forensic work just like it is driving everything else down. In short, you should do something to protect the organization and its data in case it falls into the wrong hands.

At a minimum, you should make sure your SSD or flash-array vendor has some sort of erase function that allows you to get to both visible and hidden areas of flash storage. Ideally, this will also perform some sort of "one then zero" erase on the data.

For many environments, though, the answer might be always-on -- not optional -- encryption, so that the moment the flash storage is removed from the system or the key is destroyed, the data is useless. The problem with always-on encryption is that it might hurt performance, so your vendor might need to increase the system's processing power so it can perform encryption at line rate.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5427
Published: 2015-03-29
Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read pa...

CVE-2014-5428
Published: 2015-03-29
Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integratio...

CVE-2014-9205
Published: 2015-03-29
Stack-based buffer overflow in the PmBase64Decode function in an unspecified demonstration application in MICROSYS PROMOTIC stable before 8.2.19 and PROMOTIC development before 8.3.2 allows remote attackers to execute arbitrary code by providing a large amount of data.

CVE-2015-0528
Published: 2015-03-29
The RPC daemon in EMC Isilon OneFS 6.5.x and 7.0.x before 7.0.2.13, 7.1.0 before 7.1.0.6, 7.1.1 before 7.1.1.2, and 7.2.0 before 7.2.0.1 allows local users to gain privileges by leveraging an ability to modify system files.

CVE-2015-0996
Published: 2015-03-29
Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 rely on a hardcoded cleartext password to control read access to Project files and Project Configuration files, which makes it easier for local users to obtain sensitive info...

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.