Risk
9/26/2013
12:44 PM
George Crump
George Crump
Commentary
50%
50%

Flash Storage Has Special Security Needs

Over-provisioning and bad-block marking can leave flash storage devices vulnerable to data theft. Here are workarounds.

7 Ways To Create E-Portfolios
7 Ways To Create E-Portfolios
(click image for larger view)
At some point, almost every storage system will be used for a role different than what it was purchased for. This could mean assigning it to a new department within the organization, transporting it to another office, or decommissioning the unit all together. In any of these scenarios the first step is typically going to be erasing the data to make sure that nothing sensitive on that storage system remains. Interestingly, when it comes to solid state disk (SSD) or flash arrays, erase might not always mean erase.

When flash is erased the process is actually a write. A block of data is read from flash, the block on the flash is cleared by writing zeros to it, then new data, if there is any, is written to that block. The flash controller knows that any block regions with zeros are eligible for new data.

Formatting an SSD, even repeatedly, might not actually erase the drive like it will a hard disk drive. There are two functions of flash that can cause a problem. The first is the very common technique of over-provisioning. Over-provisioning allows the flash to extend its life expectancy by reserving a certain percentage of flash capacity and hiding it from the operating system. It allows the flash drive to leverage wear leveling to distribute the write workload over a higher number of flash NANDs. In some drives this over-provisioning can be as much as 25% of the capacity.

[ How did thumb drives betray the National Security Agency? Read Thumb Drive Security: Snowden 1, NSA 0. ]

The problem is that a straightforward format utility won't know about these extra cells and data could still exist on them after formatting. Some flash vendors have created special utilities that are able to address these hidden areas as well as perform a destructive series of writes that includes a mixture of ones and zeros. These utilities are perfect except for one other problem: bad-block marking.

The flash system technique of bad-block marking might also trip up your attempt to destroy data. Everyone knows by now that flash storage wears out eventually. The problem is that some memory areas wear out much sooner than others. When that happens, that block area can no longer accept writes. And if it can't accept writes, you can't write to it in order to perform an erase. You can, however, still read from it and the data is still there. That means that someone with the right motivation could get to your data.

The good news is that in both of these situations, systems can be taken into a lab and read. For most organizations most of the data isn't valuable enough to be considered worth the effort. But the chance of an organization having some data that is of value to outside interests is increasingly likely.

In either case, getting to the data requires some work and some lab equipment. The problem is technology is driving the price of the equipment required to do this forensic work just like it is driving everything else down. In short, you should do something to protect the organization and its data in case it falls into the wrong hands.

At a minimum, you should make sure your SSD or flash-array vendor has some sort of erase function that allows you to get to both visible and hidden areas of flash storage. Ideally, this will also perform some sort of "one then zero" erase on the data.

For many environments, though, the answer might be always-on -- not optional -- encryption, so that the moment the flash storage is removed from the system or the key is destroyed, the data is useless. The problem with always-on encryption is that it might hurt performance, so your vendor might need to increase the system's processing power so it can perform encryption at line rate.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6228
Published: 2014-12-28
Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split ...

CVE-2014-6229
Published: 2014-12-28
The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string,...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.