TrueErase: Secure Deletion on Flash Storage

1
TrueErase Secure Deletion on Flash Storage

• Sarah Diesburg, Chris Meyers,
• An-I Andy Wang
• 2/3/2016

2
The Problem

• Most users believe that files cannot be retrieved
  once
• Files are no longer visible
• The trashcan is emptied
• The partition is formatted
• In reality, only link to the file
  is deleted
• Actual data remains

3
The Problem

• Decommissioned storage devices leak sensitive
  information

4
What is Secure Deletion?

• Secure deletion means rendering files completely
  irrecoverable
• No forensic analysis should be able to recover
  data from media

5
Secure Deletion Complications

• Flash electronic storage can make it nearly
  impossible to erase files

6
Flash Characteristics

• Locations must first be erased before new data
  can be written
• But it can take awhile to erase a location
• Locations can only be written or erased a small
  amount of times
• The flash solution is to rotate locations for
  writes.

7
Flash Write Behavior

• Flash management software rotates the usage of
  locations

Operating System
Flash
1
2
3
4
5
6
7
7
8
Flash Write Behavior

• Flash management software rotates the usage of
  locations

Write gibberish to 2
Operating System
Flash
1
2
3
4
5
6
7
8
9
Flash Write Behavior

• Overwrites go to new location instead of original
  block
• Dead data left behind until that location is
  erased

Write gibberish to 2
Operating System
O(\ks_at_
Flash
1
2
3
4
5
6
7
9
10
Is this a problem?

• Raw flash chips can be removed and placed in a
  reader

Removal via hot air
Universal chip reader

• We must somehow erase sensitive data!

10
11
Achieving Secure Deletion

• Need to send erase command to flash to erase
  sensitive information
• Flash has no information about the security of
  the file only the file system knows this
• Currently, file systems only understand read and
  write commands, not erase commands

12
TrueErase Components

• Centralized module that passes secure deletion
  information from file system to lower layers
• Extension to storage block layer to take
  advantage of above information
• Issue secure overwrite command
• Call storage-specific secure deletion command

13
TrueErase Datapath View
Applications
User
Kernel
File System
Add
Secure Deletion Module
Check
Block
Block Layer
Block
Secure delete commands
Storage
14
TrueErase User View
Secure delete
Securely erase my file!
Secure delete
15
TrueErase Flash Behavior

• We can now tell the flash to erase locations

Securely delete 2
Operating System
Flash
1
2
3
4
5
6
7
15
16
TrueErase Flash Behavior

• The location can be securely deleted!

Operating System
Erase!
Flash
1
2
3
4
5
6
7
16
17
Why is this challenging?

• Flash management not easily changeable
• Performance implications
• Rotating the right locations
• File systems not designed for erase
• Backward compatibility issues
• Handling crashes during secure deletion
• Correctness issues

18
Current Development TrueErase
19
Current Development TrueErase

• Programming complete prototype
• Fixing final bugs
• Expected to be done for conference paper
  submission in early January

20
Questions?

• For more information about TrueErase, visit
• http//ww2.cs.fsu.edu/diesburg/trueerase.html