SSD Data Purging Presents Security Difficulties

The ability to totally erase data from storage devices is a critical component of secure data management, regardless of whether the organisation is just throwing away an old system or repurposing it for someone else’s use. Recent research indicates, however, that sanitising solid-state drives is not easy.

Three researchers from the Department of Computer Science and Engineering and one from the Centre for Magnetic Recording and Research at the University of California have “empirically” found that existing disk sanitisation techniques don’t work on SSDs because the internal architecture of an SSD is very different from a that of a hard disk drive, according to a paper presented on 16 February at the USENIX File and Storage Technologies Conference in San Jose, California.

ATA commands

The researchers tested built-in ATA commands for erasing the entire SSD, existing software tools to erase the entire drive and software tools capable of securely erasing individual files. The researchers verified the reliability and effectiveness of the technique to determine what worked best. In the verification procedure, researchers wrote a structured data pattern to the drive, sanitised the drive using a known technique, dismantled the drive and extracted the raw data directly from the flash chips using a custom flash testing system.

“Reliable SSD sanitisation requires built-in, verifiable sanitise operations,” the researchers wrote.

Most modern drives have built-in commands that instruct on-board firmware to run a standard sanitisation protocol on the drive to remove all data. Since the manufacturer has “full knowledge” of the drive’s design, these techniques should be reliable, but researchers found that many of the implementations were flawed.

There are two standard commands, ERASE UNIT and ERASE UNIT ENH, as well as a BLOCK ERASE command defined in the ACS-2 specification, which is still in draft form, according to the paper.

Researchers tested the ERASE UNIT command on seven drives that claimed to support the ATA Security set and found only four executed it reliably, the researchers said. Two had a bug that prevented the command from executing and one claimed to have executed the command despite the fact that all the data was still intact and accessible. Researchers called that last drive’s results “most disturbing”.

“Standardised commands should work correctly almost indefinitely,” they wrote.

Delicate operation

While existing software applications for deleting the entire drive work “most, but not all” of the time, the researchers found that none of the available software techniques for securely removing individual files was effective on flash-based SSDs. Sanitising single files allows the filesystem to remain usable, but it was a “more delicate operation”, the researchers said. For software that sanitised drives by overwriting the drive multiple times, doing it twice was usually sufficient, the researchers found. All single-file software sanitisation protocols failed, as 4 percent to 75 percent of the file’s contents remained intact.

The researchers defined “sanitised” as erasing all or part of the storage device in such a way that the contained data was difficult or impossible to recover, according to the paper. “Local” sanitisation, or “clearing”, as defined by the National Institute of Standards and Technology, meant data could not be recoverable via standard hardware interfaces such as SATA or SCSI commands.

“Digital” sanitisation meant data could not be recovered via any digital means, including “subversion of the device’s controller or firmware,” the researchers wrote. Analog sanitisation, or “purging,” as defined by NIST, degrades the analog signal that encodes the data so that it is “effectively impossible” to reconstruct. “Cryptographic” sanitisation referred to encrypting and decrypting incoming and outgoing data, and then just deleting the key from the drive.