Solid State Drives (SSD) Secure Erasure Deep Dive: What it Takes to Really Make the Data Go Away
© 2017 Monterey Technology Group Inc.
Preview of key points
• Data erasure fundamentals
• Solid State Drives
• Enterprise data destruction that lets you forget about the technology
  ◦ provable
Data erasure fundamentals
• Deletion does not equal destruction
• Security is always an afterthought in hardware design
• Different technologies require different methods
• Can be a black box
How SSDs are different than HDDs and why that impacts security
• You can read/write a given “page” of a magnetic HDD as many times as you like
• And there are just 2 operations – read and write
[Diagram: Erased --write--> Programmed --erase--> Erased; a programmed block can be read many times]
• NAND memory has 3 operations: write (aka program), read and erase
• A block can only be written once, then must be completely erased and rewritten
• NAND memory is bits organized into blocks
• They start off with all bits set to 1
• Write a block by setting the necessary bits to 0 so that the block reflects the data you want to store
• Now you have a “programmed” block storing the data
• You can read that block repeatedly
  ◦ (Reading it too many times will disturb nearby blocks)
• When you need to update a single bit within that block you need to first erase the entire block and re-write the whole thing
  ◦ Technically, if the bit you want to write is a 0 you could update just that bit
  ◦ That’s a 50/50 chance
  ◦ But normally you have to update more than one bit. So what’s the chance that all the bits you need to change are going to be 0? If even one bit needs to go from 0 to 1 you have to:
    - Read the entire block into SSD RAM
    - Update the bits, bytes or words necessary
    - Erase the block
    - Re-write the block
• But NAND can only be programmed/erased so many times
  ◦ Each p/e cycle causes physical damage to the medium
  ◦ In real life some chunks of data get updated far more frequently than others
• So SSD manufacturers implement
  ◦ Wear levelling
  ◦ Over-provisioning
[Diagram: wear levelling and over-provisioning]
• But to make SSDs take off really fast, they didn’t want to make every OS manufacturer implement a new physical file system with knowledge specific to each implementation of NAND as SSD
• So make an SSD look like a HDD and just translate it
[Diagram: Application -> Operating System -> ATA driver -> ATA commands -> drive. On an HDD the commands map direct, page-for-page; on an SSD they first pass through the flash translation layer (FTL)]
Traditional erasure algorithms unsuitable for SSDs
• Military-spec overwrite of each sector
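As an added example (not part of the deck, and not any vendor's code), the following toy model ties together the NAND program/erase rule from the earlier slides and the FTL's out-of-place writes, and shows why a host-level sector overwrite leaves the original data sitting in a stale physical page. The block geometry, page size and FTL policy are simplifying assumptions.

```python
ERASED = 0xFF          # an erased NAND cell reads as 1, so an erased byte is 0xFF
PAGES_PER_BLOCK = 4    # assumed geometry for the demo (real blocks are far larger)

def can_program_in_place(old: bytes, new: bytes) -> bool:
    """Programming can only clear bits (1 -> 0); any 0 -> 1 needs a block erase."""
    return all((o & n) == n for o, n in zip(old, new))

class ToyFlash:
    def __init__(self, blocks: int, page_size: int = 4):
        self.page_size = page_size
        self.pages = [bytes([ERASED] * page_size) for _ in range(blocks * PAGES_PER_BLOCK)]
        self.pe_cycles = [0] * blocks   # erase count per block (the wear the deck describes)
        self.lba_map = {}               # logical block address -> physical page (the FTL)
        self.free = list(range(len(self.pages)))

    def erase_block(self, block: int) -> None:
        """Block-granular erase: every page in the block returns to all-1s."""
        self.pe_cycles[block] += 1
        for p in range(block * PAGES_PER_BLOCK, (block + 1) * PAGES_PER_BLOCK):
            self.pages[p] = bytes([ERASED] * self.page_size)
            if p not in self.free:
                self.free.append(p)

    def write(self, lba: int, data: bytes) -> int:
        """Host-visible write. The FTL writes out of place: the old physical page
        is only unmapped, not erased, so its bits stay readable from the raw chip."""
        assert len(data) == self.page_size
        if not self.free:
            raise RuntimeError("no free pages; garbage collection is not modelled")
        phys = self.free.pop(0)
        self.pages[phys] = bytes(ERASED & b for b in data)  # program = clear bits to 0
        self.lba_map[lba] = phys
        return phys

    def host_read(self, lba: int) -> bytes:
        return self.pages[self.lba_map[lba]]

    def raw_copies(self, data: bytes) -> list:
        """What a read of the raw NAND (bypassing the FTL) would find, mapped or stale."""
        return [p for p, page in enumerate(self.pages) if page == data]

def overwrite_demo(passes: int = 3) -> dict:
    """Overwrite one 'sector' several times through the FTL, then look at the raw chip."""
    flash = ToyFlash(blocks=2)
    secret = b"PIN1"                      # constructed sample data
    flash.write(0, secret)
    for _ in range(passes):
        flash.write(0, b"\x00" * 4)       # host-level overwrite of sector 0
    return {"host_sees": flash.host_read(0), "pe_cycles": flash.pe_cycles,
            "stale_copies_of_secret": len(flash.raw_copies(secret))}
```

Only a block erase (which the host cannot target through the ATA interface) actually removes the stale copy, which is why the deck calls for firmware-level, manufacturer-specific erasure.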
Other issues
• Freeze lock
  ◦ The BIOS of most modern computers blocks access to these commands with a “freeze lock” on the drive’s security feature set.
  ◦ Unless the freeze lock is removed, it’s extremely difficult to conduct the necessary firmware-based erasure that scrubs the entire SSD storage
Other issues
• What is ATA Secure Erase?
  ◦ Set of commands embedded in most hard drives since 2001
  ◦ Secure Erase is a command, not a physical operation
  ◦ Therefore it’s all about the implementation (i.e. code) behind that command
  ◦ “it’s up to each manufacturer to implement it correctly. In their review of the secure erase command, Wei et al., 2011, have shown that over the 12 models of SSDs studied, only eight offered the ATA Secure Erase functionality, and over those eight drives, three had buggy implementations [11].” - http://codecapsule.com/2014/02/12/coding-for-ssds-part-4-advanced-functionalities-and-internal-parallelism/
  ◦ https://www.usenix.org/legacy/event/fast11/tech/full_papers/Wei.pdf
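As an added example (not from the deck or any vendor), here is a small check that reads the Security section of Linux `hdparm -I` output and decides whether an ATA Secure Erase could be issued at all, naming the freeze lock from the previous slide when it is the blocker. The sample output is constructed to follow hdparm's layout; the flag names are the ones hdparm prints.

```python
import re

# Constructed sample of the "Security:" section as hdparm -I prints it
# (tabs are significant in the real output; "frozen" here has no "not").
SAMPLE_HDPARM_SECURITY = """\
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
"""

FLAG_RE = re.compile(
    r"\s*(not\s+)?(supported: enhanced erase|supported|enabled|locked|frozen)\s*$")

def parse_ata_security(text: str) -> dict:
    """Map each flag line ('supported', 'not frozen', ...) to True/False."""
    flags = {}
    for line in text.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(2)] = m.group(1) is None   # no leading "not" means set
    return flags

def secure_erase_readiness(text: str) -> dict:
    """Return whether SECURITY ERASE UNIT can be sent and, if not, why."""
    f = parse_ata_security(text)
    blockers = []
    if not f.get("supported", False):
        blockers.append("security feature set not supported")
    if f.get("frozen", False):
        blockers.append("freeze lock set: BIOS froze the security feature set")
    if f.get("locked", False):
        blockers.append("drive is locked; the user password is needed first")
    return {"can_issue_secure_erase": not blockers,
            "enhanced_erase": f.get("supported: enhanced erase", False),
            "blockers": blockers}
```

Even when the check passes, the deck's point stands: a reported success says nothing about how the firmware implemented the command, so verification of the media afterwards is still required.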
Other issues
• Cryptographic “erasure”
  ◦ Drive firmware encrypts each page
  ◦ SSD or HDD
  ◦ To “erase” the drive – just overwrite the key
  ◦ In theory – great
  ◦ But encryption in theory and in practice are 2 very different things
  ◦ Over and over again we see poor encryption implementations
  ◦ “Given the bugs we found in some implementations of secure erase commands, it is unduly optimistic to assume that SSD vendors will properly sanitize the key store. Further, there is no way [to] verify that erasure has occurred”
    - https://www.usenix.org/legacy/event/fast11/tech/full_papers/Wei.pdf
  ◦ Bruce Schneier says cryptographic systems “must be implemented exactly, perfectly, or they will fail.” (https://www.schneier.com/essays/archives/1997/01/why_cryptography_is.html)
  ◦ https://www.owasp.org/images/5/57/OWASPIL2011-ErezMetula-WhenCryptoGoesWrong.pdf
Bottom line
• SSD erasure
  ◦ Must deal with
    - Flash translation layer
    - Freeze lock
  ◦ Requires manufacturer-specific logic
    - OEM cooperation
  ◦ Multi-stage, multi-method
  ◦ Verifiable
  ◦ Provable
  ◦ Reporting
• Applies beyond just SSD
Securing the audit trail
Sample Report
SSD Erasure Approvals
• The Finnish Communications Regulatory Authority (FICORA) has approved Blancco erasure software for erasing data from hard drives and Solid State Drives.
• The AIVD is the General Intelligence and Security Service of the Netherlands and evaluates information security products. In their deployment advisory for Blancco 5 they state that, for SSD media, the “Blancco SSD Erasure” standard should be used.
Additional Resources
• Research Study: Security Limitations of Solid State Drives
  ◦ https://www.blancco.com/resources/rs-security-limitations-of-ssds
• Whitepaper: SSDs and the Unseen Data Destruction Risks
  ◦ https://www.blancco.com/resources/wp-a-look-inside-ssds-unseen-data-destruction-risks
• Free Evaluation: Blancco Drive Eraser for HDDs and SSDs
  ◦ http://info.blancco.com/en-eval-blancco-5
