[Cryptography] Shredding a file on a flash-based file system?
Thierry Moreau
thierry.moreau at connotech.com
Wed Jun 18 23:57:59 EDT 2014
Hi,
A question in the recurring issue of hiding a secret in a computing device.
Suppose you have a small computing device to do some crypto with only a
flash-based file system (no swap area, and you can afford a destructive
RAM test upon shutdown, so RAM reminiscence is a lesser issue). You
store lasting secret data in a file.
When you want to zeroize the critical file, you can not rely on the
shred utility (or do you?) due to the core flash technology (turning a
bit from "1" to "0" is a simple write, the reverse commands a full block
erasure for some flash-integrated-circuit-fixed block size).
We are dealing only with non-journalizing file systems. Also, one should
check that the file system does not keep track of access times (and
modification times) for the file since these reveals some information to
an adversary.
Here is my current concern: if one assumes that a flash file system will
optimize write operations such that turning every bits to zero will
*not* trigger allocation of new file space on disk.
Does anyone know if this assumption is reasonable?
I understand that solid state drives come with various implementations
of a low level space management system logic, over which a partitioning
logic applies before a file system (in the traditional O/S sense) is
hosted in a (more or less?) device-independent way. I would suspect that
the most fundamental optimization (not allocating new space when a write
request only turns "1" bits to "0") is applied effectively despite this
involved logic arrangement.
Generally, I don't like flash-based mass storage, but they are
cost-effective nowadays.
Maybe the best answer requires experimentation with a specific
combination of solid state drive, controller, driver, and file system
(ext2 most likely). That is, behave like an enemy (law enforcement
friend) chasing the secret data after the zeroization attempt, except
that I known the exact data values to look for. A low-level read-only
access to the block device is the basic facility for this
unsophisticated experiment. Anybody attempted this?
Let's advance the field! Thank in advance.
- Thierry Moreau
More information about the cryptography
mailing list