[Cryptography] Shredding a file on a flash-based file system?

Thierry Moreau thierry.moreau at connotech.com
Wed Jun 18 23:57:59 EDT 2014


Hi,

A question in the recurring issue of hiding a secret in a computing device.

Suppose you have a small computing device to do some crypto with only a 
flash-based file system (no swap area, and you can afford a destructive 
RAM test upon shutdown, so RAM remanence is a lesser issue). You 
store lasting secret data in a file.

When you want to zeroize the critical file, you cannot rely on the 
shred utility (or can you?) due to the core flash technology (turning a 
bit from "1" to "0" is a simple write, the reverse commands a full block 
erasure for some flash-integrated-circuit-fixed block size).

We are dealing only with non-journalizing file systems. Also, one should 
check that the file system does not keep track of access times (and 
modification times) for the file since these reveal some information to 
an adversary.

Here is my current concern: if one assumes that a flash file system will 
optimize write operations such that turning every bit to zero will 
*not* trigger allocation of new file space on disk.

Does anyone know if this assumption is reasonable?

I understand that solid state drives come with various implementations 
of a low level space management system logic, over which a partitioning 
logic applies before a file system (in the traditional O/S sense) is 
hosted in a (more or less?) device-independent way. I would suspect that 
the most fundamental optimization (not allocating new space when a write 
request only turns "1" bits to "0") is applied effectively despite this 
involved logic arrangement.

Generally, I don't like flash-based mass storage, but it is 
cost-effective nowadays.

Maybe the best answer requires experimentation with a specific 
combination of solid state drive, controller, driver, and file system 
(ext2 most likely). That is, behave like an enemy (law enforcement 
friend) chasing the secret data after the zeroization attempt, except 
that I know the exact data values to look for. A low-level read-only 
access to the block device is the basic facility for this 
unsophisticated experiment. Anybody attempted this?

Let's advance the field! Thanks in advance.

- Thierry Moreau
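
The experiment proposed in the message above, sketched as an added example (not code from the original post): store a known marker in the file, zeroize it, then scan the raw device read-only for surviving copies. The names `find_marker` and `build_demo_image`, the marker value and the image layout are constructed for illustration; on real hardware the path would be the block device itself.

```python
import os
import tempfile

MARKER = b"ZEROIZE-TEST-7f3a9c51-KNOWN-SECRET"  # constructed test value

def find_marker(path, marker, chunk_size=1 << 20):
    """Return byte offsets of every copy of marker in path (opened read-only)."""
    if not marker:
        raise ValueError("marker must be non-empty")
    offsets, tail, base = [], b"", 0
    overlap = len(marker) - 1          # bytes kept so a split marker is still found
    with open(path, "rb", buffering=0) as dev:
        while True:
            chunk = dev.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            pos = buf.find(marker)
            while pos != -1:
                offsets.append(base + pos)
                pos = buf.find(marker, pos + 1)
            tail = buf[-overlap:] if overlap else b""
            base += len(buf) - len(tail)   # absolute offset of the kept tail
    return offsets

def build_demo_image(path, marker, block=4096, blocks=16):
    """Constructed stand-in for a device after a zeroization attempt."""
    img = bytearray(b"\xff" * (block * blocks))  # erased flash reads as 0xFF
    img[3 * block:4 * block] = bytes(block)      # the file's block, now all zeros
    stale = 10 * block - 5                       # leftover copy straddling two blocks
    img[stale:stale + len(marker)] = marker
    with open(path, "wb") as f:
        f.write(img)
    return stale

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "device.img")
        expected = build_demo_image(image, MARKER)
        hits = find_marker(image, MARKER, chunk_size=4096)
        print("stale copies at offsets:", hits, "expected:", [expected])
```

A logical block device exposes only the blocks the drive's controller currently maps, so an empty result there does not show that the underlying flash cells were erased.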

