[Cryptography] Shredding a file on a flash-based file system?

Joseph Ashwood ashwood at msn.com
Fri Jun 20 05:24:38 EDT 2014


-----Original Message----- 
From: Thierry Moreau
Subject: [Cryptography] Shredding a file on a flash-based file system?

> Does anyone know if this assumption is reasonable?

It is actually worse than you feared, and worse than I think anyone has 
pointed out (I only glanced through the messages, apologies if someone else 
covered this).

Inherent in the design of modern SSDs is wear leveling; this makes secure 
erase an absolute nightmare. Although I am greatly simplifying, the core 
problem remains the same. Wear leveling goes something like this:

You have block [0....n]
Each block contains not only the data, but the functional address, and 
whether or not it is the most recent data.
block[i] = <!Active, address, data>

When a write happens the controller begins where it left off. I will simply 
begin with the first write to the system (it won't matter) and assume 
n=1024, a very small disk.
write 1:
write <0x000, the quick brown fox jumped over the lazy dog> is the command 
issued
<0(active), 0x000, The quick brown fox jumped over the lazy dog> is the 
expanded version
this is written to physical sector 0

Now if we want to secure erase this, the logical thing would be to write 
over block 0x000, but this is what happens:
write 2:
write <0x000, 000...0000> (the overwrite)
the drive writes to physical sector 0, setting the !active bit
the drive writes to physical sector 1 <0(active), 0x000, 000...0000>

The data in physical sector 0 is untouched, effectively creating the same 
problem of a journaling file system in hardware.

There is no way of knowing for sure that you are actually overwriting a 
particular sector from the outside. You can approximate this by writing the 
sector many, many times, but this will burn out large portions of the flash 
in the drive before you actually can be certain of overwriting.

I wish I had better news for you, but as everything is today, you really 
have no way of knowing. This applies even at the flash chip level: each 
layer in the flash chip often has its own wear leveling going on. This is 
done in order to disguise that the chip has flaws; in any high capacity chip 
there are many sectors that are unusable straight from the factory.

This sucks, and it is only going to get worse for the foreseeable future. 
How do I know? My name is on the patent (US patent 8397011).
                    Joe 
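The wear-leveling model Joe sketches above, as an added simulation that is not part of the original post: a hypothetical append-only flash device whose sectors carry the <active, address, data> triple he describes. The host's "shred" rewrites a logical address with zeros, but the controller only flips the old copy's active bit and appends the zeros elsewhere, so a raw (chip-off) scan still finds the plaintext until the controller's garbage collection erases stale sectors. The garbage-collection policy, the `erases` wear counter and the sample data are assumptions for illustration; real controllers are more complex.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Sector:
    """One physical flash sector: <active, logical address, data>, plus a wear counter."""
    active: bool = False
    address: Optional[int] = None   # logical address this copy belongs to; None = erased
    data: bytes = b""
    erases: int = 0                 # hypothetical wear counter for this physical sector


class ToyFlash:
    """Hypothetical wear-levelled device: writes always go to the next free sector."""

    def __init__(self, n: int = 1024):
        self.sectors: List[Sector] = [Sector() for _ in range(n)]
        self.cursor = 0                    # where the controller left off
        self.map: Dict[int, int] = {}      # logical address -> active physical sector

    def _garbage_collect(self) -> None:
        # Only here do stale (!active) copies actually die; each erase costs wear.
        for s in self.sectors:
            if not s.active and s.address is not None:
                s.address, s.data, s.erases = None, b"", s.erases + 1
        self.cursor = 0

    def _alloc(self) -> int:
        # Find the next erased sector; wrap and garbage-collect once if the device is full.
        for _attempt in range(2):
            while self.cursor < len(self.sectors):
                phys = self.cursor
                self.cursor += 1
                if self.sectors[phys].address is None:
                    return phys
            self._garbage_collect()
        raise RuntimeError("device full: every sector holds live data")

    def write(self, address: int, data: bytes) -> int:
        old = self.map.get(address)
        if old is not None:
            self.sectors[old].active = False   # old copy marked stale; its bytes stay put
        phys = self._alloc()
        self.sectors[phys] = Sector(True, address, data, self.sectors[phys].erases)
        self.map[address] = phys
        return phys

    def read(self, address: int) -> bytes:
        """What the host sees through the logical block interface."""
        phys = self.map.get(address)
        return self.sectors[phys].data if phys is not None else b""

    def stale_copies(self, address: int) -> List[Tuple[int, bytes]]:
        """What a raw chip read sees: every !active copy of this address still in flash."""
        return [(i, s.data) for i, s in enumerate(self.sectors)
                if s.address == address and not s.active]

    def total_erases(self) -> int:
        return sum(s.erases for s in self.sectors)


def overwrite_shred(dev: ToyFlash, address: int, passes: int) -> None:
    """Host-side 'shred': rewrite the logical block with zeros `passes` times."""
    length = len(dev.read(address))
    for _ in range(passes):
        dev.write(address, b"\x00" * length)


SECRET = b"The quick brown fox jumped over the lazy dog"   # constructed sample data


def demo(n: int = 1024, passes: int = 1) -> dict:
    """Write the secret at 0x000, shred it, then compare logical and raw views."""
    dev = ToyFlash(n)
    dev.write(0x000, SECRET)
    overwrite_shred(dev, 0x000, passes)
    stale = dev.stale_copies(0x000)
    return {
        "logical_view": dev.read(0x000),
        "stale": stale,
        "secret_still_on_flash": any(d == SECRET for _, d in stale),
        "erases": dev.total_erases(),
    }


if __name__ == "__main__":
    for n, passes in ((1024, 1), (1024, 3), (8, 8)):
        r = demo(n, passes)
        print(f"n={n} passes={passes}: logical zeroed={not any(r['logical_view'])}, "
              f"secret still on flash={r['secret_still_on_flash']}, erases={r['erases']}")
```

With the default 1024 sectors a single overwrite pass leaves the plaintext intact in physical sector 0 and three passes just add three stale zero-filled copies. Only when the host has written enough to wrap the whole device (the n=8, passes=8 case) does the stale copy get erased, and by then every sector has taken an erase cycle, which is the burn-out trade-off the post describes.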