TrueErase: Secure Deletion on Flash Storage Sarah Diesburg, Chris Meyers, An-I Andy Wang 03/23/22

TrueErase: Secure Deletion on Flash Storage Sarah Diesburg, Chris Meyers, An-I Andy Wang 10/8/2015


04/19/23

The Problem

Most users believe that files cannot be retrieved once:
- Files are no longer visible
- The trashcan is emptied
- The partition is formatted

In reality, only the link to the file is deleted; the actual data remains.

The Problem

Decommissioned storage devices leak sensitive information


What is Secure Deletion?

Secure deletion means rendering files completely irrecoverable.
- No forensic analysis should be able to recover data from media

Secure Deletion Complications


Flash electronic storage can make it nearly impossible to erase files

Flash Characteristics

- Locations must first be erased before new data can be written
  - But it can take a while to erase a location
- Locations can only be written or erased a small number of times

The flash solution is to rotate locations for writes.

Flash Write Behavior

Flash management software rotates the usage of locations.

[Figure: the operating system writes gibberish to location 2 of a flash device with locations 1 to 7.]

- Overwrites go to a new location instead of the original block
- Dead data is left behind until that location is erased

Is this a problem?


Removal via hot air

Universal chip reader

We must somehow erase sensitive data!


Raw flash chips can be removed and placed in a reader

Achieving Secure Deletion

- Need to send erase command to flash to erase sensitive information
  - Flash has no information about the security of the file – only the file system knows this
  - Currently, file systems only understand read and write commands, not erase commands

TrueErase Components

1. Centralized module that passes secure deletion information from file system to lower layers

2. Extension to storage block layer to take advantage of above information

   - Issue secure overwrite command
   - Call storage-specific secure deletion command

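TrueErase Datapath View

[Figure: datapath diagram. Layers from top to bottom: Applications, File System, Block Layer, Storage, with a User/Kernel boundary marked. A Secure Deletion Module is shown with the labels "Block #", "Add", "Check" and "Secure delete commands".]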

TrueErase User View

[Figure: a user request "Securely erase my file!" is passed down as "Secure delete" through the operating system.]

TrueErase Flash Behavior

We can now tell the flash to erase locations.

[Figure: the operating system sends "Securely delete 2" to a flash device with locations 1 to 7, and the flash erases it ("Erase!").]

The location can be securely deleted!
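The behaviour on the "Flash Write Behavior" and "TrueErase Flash Behavior" slides, as an added example that is not part of the original slides or the TrueErase code: a toy Python model showing that an overwrite leaves the old data in raw flash while an erase of the location removes it. ToyFlash and its methods are hypothetical names; each location is assumed to be individually erasable, and garbage collection is not modelled.

```python
# Toy model of flash management; every name here is hypothetical.
ERASED = None  # state of a location after an erase


class ToyFlash:
    def __init__(self, n_locations=7):
        self.phys = [ERASED] * n_locations  # raw locations, as a chip reader sees them
        self.mapping = {}                   # logical block -> physical location
        self.cursor = 0                     # rotation pointer for the next write

    def _next_erased(self):
        # Rotate through locations; only an erased location can be written.
        for _ in range(len(self.phys)):
            loc, self.cursor = self.cursor, (self.cursor + 1) % len(self.phys)
            if self.phys[loc] is ERASED:
                return loc
        raise RuntimeError("no erased location left (garbage collection not modelled)")

    def write(self, block, data):
        # An overwrite lands in a new location; the old copy stays as dead data.
        loc = self._next_erased()
        self.phys[loc] = data
        self.mapping[block] = loc

    def read(self, block):
        return self.phys[self.mapping[block]]

    def secure_delete(self, block):
        # Erase command: wipe the physical location that holds this block.
        self.phys[self.mapping.pop(block)] = ERASED

    def raw_dump_contains(self, needle):
        # Scan every physical location, mapped or not.
        return any(d is not ERASED and needle in d for d in self.phys)


def overwrite_then_dump():
    flash = ToyFlash()
    flash.write(2, b"SECRET (constructed sample)")
    flash.write(2, b"gibberish")  # what an overwrite-based wipe does
    return flash.read(2), flash.raw_dump_contains(b"SECRET")


def secure_delete_then_dump():
    flash = ToyFlash()
    flash.write(2, b"SECRET (constructed sample)")
    flash.secure_delete(2)
    return flash.raw_dump_contains(b"SECRET")
```

In this model the file system reads back only the gibberish after an overwrite, yet the raw dump still holds the original bytes; only the erase path clears them.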

Why is this challenging?

- Flash management not easily changeable
  - Performance implications
  - Rotating the right locations
- File systems not designed for erase
  - Backward compatibility issues
- Handling crashes during secure deletion
  - Correctness issues

Current Development – TrueErase

- Programming complete prototype
- Fixing final bugs
- Expected to be done for conference paper submission in early January

Questions?

For more information about TrueErase, visit

http://ww2.cs.fsu.edu/~diesburg/trueerase.html
