02-22-2011 11:56 AM
Aloha,
Just read the materials at the bottom of this site:
http://nvsl.ucsd.edu/sanitize/
(NOTE: Please read the papers at the bottom of this site in their entirety before you reply to this post with an opinion.)
Couldn't help but notice a few things. First of all, this quote:
"We conclude that the complexity of SSDs relative to hard drives requires that they provide built-in sanitization commands. Our tests show that since manufacturers do not always implement these commands correctly, the commands should be verifiable as well. Current and proposed ATA and SCSI standards provide no mechanism for verification and the current trend toward encrypting SSDs makes verification even harder."
Also, noticed one of the SSDs they tested was an SLC 32GB (no model or manufacturer specified, but could be the X25-E series).
A key point here is that even though Intel (SSD Toolbox) or CMRR (HDDErase) has supplied tools for "erasing" your SSDs, it does NOT mean those SSDs should ever be released or tossed in the trash if they ever held confidential information (which they most likely have, if you consider passwords, credit card numbers, or SSNs confidential). In the case of government, it means you shouldn't use a classified SSD and re-use it on an unclassified system, even after sanitizing.
Intel, can you provide some insight to this issue regarding your products? Specifically, will the SSD Toolbox verify and confirm all data is erased from an SSD, including any and all over-provisioned or "marked bad" data blocks? And, are there any tools which can let us, the end-user, visually check every writable bit of flash memory on the SSD?
Thanks to all for any input.
02-22-2011 01:37 PM
5 Conclusion
Sanitizing storage media to reliably destroy data is an essential aspect of overall data security. We have empirically measured the effectiveness of hard drive-centric sanitization techniques on flash-based SSDs. For sanitizing entire disks, built-in sanitize commands are effective when implemented correctly, and software techniques work most, but not all, of the time.
I want to point out the above. What tool do you propose to check every readable bit of NAND? (Writable bit does not cover everything.) How would that tool work... what data would it present in an end-user usable form?
02-22-2011 03:56 PM
The conclusion (which you pointed out) only emphasizes purging techniques need more attention. Key phrases are "when implemented correctly" and in this context they are discussing the manufacturer's implementation, not the end-user's execution of it. "..most, but not all, of the time" is unacceptable when dealing with confidential or classified data. In other words, we (the end-users) should not (and cannot) trust the manufacturer to securely erase our data from their SSD without an additional verification process.
You asked about a proposed tool. As a mere example, a good start would be something similar to a forensic analyzer (such as you'd use to examine sectors on, or nibble bytes from, an HDD) but one which understands the addressable and non-addressable space within the SSD. It's because of this lacking area that the scientists literally tore out the chips and built a hardware analyzer. You read the entire article, right?
At the very minimum, a verification tool should check and count every writeable bit (or byte) to confirm it is erased or not erased, including any over-provisioned space (used for extending life expectancy of the SSD) which is normally NOT accessible to the end-user, as well as any "bad" pages or blocks remapped by the firmware. "Secure erase" does not do this, thus the very fast "completion" of the command.
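A sketch of the logical-space half of the check described in the post above, as an added example that is not part of the thread and not any vendor's tool: it classifies every sector readable through the normal interface as all-zero, all-0xFF or residual. The image file, the 512-byte sector size and the function names are assumptions made here; over-provisioned and remapped flash is not reachable this way, which is the gap the post points at.

```python
import os
import tempfile

SECTOR = 512  # assumed logical sector size for this example


def scan_logical_space(path, sector=SECTOR, max_report=8):
    """Count sectors that read back blank (0x00 or 0xFF) versus residual.

    Only covers what the drive exposes through its LBA interface.
    """
    zero, ones = bytes(sector), b"\xff" * sector
    stats = {"total": 0, "zero": 0, "ff": 0, "residual": 0, "residual_lbas": []}
    with open(path, "rb") as dev:
        while True:
            chunk = dev.read(sector * 2048)  # 1 MiB per read
            if not chunk:
                break
            for off in range(0, len(chunk), sector):
                block = chunk[off:off + sector]  # last block may be short
                lba = stats["total"]
                stats["total"] += 1
                if block == zero[:len(block)]:
                    stats["zero"] += 1
                elif block == ones[:len(block)]:
                    stats["ff"] += 1
                else:
                    stats["residual"] += 1
                    if len(stats["residual_lbas"]) < max_report:
                        stats["residual_lbas"].append(lba)
    stats["clean"] = stats["residual"] == 0
    return stats


def build_sample_image():
    """Constructed 64-sector image: zeros, 4 sectors of 0xFF, 1 leftover record."""
    sectors = [bytes(SECTOR)] * 64
    for i in range(10, 14):
        sectors[i] = b"\xff" * SECTOR
    sectors[40] = b"constructed leftover record".ljust(SECTOR, b"\x00")
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"".join(sectors))
    return path


if __name__ == "__main__":
    img = build_sample_image()
    try:
        print(scan_logical_space(img))
    finally:
        os.remove(img)
```

A "clean" result here says only that the addressable space reads back blank; it says nothing about flash the controller does not expose.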
02-23-2011 10:48 AM
Here's some media attention on this issue.
http://news.google.com/news/more?pz=1&cf=all&cf=all&ncl=dqqwI8SjLOamzvMdO_bFm4X2VsYNM
Intel, any response?
02-24-2011 01:21 AM
In theory, SSDs are easier to "secure erase" than HDDs, and the result will be much safer.
If all the NAND cells of an SSD are set to their "cleared" or "ready to write to" state, there is no chance of recovering the data that was previously written on them. A single over-write of anything ('0', 'Z', etc) to the full capacity of an SSD will cause most if not all of the previous contents to be gone forever.
In HDDs, when the magnetic material used to store data is over-written, a remnant of the previous state the bit was in remains, and with the appropriate equipment can be retrieved. Apparently, that can be done even with several writes on top of the old data, as the DOD's specification for erasing data from HDDs calls for, I believe, 10 or more over-writes of the data before the other data can no longer be read forensically.
The question then becomes, do any of the "secure erase" tools actually perform a full clearing (for lack of a better term) of all the NAND cells? Or is there a lesser but equally effective equivalent to that? Add to that, the apparent issue of the SSD's controller or the FTL stopping a complete clearing of the NAND from occurring, as implied in the article.
For example, when the Intel SSD Toolbox Secure Erase option is said to "erase all data on the selected secondary SSD", and we assume the SSD will be put into its "new, factory fresh" state, are both of those things actually happening? I would say the chances of that are much better with the Toolbox than with other programs. We should actually be educated as to what "erase" and "factory fresh state" actually are.
But as always with things in the world of computers, it is blissfully easy to conjecture, point fingers, and pass judgements upon extremely complicated things from our ivory tower of ignorance.
Regardless, if one wants to secure erase their SSD before disposing of it, I recommend giving it to a group of children or teenagers and challenge them to break it, or just give it a good shot with a hammer. Easier than a HDD, like I said earlier.