Physical NAND Flash Security: Preventing Recovery of Deleted Data

Similar documents
NAND Flash Architecture and Specification Trends

NAND Flash Architecture and Specification Trends

Solid State Drive (SSD) FAQ

Samsung emmc. FBGA QDP Package. Managed NAND Flash memory solution supports mobile applications BROCHURE

Choosing the Right NAND Flash Memory Technology

High-Performance SSD-Based RAID Storage. Madhukar Gunjan Chakhaiyar Product Test Architect

Calsoft Webinar - Debunking QA myths for Flash- Based Arrays

Nasir Memon Polytechnic Institute of NYU

O&O Defrag and Solid State Drives

SLC vs. MLC: An Analysis of Flash Memory

1 / 25. CS 137: File Systems. Persistent Solid-State Storage

Solid State Drive Technology

Comparison of NAND Flash Technologies Used in Solid- State Storage

HP FutureSmart Firmware Device Hard Disk Security

Important Differences Between Consumer and Enterprise Flash Architectures

Frequently Asked Questions March s620 SATA SSD Enterprise-Class Solid-State Device. Frequently Asked Questions

Media Disposition and Sanitation Procedure

NAND Flash Media Management Through RAIN

Trends in NAND Flash Memory Error Correction

A New Chapter for System Designs Using NAND Flash Memory

Temperature Considerations for Industrial Embedded SSDs

Database!Fatal!Flash!Flaws!No!One! Talks!About!!!

NAND Basics Understanding the Technology Behind Your SSD

Flash Memory Basics for SSD Users

Programming Matters. MLC NAND Reliability and Best Practices for Data Retention. Data I/O Corporation. Anthony Ambrose President & CEO

How To Write On A Flash Memory Flash Memory (Mlc) On A Solid State Drive (Samsung)

An Overview of Flash Storage for Databases

HP Thin Clients Flash/SSD Selection

File System Management

Addressing Fatal Flash Flaws That Plague All Flash Storage Arrays

Benefits of Solid-State Storage

Embedded Operating Systems in a Point of Sale Environment. White Paper

Technical Proposal on ATA Secure Erase Gordon Hughes+ and Tom Coughlin* +CMRR, University of California San Diego *Coughlin Associates

SLC vs MLC: Proper Flash Selection for SSDs in Industrial, Military and Avionic Applications. A TCS Space & Component Technology White Paper

Advantages of e-mmc 4.4 based Embedded Memory Architectures

Lexmark Printers and Multifunction Products: Hard Disk and Non-Volatile Memory Guide

Flash-optimized Data Progression

Embedded Multi-Media Card Specification (e MMC 4.5)

DELL SOLID STATE DISK (SSD) DRIVES

NAND Flash Memory Reliability in Embedded Computer Systems

Secure Erase of Disk Drive Data

SATA SSD Series. InnoDisk. Customer. Approver. Approver. Customer: Customer. InnoDisk. Part Number: InnoDisk. Model Name: Date:

Yaffs NAND Flash Failure Mitigation

Industrial Flash Storage Trends in Software and Security

SLC vs MLC: Which is best for high-reliability apps?

SSDs tend to be more rugged than hard drives with respect to shock and vibration because SSDs have no moving parts.

WP001 - Flash Management A detailed overview of flash management techniques

Intel Solid State Drive Toolbox

A Flash Storage Technical. and. Economic Primer. and. By Mark May Storage Consultant, By James Green, vexpert Virtualization Consultant

SLC vs MLC NAND and The Impact of Technology Scaling. White paper CTWP010

Technologies Supporting Evolution of SSDs

Data Distribution Algorithms for Reliable. Reliable Parallel Storage on Flash Memories

SSD Write Performance IOPS Confusion Due to Poor Benchmarking Techniques

SSD Performance Tips: Avoid The Write Cliff

An Oracle White Paper May Exadata Smart Flash Cache and the Oracle Exadata Database Machine

Samsung Solid State Drive TurboWrite Technology

Challenges and Solutions for Effective SSD Data Erasure

Recovers Lost or Deleted Pictures from: Any Memory Card Type Any Brand Using Any Mass Storage Reader

Technical Reference Document Summary of NIST Special Publication : Guidelines for Media Sanitization

PowerProtector: Superior Data Protection for NAND Flash

SSDs tend to be more rugged than hard drives with respect to shock and vibration because SSDs have no moving parts.

SSDs tend to be more rugged than hard drives with respect to shock and vibration because SSDs have no moving parts.

The What, Why and How of the Pure Storage Enterprise Flash Array

QuickSpecs. HP Solid State Drives (SSDs) for Workstations. Overview

Understanding endurance and performance characteristics of HP solid state drives

Intel Solid State Drive Toolbox

NAND Flash FAQ. Eureka Technology. apn5_87. NAND Flash FAQ

UBIFS file system. Adrian Hunter (Адриан Хантер) Artem Bityutskiy (Битюцкий Артём)

enabling Ultra-High Bandwidth Scalable SSDs with HLnand

SATA II 3Gb/s SSD. SSD630 Benefits. Enhanced Performance. Applications

Linux flash file systems JFFS2 vs UBIFS

Destroying Flash Memory-Based Storage Devices (draft v0.9)

Updating Your Firmware

Destruction and Disposal of Sensitive Data

Solid State Technology What s New?

technical brief browsing to an installation of HP Web Jetadmin. Internal Access HTTP Port Access List User Profiles HTTP Port

HP 80 GB, 128 GB, and 160 GB Solid State Drives for HP Business Desktop PCs Overview. HP 128 GB Solid State Drive (SSD)

Trabajo Memorias flash

In-Block Level Redundancy Management for Flash Storage System

SOLID STATE DRIVES AND PARALLEL STORAGE

Caching Mechanisms for Mobile and IOT Devices

Empirical Inspection of IO subsystem for Flash Storage Device at the aspect of discard

White Paper. Avoiding premature failure of NAND Flash memory. Inhalt

End to End Data Path Protection

NAND Flash Status Register Response in Cache Programming Operations

Flash Technology Update from Micron and Intel

The Technologies & Architectures. President, Demartek

NAND 201: An Update on the Continued Evolution of NAND Flash

NetApp FAS Hybrid Array Flash Efficiency. Silverton Consulting, Inc. StorInt Briefing

White Paper. NAND Evolution and its Effects on Solid State Drive (SSD) Useable Life. Western Digital WP R

How To Improve Write Speed On An Nand Flash Memory Flash Drive

Solid State Drive Architecture

IOmark- VDI. Nimbus Data Gemini Test Report: VDI a Test Report Date: 6, September

FlashOverview. Industrial Grade Flash Solutions

Transcription:

Physical NAND Flash Security: Preventing Recovery of Deleted Data Michael Abraham (mabraham@micron.com) NAND Solutions Group Architect Micron Technology, Inc. August 2011 1

Topics A brief history of data removal Data sanitization methods NAND Flash physical requirements Block management Data overwriting Secure erase Removing residual data Myths August 2011 3

A Brief History of Data Removal In early storage protocols, functions existed to read and write data, but not to remove it Deleted data typically remains on storage media after it is no longer needed The file s index record is partially overwritten The file s data is not overwritten Whole industry exists to recover deleted files or to protect against accidental deletion Volume/partition reformatting and deletion also does not remove previous data Focus of these operating systems is not security, but rather to protect the user from unintentionally removing wanted data Data sanitization focuses on removing data permanently from the storage media August 2011 4

Data Sanitization Methods Clearing Previous data may still be recoverable through laboratory attack Data overwriting Media is reusable Purging Prevents laboratory attack to recover data SECURE ERASE (for ATA disks) Media may or may not be reusable Physical destruction Disintegration, incineration, pulverization, melting, and shredding Media is no longer reusable How do these methods relate to NAND Flash-based Source: NIST 800-88, Table 2-1, p. 8 Santa Clara, storage? CA August 2011 5

NAND Flash Physical Requirements NAND Flash requires block management Erase blocks of data, consisting of multiple pages Changes a logical 0 to a logical 1 for all of the cells in the block Program pages within a block in sequential order Changes a logical 1 to a logical 0 When reusing a page, it must be erased first August 2011 6

NAND Flash Physical Requirements NAND Flash requires block management Erase blocks of data, consisting of multiple pages Changes a logical 0 to a logical 1 for all of the cells in the block Program pages within a block in sequential order Changes a logical 1 to a logical 0 When reusing a page, it must be erased first August 2011 6

NAND Flash Physical Requirements NAND Flash requires block management Erase blocks of data, consisting of multiple pages Changes a logical 0 to a logical 1 for all of the cells in the block Program pages within a block in sequential order Changes a logical 1 to a logical 0 When reusing a page, it must be erased first August 2011 6

Block Management Block management is used to make sure NAND physical requirements are met The Flash translation layer translates host addresses (logical) to NAND addresses (physical) Software running on a host operating system Firmware running on a NAND controller August 2011 7

Block Management Today Block management algorithms have become more complex as block sizes have increased Typical data sizes are still 512B or 4KB Page sizes are moving to 8KB or 16KB for SSDs Block management algorithms are optimized for sequential throughput and IOPS More data fragments remain on the media through use August 2011 8

Data Overwriting For hard disk drives (HDDs), the primary method to clear individual files was through data overwriting Sensitive data is overwritten with one or more data patterns to remove it Residual data may still be recoverable if overwritten only once (though unlikely with today s HDDs) Data overwriting applications/algorithms were developed around direct addressing an LBA points to the same physical location for every write Securely deleting a file is typically a tradeoff of thoroughness (number of passes) and performance (time) August 2011 9

Data Overwriting with NAND Flash Because of block management, data overwriting is not effective to clear individual LBAs of data NAND Flash uses indirect addressing an LBA points to a different physical location for every write This results in multiple copies of the data existing Current version Older versions Older versions are eventually discarded when the blocks they reside in no longer have valid data in them and are erased Data overwriting is mostly effective if the entire drive is overwritten, but some previous data typically remains in hidden blocks and can be recovered through laboratory attack Typically less sophisticated to recover than an HDD data overwrite Slow Risk is proportional to the amount of overprovisioning August 2011 10

Secure Erase Secure erase was developed to permanently purge all data from HDDs, including areas not directly addressable Secure erase implemented on many SSDs e MMC has adapted secure erase to purge data from portions of the memory device August 2011 11

Secure Erase and Block Management If purging a portion of the media, a host-issued SECURE ERASE command would be responsible for the following NAND functions Identify all physical copies of data (current and previous) representing a host LBA or LBA range Copy/move all good, valid data around the data to be purged to new locations Properly erase the blocks Time is required to perform the block management function of identifying all copies of a particular LBA and consolidating valid data If purging all drive data, then SECURE ERASE is fairly quick because no block consolidation needs to occur August 2011 12

Removing Residual Data Can data be purged from the NAND Flash to prevent recovery through a laboratory attack? This requires a better understanding of the NAND PAGE PROGRAM and BLOCK ERASE commands August 2011 13

NAND Flash Cell Fundamentals 1s and 0s are represented by the number of electrons stored on the NAND floating gate Working number of electrons on each floating gate is decreasing as NAND process shrinks Becomes harder to discern bit states Source: Micron Technology, Inc. August 2011 14

Single-Level Cell (SLC) NAND Flash Each NAND cell is mapped to one NAND page Needs fewer working electrons than MLC to distinguish bit states Programming increases effective voltage on cells Only two states represented: 1, 0 Bits states use wider cell distributions than MLC One-step program process Faster to program and erase than MLC less precise 1 August 2011 15

Single-Level Cell (SLC) NAND Flash Each NAND cell is mapped to one NAND page Needs fewer working electrons than MLC to distinguish bit states Programming increases effective voltage on cells Only two states represented: 1, 0 Bits states use wider cell distributions than MLC One-step program process Faster to program and erase than MLC less precise 1 August 2011 15 0

2-Bit Multiple-level Cell (MLC) NAND Flash Each NAND cell is mapped to two NAND pages Needs more working electrons than SLC to distinguish bit states Programming increases effective voltage on cells Four states represented: 11, 10, 00, 01 Bits states use narrower cell distributions than SLC Two-step program process: fast page then slow page Slower to program and erase than SLC more precise placement required 11 August 2011 16

2-Bit Multiple-level Cell (MLC) NAND Flash Each NAND cell is mapped to two NAND pages Needs more working electrons than SLC to distinguish bit states Programming increases effective voltage on cells Four states represented: 11, 10, 00, 01 Bits states use narrower cell distributions than SLC Two-step program process: fast page then slow page Slower to program and erase than SLC more precise placement required 11 August 2011 16

Goals of a BLOCK ERASE Operation Decrease effective voltage on all cells by removing electrons from the floating gate Increase effective voltages on deeply erased cells Tightens erase distribution Significantly reduces possibility of data recovery through laboratory attack August 2011 17

Goals of a BLOCK ERASE Operation Decrease effective voltage on all cells by removing electrons from the floating gate Increase effective voltages on deeply erased cells Tightens erase distribution Significantly reduces possibility of data recovery through laboratory attack August 2011 17

Goals of a BLOCK ERASE Operation Decrease effective voltage on all cells by removing electrons from the floating gate Increase effective voltages on deeply erased cells Tightens erase distribution Significantly reduces possibility of data recovery through laboratory attack August 2011 17

MLC NAND Flash Block Erase Algorithm MLC NAND Flash block erase algorithms already prevent laboratory attack, especially on the latest process nodes Pre-erase data compaction brings all cells in the block to a close level Post-erase data compaction adds electrons to deeply erased cells Does not require host involvement and occurs during the typical t BERS Note: Not all NAND vendors erase MLC NAND Flash with the same algorithms August 2011 18

SLC NAND Flash Block Erase Algorithm The SLC block erase algorithm is typically shorter than the MLC block erase, though moving toward MLC algorithms The typical SLC block erase for 20 30nm process nodes should adequately purge the cells within a NAND block For older NAND technology, the host may need to assist the NAND in purging residual data Erase the block (optional) Program all of the pages in the block to solid zeros Erase the block Can add an additional ~40ms to erase time August 2011 19

Myths: TRIM or Super Voltage TRIM is a command tells a drive which LBAs are no longer needed on a drive Drives can discard unneeded data during block management Improves performance Reduces write amplification Method of implementation on the NAND physical level is controller/firmware specific TRIM does not guarantee old data removal because of its indeterminate nature Occasionally I get questions on destroying NAND Flash using a Super Voltage Not guaranteed to destroy NAND Flash or to eliminate data in the array August 2011 20

Sanitization Summary for NAND Flash For sanitization of all data Data overwriting clears data, but some data may remain in NAND blocks used for overprovisioning Secure erase (if implemented at host interface) purges data from all NAND blocks with user data For sanitization of individual files Data overwriting is ineffective very likely to keep previous copies of data to be removed, especially if the drive is not already full Secure erase or secure delete only works if block management consolidates good data from data to be removed and uses block erase to purge the old data Effectiveness of data purging is also dependent on the effectiveness of the BLOCK ERASE command Latest 20 30nm SLC and MLC process nodes sufficiently purge data Laboratory attack may be possible on older NAND process nodes August 2011 21

Questions? Revisit the Micron FMS presentations at www.micron.com/ fms August 2011 22

References Caulfield, Adrian, et al, Secure Erase of Flash Memory, speech given at Flash Memory Summit, Santa Clara, California, August 11, 2009, http://www.flashmemorysummit.com/ English/Collaterals/Proceedings/2009/20090811_F1A_Caulfield.pdf, accessed on December 16, 2009. De Nardi, Christophe, et al, Direct Measurements of Charge in Floating Gate Transistor Channels of Flash Memories Using Scanning Capacitance Microscopy, paper presented at 32nd International Symposium for Testing and Failure Analysis, November 2006, http:// www.multiprobe.com/technology/technologyassets/ S05_1_direct_measurements_of_charge_in_floating_gate.pdf, accessed on March 16, 2010. Hughes, Gordon, CMRR Secure Erase, http://cmrr.ucsd.edu/people/hughes/ SecureErase.shtml, accessed on July 14, 2011. JEDEC Solid State Technology Association, Embedded MultiMediaCard(e MMC) e MMC/ Card Product Standard, High Capacity, including Reliable Write, Boot, Sleep Modes, Dual Data Rate, Multiple Partitions Supports, Security Enhancement, Background Operation and High Priority Interrupt (MMCA, 4.41), JEDEC Standard No. 84-A441, March 2010, http:// www.jedec.org/standards-documents/docs/jesd84-a441, accessed on July 14, 2011. August 2011 23 Kissell, Richard, et al, Guidelines for Media Sanitization: Recommendations of the

About Michael Abraham Architect in the NAND Solutions Group at Micron Covers advanced NAND and PCM interfaces and system solutions BS degree in Computer Engineering from Brigham Young University 2011 Micron Technology, Inc. All rights reserved. Products are warranted only to meet Micron s production data sheet specifications. Information, products and/or specifications are subject to change without notice. All information is provided on an AS IS basis without warranties of any kind. Dates are estimates only. Drawings not to scale. Micron and the Micron logo are trademarks of Micron Technology, Inc. All other trademarks are the property of their respective owners. August 2011 24

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information