© 2011 Underwriters Laboratories Inc.
Gone in a FLASH!
…. Really?
Data remanence in FLASH media
Andrew Jamieson
Verification Services
Underwriters Laboratories
@andrewrjamieson
Agenda
What is Flash?
Why Flash is Different
Securing Flash Media
Flash Disk Attack and Data Recovery
Flash Chip Structure and Examples
Summary
What is Flash?
Flash media is an evolution of Electrically Erasable Programmable
Read Only Memory (EEPROM)
• Flash has become the ubiquitous method for fast, mobile storage
– ‘Flash drive’ is now synonymous with USB storage
– De facto way for carrying data on the move
• Also increasingly used as OS and boot media
– Solid State Drives (SSDs) becoming cheaper and more popular
– Considered functionally equivalent, but faster and quieter
• But operational equivalence != functional equivalence
– How do flash drives really work?
– Do traditional erasure methods work on flash drives?
– What is the best way to secure data on flash media?
Why is Flash Different?
Hang on … they’re based on EEPROM? But I can write and erase
data to my flash disk arbitrarily. What’s with the ‘Read Only Memory’?
• Arbitrary write and erase is not possible on Flash memory
– Made possible on flash media through an abstraction layer called the
‘Flash Transfer Layer’
• Flash media is divided into two types of logical subsections
– ‘Pages’ and ‘Blocks’
– Flash memory can only be written as a whole page
– Bits in a page can be ‘set’ but not individually ‘un-set’
– Flash memory can only be erased as a whole block
– 1 page = 128 kBytes to 512 kBytes
– 1 block ~= 64 pages
– Flash memory = many multiple blocks
Flash Memory Organisation
[Diagram: Flash Disk = multiple blocks; 1 Block = multiple pages. User data is written to pages … but erased in blocks. Caption: Wally West, “Where do all the pages go?”]
Why is Flash Different?
Flash memory is a fundamentally different medium from magnetic storage
• Random access bit level writes are not possible
• Erasing a flash block is much slower than reading or writing to a page
– Sequential read ~10³x < random read ~10x < page write ~10x < block erase
• Each flash block has a maximum number of erase cycles before it fails
– Usually 10,000 but may be up to 100,000 depending on flash technology used
– After this, the individual flash cells can stop working properly
• But every time you write to any file, the whole block must be erased and re-written (no arbitrary writes) ???
– Unless it’s not …
Why is Flash Different?
Example:
• If a flash chip block can only be erased 10,000 times, how often can you
modify any single file on a USB disk??
– Those who said over 246 million times are right!
– How does that work?
• Flash drive controller constantly re-maps file location as it is changed
– Think of it like another file system layer
[Diagram: PC → File System → Flash Transfer layer → Physical Media]
Why is Flash Different?
Manipulation of written data requires ‘intelligence’ in the Flash media
• Flash memory chips do not have this intelligence themselves
– Therefore a ‘flash controller’ is required within the media
– This controller manages the USB memory interface, and ‘flash transfer layer’
– Maps external access to internal flash memory locations
– This mapping changes as new data is written, modified and erased
– Usually an ASIC with an embedded general-purpose micro-controller (e.g. 8051)
[Diagram: USB ↔ ASIC ↔ Flash Memory Chip]
Changing Data on Flash Media (Example 1)
[Diagram: stored data ‘Andrew Jamieson / Witham Labs’ changed to ‘Andrew Jamieson / Underwriters Laboratories (UL)’]
Changing Data on Flash Media (Example 2)
[Diagram: stored data ‘Andrew Jamieson / Witham Labs’ changed to ‘Andrew Jamieson / Underwriters Laboratories (UL)’]
Why is Flash Different?
So what does your Flash drive do when you modify or erase a file?
• Standard industry best practice dictates that for secure erasure of a file
you should overwrite the file
– One or more times, with random or static data
• This is based on the operation of magnetic media
– And is potentially out of date with current technology even in that context
– How do you ensure that data is erased in a Flash drive?
Securing Flash Media
So how do you secure your Flash Media?
• Flash media is portable, robust, and ubiquitous
– ‘Portable’ + ‘robust’ + ‘ubiquitous’ ≡ ‘Losable’
– Lost media is at best embarrassing, and at worst business destroying
… and remember, it’s not just the data you think is there
It may be data you have previously erased (even ‘securely’)
• When in doubt, encrypt
– Fortunately, numerous options exist for removable media
– Can be partitioned into three types:
– Software encryption on PC, password/passphrase entered on PC
– Hardware encryption on flash disk, password/passphrase entered on PC
– Hardware encryption on flash disk, password/PIN entered on flash disk
Securing Flash Media
Hardware encryption, password/PIN entered on flash disk
• Flash controller integrates HW encryption core
– Encryption keys / password not exposed on PC, no software install on USB host
[Diagram: Battery, ASIC with HW Crypto, keypad (0 to 9, L, U); flash chip only contains encrypted data]
Securing Flash Media
Hardware encryption, password/passphrase entered on USB host (PC)
• Flash controller integrates HW encryption core
– Encryption keys may be stored on Flash disk, not be exposed on PC, OR
– Encryption keys may be derived from password, and sent to Flash disk
– Password always exposed on host platform
– Additional software probably required to allow for password transfer
– IEEE 1667 specification allows for password interface to USB drives
– Not widely supported, and does not require encryption
[Diagram: ASIC with HW Crypto; flash holds encrypted data plus plaintext data (containing the driver)]
Securing Flash Media
Software encryption, password/passphrase entered on USB host (PC)
• Standard flash controller, no integrated encryption functions
– Encryption keys and password used / exposed on PC
– Data stored in encrypted ‘container’ on USB disk
– May be whole volume, sub-volume (encrypted container), or file only
– Encrypted by software on the PC before transfer to the USB
Which do you think is more secure (HW, HW hybrid, or SW encryption) ??
[Diagram: Standard USB ASIC; flash holds plaintext data and encrypted data]
Flash Disk Attack and Data Recovery
Flash memory involves many layers of abstraction
• File system → Flash controller (FTL) → Flash chip
– Recovery of bit-level data requires only access to last ‘layer’
• How do you ensure sensitive data is rendered unrecoverable from Flash?
– File system ‘erase’ is not sufficient (of course)
– What about overwriting the data?
– Physical destruction?
– Other?
• How do you secure data at the bit level?
– Encrypt with hardware or software?
– File or volume level encryption?
Flash Disk Attack
Attacking hardware encrypted Flash media
• Hardware encryption open to side channel analysis
– Same ASIC found in 90% of hardware encrypted flash disks
– But requires encryption to be running, so password/PIN already entered
– Not really much point (unless one key is being used across multiple devices)
• Attack key storage location
– Not always inside the ASIC, sometimes in external memory / micro-controller
– How is key erasure performed? Can ‘deleted’ keys be recovered?
• Attack PIN verification method
– PIN must be compared internally, and different actions taken if OK / not OK
– Different actions = different current draw
– Characterise current draw for PIN not OK, and disconnect power if this starts
Flash Disk Attack
Attacking software encrypted Flash media
• Password / encryption key exposed on system under use
– Not a problem with hardware systems that use embedded keypads
– Is a problem on hardware encrypted devices with PC password entry
• Does this matter?
– No requirement for installed software is convenient for different platforms/PCs
…. But if you don’t trust the PC to manage the keys/passwords securely, why do you trust it to access plaintext data?
• Therefore compromised PC used to access the USB drive succeeds against
either hardware or software encrypted systems
– Exposure of keys/passwords or plaintext data is a semantic argument
– Hardware devices with embedded key storage are arguably less secure as they
can be stolen and attacked off-site to gain access to the key
Flash Data Recovery
It’s not just the flash transfer layer that causes problems with erasure
• Setting bits in flash memory is like pouring water into individual slots of an
ice tray – each slot with water in it is a ‘set’ bit
– Erasing the memory block is like tipping the tray to empty out the water
– But if you don’t tip far enough, or leave it tipped for long enough, some water will
remain in the slots
• ‘Erased’ data from flash memory can be re-read by lowering the operating
voltage of the chip
– Like looking for ‘less water’ in each ice tray slot to signify a bit that is set
Recovering Data from Flash Media
Physical data extraction from Flash memory
• Three types of attackers
– Unfunded, unsophisticated (‘script kiddies’ of the physical world)
– Some funds, and sophisticated (data recovery labs, some law enforcement)
– High funds, high sophistication (military and governmental agencies)
• Flash chips are composed of one or more physical dies
• Bonded into chip package with good physical strength properties
– Much better than ‘standard’ processor or logic die packaging
• Makes physical destruction difficult!
– Need to make sure die is damaged
– Damage to PCB, controller, and even flash chip package is not necessarily
enough to prevent data recovery by determined attacker
Recovering Data from Flash Media
Physical destruction requires damage to flash die
Damage to package only is not sufficient for Type 2 attackers
Summary
Flash storage cannot be treated in the same way as magnetic storage
• Data storage methods are fundamentally different
– Therefore different recovery methods can be applied
– Different erasure/destruction methods must be used
• Overwriting of files does not necessarily remove data
– Data will be duplicated across the die for wear leveling purposes
– Bypassing of USB controller provides access to wear leveled data
• Encryption can help to secure data on the chip
– Hardware encryption/password management provides interoperability value but no real security value in the face of a compromised PC
– File level encryption can help reduce exposure window during operation
• Great care is necessary to ensure data remains secure
– Best erasure method is complete die destruction, or ensuring no plaintext data is ever written to the USB (therefore, only erase the key)
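As an added example (not part of the slides), the Python below models the flash transfer layer re-mapping described earlier and the summary's ‘only erase the key’ point: a logical overwrite leaves the old page readable in a raw chip dump, while data written only in encrypted form is unrecoverable once the key is gone. The page and block sizes, the log-structured layout and the one-time-pad stand-in for the controller's cipher are assumptions for illustration.

```python
# Added example, not from the slides: a toy flash disk behind a minimal
# log-structured flash transfer layer (FTL) shows why overwriting a file leaves
# the old copy on the chip, and why erasing the key is the practical fix.
import secrets

PAGE_SIZE = 16                    # assumed toy sizes, not real NAND geometry
PAGES_PER_BLOCK = 4
NUM_BLOCKS = 4
ERASED = b"\xff" * PAGE_SIZE      # an erased NAND page reads as all ones


class ToyFlashDisk:
    """Raw chip plus FTL: a page is written once; only whole blocks are erased."""

    def __init__(self):
        self.chip = [ERASED] * (PAGES_PER_BLOCK * NUM_BLOCKS)  # physical pages
        self.mapping = {}          # logical sector -> physical page
        self.next_free = 0         # log-structured FTL: always append

    def write(self, sector, data):
        if self.next_free == len(self.chip):
            raise RuntimeError("toy disk full; a real FTL would garbage-collect")
        # The controller never rewrites a page in place: the sector is re-mapped
        # to a fresh page and the old page stays until its block is erased.
        self.chip[self.next_free] = data.ljust(PAGE_SIZE, b"\xff")[:PAGE_SIZE]
        self.mapping[sector] = self.next_free
        self.next_free += 1

    def read(self, sector):              # what the host sees through the FTL
        return self.chip[self.mapping[sector]]

    def raw_dump(self):                  # what a chip-off reader sees
        return b"".join(self.chip)


def overwrite_leaves_remnant():
    """Host-side 'secure erase' by overwriting: the FTL keeps the old page."""
    disk = ToyFlashDisk()
    disk.write(0, b"SECRET-PLAINTEXT")
    disk.write(0, b"\x00" * PAGE_SIZE)
    host_view = disk.read(0)
    return host_view == b"\x00" * PAGE_SIZE and b"SECRET-PLAINTEXT" in disk.raw_dump()


def crypto_erase_leaves_nothing():
    """Never write plaintext; then erasing the key is the only erasure needed."""
    key = secrets.token_bytes(PAGE_SIZE)   # one-time pad as a stand-in cipher
    disk = ToyFlashDisk()
    disk.write(0, bytes(p ^ k for p, k in zip(b"SECRET-PLAINTEXT", key)))
    del key                                 # the key is all that gets erased
    return b"SECRET-PLAINTEXT" not in disk.raw_dump()
```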