![Page 1: Sarah Diesburg COP5611 Advanced Operating Systems Secure Deletion of Files throughout the Data Path using TrueErase T HE F LORIDA S TATE U NIVERSITY](https://reader036.vdocuments.mx/reader036/viewer/2022081519/56649e505503460f94b4778c/html5/thumbnails/1.jpg)
Sarah Diesburg
COP5611
Advanced Operating Systems
Secure Deletion of Files throughout the Data Path using TrueErase
THE FLORIDA STATE UNIVERSITY
Overview
• People want to delete sensitive info on storage in such a way that it cannot be recovered
• Problem: existing methods may not always work or be easy to use
• Solution: TrueErase brings backwards-compatible deletion to the average user
2
Motivation
• Amount of stored, sensitive data is growing
  • Financial & customer info
  • Trade secrets
  • Usernames
  • Passwords
  • Correspondence
  • Personal media files
[Ven11] 3
[Chart: percent use by year, 1998-2010, of online shopping and online banking]
Problem
• Normal file deletion leaves data behind
  • Even formatting the device may not erase data
  • E.g., MSDOS format removes < 0.1% of data
• Secure deletion solutions are designed to irrecoverably delete information
  • Must delete both data and metadata, which is information about the data such as file name
4
Existing Solutions
• Device- or partition-wide secure deletion
  • Inflexible and may not work on some media
• Per-file solutions
  • Many solutions are incomplete
  • Encryption-based solutions
    • Need to delete per-file keys
    • Encryption schemes may expire (quantum computing)
  • Generally do not work with average users or different combinations of file systems and storage media (e.g., disks, thumb drives)
[Die08, Wei11, CWE12] 5
Why Per-file?
• Assists with
  • Selective destruction
    • Expired data (client data, government policies)
    • Temporarily shared trade secrets
    • One-time-use applications
  • Immediate destruction
    • Stolen computer, military applications
• May be performed without turning off computer or disrupting storage access
• Follow user expectations of delete
6
Why is it hard?
• Storage components do not share info
  • Low-level components have no notion of files
  • Intrusive to expand interfaces
• Must retrofit secure deletion into the entire storage data path
  • With legacy optimizations
7
[Diagram: the storage data path, top to bottom: applications, file system, storage management, storage]
Why is it hard?
• Legacy storage components have no existing mechanisms to delete file data
  • May require extensive changes to legacy components
• How do we know if our solution works?
  • What is the structure of various corner cases?
  • What if a crash occurs during deletion?
8
Our Focus
• Dead forensic attacks on local storage
  • Occur after the computer has been shut down properly
  • Future work: backups, compromised systems, covert channels, memory attacks
• Strong assumptions to simplify solution
  • Uncompromised, single-user, single-file-system, non-RAID, non-distributed system
9
Research Question
• Under the most benign environments
  • What can we design and build to ensure that the secure deletion of a file is honored?
  • Throughout the legacy storage data path
• Missing/complementary piece to support more advanced secure-deletion solutions
  • Encryption-based solutions
  • Tainting-based solutions
10
Approach
• Use a parallel data path to pass file deletion information to lower storage components
  • Leaves original data flow unmodified
  • Backward compatible with legacy optimizations
• When in doubt, handle deletion securely
  • Simplifies hard corner cases
• Avoid storing persistent states
  • No need to recover them after crashes
11
TrueErase Framework Overview
• User model sets files for secure deletion
• Components report secure-deletion info to TAP module
• Storage management queries TAP for info and issues secure-deletion commands
12
[Diagram: the data path (applications, file system, storage management, storage) together with the user model, the TAP module and the secure-deletion commands]
User Model
• Use secure-deletion bit or extended attributes
  • Specify files/dirs for secure deletion
  • Too expensive to delete all files securely
• Compatible with legacy applications
  • With some deviations
13
[Diagram: the framework overview data path (applications, file system, storage management, storage; user model, secure-deletion commands, TAP)]
User Model
• Backwards-compatible semantics
  • ‘chattr +s’
  • New files within a folder inherit permissions of folder
• Some deviations
  • Once marked sensitive, always sensitive
  • Name handling
14
Name Handling Deviation
• Legacy file-permission semantics
• If we were to use these semantics…
  • Sensitive status may bubble up to the root
15
[Diagram: dir i-node, file name, file i-node, data, with the permission attached to the file i-node]
Name Handling Deviation
• Legacy file-permission semantics
• TrueErase’s sensitive status
16
[Two diagrams: the chain dir i-node, file name, file i-node, data, once with the permission and once with TrueErase’s sensitive status shown where the permission was]
TAP Module
• Type/attribute propagation module (TAP)
  • File system reports pending updates
  • Uses global unique IDs to track versions
• Tracks only in-transit soft states
  • Can be reconstructed
17
[Diagram: the framework overview data path (applications, file system, storage management, storage; user model, secure-deletion commands, TAP)]
What information to track?
• Deletions, but this info is not enough…
  • At the secure-deletion time
    • The same location of a file may be updated a couple of times
    • Metadata may not reference old versions anymore
  • Unless all updates are tracked
• TrueErase deletes old versions as updates occur
  • Secure deletion + update = secure write
• Tracks all in-transit updates for verification
18
Tracking: how hard can it be?
• Cannot rely on storage data structures, IDs, and memory addresses due to reuse
  • Complicated by various access granularities
  • Also versions of storage requests in transit
• Used memory page IDs and physical storage sector number to form globally unique IDs
  • Reset at page allocation time
  • Reused page holding different versions of a sector has different IDs
19
How to interact with TAP?
• Report_write() creates a tracking entry
• Report_delete() associates deletion info to a tracking entry
• Report_copy() clones a tracking entry and transfers deletion info
• Check_info() retrieves deletion info
• Cleanup_write() deletes a tracking entry
20
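A toy model of this interface, added here as an illustration and not TrueErase's own code (the talk's prototype lives inside the Linux kernel; the table size, return codes and the (page_id, sector) key layout below are this example's assumptions). It shows the slide-19 point that a reallocated page holding a later version of the same sector gets a different ID, and the slide-11 rule that storage management treats anything TAP cannot vouch for as sensitive:

```c
/* Added example, not TrueErase's own code: a toy model of the TAP
 * (type/attribute propagation) module's interface. It assumes a small
 * fixed-size table of in-transit "soft state" entries keyed by a globally
 * unique ID built from a memory page ID and a physical sector number. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAP_MAX 16

typedef struct {
    uint32_t page_id; /* page generation, reset when the page is (re)allocated */
    uint64_t sector;  /* physical storage sector the page's contents are bound for */
} tap_id_t;

typedef struct {
    bool     in_use;
    tap_id_t id;
    bool     sensitive; /* deletion info attached to this in-transit version */
} tap_entry_t;

static tap_entry_t tap_table[TAP_MAX];

static tap_entry_t *tap_find(tap_id_t id) {
    for (size_t i = 0; i < TAP_MAX; i++)
        if (tap_table[i].in_use && tap_table[i].id.page_id == id.page_id &&
            tap_table[i].id.sector == id.sector)
            return &tap_table[i];
    return NULL;
}

/* Report_write(): the file system reports a pending update; a tracking
 * entry is created for exactly this (page generation, sector) version. */
int tap_report_write(tap_id_t id) {
    if (tap_find(id)) return -1;   /* this version is already tracked */
    for (size_t i = 0; i < TAP_MAX; i++)
        if (!tap_table[i].in_use) {
            tap_table[i] = (tap_entry_t){ true, id, false };
            return 0;
        }
    return -2;                     /* table full */
}

/* Report_delete(): attach secure-deletion info to an in-transit entry. */
int tap_report_delete(tap_id_t id, bool sensitive) {
    tap_entry_t *e = tap_find(id);
    if (!e) return -1;
    e->sensitive = sensitive;
    return 0;
}

/* Report_copy(): a lower layer duplicated the request into another page;
 * clone the entry under the new ID and carry the deletion info along. */
int tap_report_copy(tap_id_t src, tap_id_t dst) {
    tap_entry_t *e = tap_find(src);
    if (!e) return -1;
    int rc = tap_report_write(dst);
    if (rc) return rc;
    tap_find(dst)->sensitive = e->sensitive;
    return 0;
}

/* Check_info(): storage management asks before issuing a request.
 * 1 = sensitive, 0 = not sensitive, -1 = no entry (in doubt). */
int tap_check_info(tap_id_t id) {
    tap_entry_t *e = tap_find(id);
    return e ? (e->sensitive ? 1 : 0) : -1;
}

/* Cleanup_write(): the request reached storage; drop the soft state. */
int tap_cleanup_write(tap_id_t id) {
    tap_entry_t *e = tap_find(id);
    if (!e) return -1;
    e->in_use = false;
    return 0;
}

/* "When in doubt, handle deletion securely": anything TAP cannot vouch
 * for is treated as sensitive by the storage-management layer. */
bool storage_should_use_secure_op(tap_id_t id) {
    return tap_check_info(id) != 0;
}

int main(void) {
    tap_id_t v1 = { 1, 100 }; /* page generation 1 holding sector 100 */
    tap_id_t v2 = { 2, 100 }; /* same page reallocated: a different version */
    tap_report_write(v1);
    tap_report_delete(v1, true);
    printf("v1 sensitive=%d  v2 known=%d  v2 secure=%d\n", tap_check_info(v1),
           tap_check_info(v2), (int)storage_should_use_secure_op(v2));
    tap_cleanup_write(v1);
    return 0;
}
```

Because the entry is keyed by page generation as well as sector, the second version of sector 100 is unknown to TAP until the file system reports it (or a Report_copy() transfers the status), and the unknown case errs on the side of a secure operation.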
Crash Recovery
• Rely on journaling file system to protect secure-deletion attributes
• During recovery, apply secure ops for all
  • Even for data and metadata of non-sensitive files involved in the recovery phase
• Securely wipe the journal
  • And sensitive information not yet referenced by the file system
21
Enhanced Storage-management Layer
• Enhanced storage-management layer
  • Can inquire about file-system-level info
  • Added secure-deletion commands for various storage media
    • Issue erase command for flash; write random 0s and 1s for disk
  • Encryption-free
22
[Diagram: the framework overview data path (applications, file system, storage management, storage; user model, secure-deletion commands, TAP)]
Properties of NAND Flash
• Erasure is slow
  • Reads/writes in flash pages (e.g., 2-8 KB)
  • Deletes in flash blocks (e.g., 64-512 KB)
    • Consisting of contiguous pages
• Unlike disks, no in-place updates
  • Flash block containing the page needs to be explicitly erased before being written again
  • In-use pages are moved elsewhere
23
To Overcome Flash Property Challenges
• To optimize performance
  • A storage-management component remaps an overwrite request to an erased empty page
  • Old page may stick around
24
TrueErase NAND Secure-deletion Commands
• Secure_delete(pages)
  • Copies other in-use pages from the current flash block to elsewhere
  • Issue erase command on the current block
• Secure_write(page)
  • Write the new page
  • Call Secure_delete() on the old (if applicable)
25
Internal Reorganization (Garbage Collection)
• Problem
  • No respect for file boundaries, sensitive status
• Solution: store sensitive-status bit in per-page control areas
  • Used to enforce secure-deletion semantics during internal flash reorganization
26
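An added illustration of slides 23 to 26, not TrueErase's code, as a scaled-down NAND model: a legacy remapped overwrite leaves the old page readable, Secure_delete()/Secure_write() erase it at block granularity after relocating the block's live pages, and the sensitive bit kept in each page's control area makes garbage collection erase the source block immediately instead of deferring. The geometry (4 pages per block, 4 blocks), the logical-to-physical mapping table and the control-area fields are assumptions of this example:

```c
/* Added example, not TrueErase's own code: a scaled-down NAND model of why a
 * remapped overwrite leaves the old page behind and how Secure_delete() and
 * Secure_write() erase it at block granularity. Geometry, mapping table and
 * control-area layout are this example's assumptions. */
#include <stdbool.h>
#include <stdint.h>

#define PAGES_PER_BLOCK 4
#define NUM_BLOCKS 4
#define NUM_PAGES (PAGES_PER_BLOCK * NUM_BLOCKS)
#define NUM_LBAS 4
#define ERASED 0xFF
enum { PG_FREE, PG_VALID, PG_STALE };

typedef struct {
    uint8_t data;      /* one byte stands in for the page payload */
    uint8_t state;     /* control area: free / valid / stale */
    bool    sensitive; /* control area: TrueErase sensitive-status bit */
    int     lba;       /* control area: owning logical page, for relocation */
} page_t;

static page_t flash[NUM_PAGES];
static int    l2p[NUM_LBAS]; /* logical page -> physical page, -1 if unmapped */
static int    erase_count;

static int block_of(int p) { return p / PAGES_PER_BLOCK; }
static void erase_block(int b) {
    for (int p = b * PAGES_PER_BLOCK; p < (b + 1) * PAGES_PER_BLOCK; p++)
        flash[p] = (page_t){ ERASED, PG_FREE, false, -1 };
    erase_count++;
}
void flash_init(void) {
    for (int b = 0; b < NUM_BLOCKS; b++) erase_block(b);
    for (int l = 0; l < NUM_LBAS; l++) l2p[l] = -1;
    erase_count = 0;
}
/* First free page outside block `avoid` (-1 = anywhere); -1 if none. */
static int alloc_page(int avoid) {
    for (int p = 0; p < NUM_PAGES; p++)
        if (flash[p].state == PG_FREE && block_of(p) != avoid) return p;
    return -1;
}

/* Legacy FTL write: no in-place update, so the new version goes to an erased
 * page and the old one is only marked stale; its contents stay readable.
 * Returns the previous physical page (-1 if none), or -2 if the device is full. */
int ftl_write(int lba, uint8_t byte, bool sensitive) {
    int p = alloc_page(-1);
    if (p < 0) return -2;
    int old = l2p[lba];
    flash[p] = (page_t){ byte, PG_VALID, sensitive, lba };
    if (old >= 0) flash[old].state = PG_STALE;
    l2p[lba] = p;
    return old;
}

/* Secure_delete(pages): move the block's other live pages elsewhere (their
 * control area, sensitive bit included, goes with them), then erase the block. */
int secure_delete(int victim) {
    int b = block_of(victim);
    for (int p = b * PAGES_PER_BLOCK; p < (b + 1) * PAGES_PER_BLOCK; p++) {
        if (p == victim || flash[p].state != PG_VALID) continue;
        int np = alloc_page(b);
        if (np < 0) return -1;
        flash[np] = flash[p];
        l2p[flash[p].lba] = np;
    }
    erase_block(b);
    return 0;
}

/* Secure_write(page): write the new page, then Secure_delete() the old one. */
int secure_write(int lba, uint8_t byte) {
    int old = ftl_write(lba, byte, true);
    if (old == -2) return -1;
    return old >= 0 ? secure_delete(old) : 0;
}

/* Garbage collection: relocate a block's live pages. A legacy FTL may defer the
 * erase; the sensitive bit in the control area forces it right away whenever the
 * block held sensitive data. Returns 1 = erased now, 0 = deferred, -1 = no room. */
int garbage_collect(int b) {
    bool had_sensitive = false;
    for (int p = b * PAGES_PER_BLOCK; p < (b + 1) * PAGES_PER_BLOCK; p++) {
        had_sensitive |= flash[p].sensitive;
        if (flash[p].state != PG_VALID) continue;
        int np = alloc_page(b);
        if (np < 0) return -1;
        flash[np] = flash[p];
        l2p[flash[p].lba] = np;
        flash[p].state = PG_STALE;
    }
    if (!had_sensitive) return 0;
    erase_block(b);
    return 1;
}

/* Checks to run afterwards: physical pages (live or stale) still holding
 * `byte`, and whether a relocated page kept its sensitive bit. */
int residue_count(uint8_t byte) {
    int n = 0;
    for (int p = 0; p < NUM_PAGES; p++) n += flash[p].data == byte;
    return n;
}
bool page_is_sensitive(int p) { return flash[p].sensitive; }
```

Writing 0xAA then 0xBB to the same logical page with ftl_write() leaves residue_count(0xAA) at 1: the stale copy is the "old page may stick around" problem. secure_delete() of that stale page brings the count to 0 at the cost of one block erase plus the copies of whatever else was live in the block, which is where the slowdown measured later in the talk comes from.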
File-system-consistency Properties and Secure Deletion
• Now that we have a system, how can we reason about verifying it works?
• Three file system properties can help us
  1. Pointer-ordering property (POP)
  2. Reuse-ordering property (ROP)
  3. Non-rollback property (NRP)
27
Pointer-ordering Property (POP)
• File system separates data block writes from metadata block writes
• Ensures that data block in memory is written to storage
  • Before referencing metadata block is written to storage
28
Without Pointer-ordering Property
29-34
[Animated diagram over slides 29-34: file A’s metadata and data blocks in memory and on storage, passing through applications, file system, storage management, TrueErase and storage; file B’s metadata appears from slide 33]
• Secure deletion of A can end up deleting B’s block
Pointer-ordering Property
35-38
[Animated diagram over slides 35-38: file A’s metadata and data blocks in memory and on storage, passing through applications, file system, storage management, TrueErase and storage]
• Data blocks are propagated first
• Need to turn off storage built-in cache to prevent reordering
• Or issue device-specific flush commands
• Need to handle crash at this point
• Remove orphaned sensitive blocks at recovery time
Pointer-ordering Property
• Does not mention what happens to freed in-memory sensitive data blocks
  • Those blocks can be written to storage persistently without file system knowing what is going on
  • They must not undo our secure deletion
39
Reuse-ordering property (ROP)
• Ensures that a freed block will not be reused before its free status is written to storage
40
Without Reuse-ordering Property
41-44
[Animated diagram over slides 41-44: file A’s metadata and data blocks in memory and on storage, passing through applications, file system, storage management, TrueErase and storage; file B’s metadata appears from slide 43]
• Regular deletion of A can end up insecurely deleting B’s block
Reuse-ordering Property
45-49
[Animated diagram over slides 45-49: file A’s metadata and data blocks in memory and on storage, passing through applications, file system, storage management, TrueErase and storage]
• A block cannot be reused until its free status is persistent
• Secure delete the data block before making its free status persistent
• A crash will show secure deletion in progress
• Recovery mechanism will reissue file deletion
Reuse-ordering Property
• Implications for a secure deletion operation
  • Until the free status is written, we can
    • Perform secure operations on the block
    • Be guaranteed that the block will not change its status (file ownership or type)
50
Non-rollback Property (NRP)
• Ensures that older versions will not overwrite newer versions on storage
• Implications for secure-deletion operations
  • Secure-deletion operation and normal updates will be applied in the correct order
51
Structure of Corner Cases
• Ensuring that a secure deletion occurs before a block is persistently declared free (ROP)
• Hunting down the stored sensitive blocks left behind after a crash (POP)
• Making sure that non-secure deletion is not applied to the sensitive file (POP/ROP)
• Making sure that a securely deleted block is not overwritten by an old, secure unreferenced block (POP)
• Handling versions of requests in transit (NRP)
52
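To make the three properties and these corner cases concrete, here is an added example (not from the talk or its prototype) in the spirit of its model-checking-like verification: a checker that walks a trace of storage-level events and flags the orderings each property forbids. The event kinds, the violation bitmask and the constructed sample traces are this example's own assumptions:

```c
/* Added example, not TrueErase's own code: a checker for the pointer-ordering,
 * reuse-ordering and non-rollback properties over a constructed trace of
 * storage-level events. Event kinds, bitmask and traces are assumptions. */
#include <stdbool.h>
#include <stddef.h>

enum ev_kind {
    EV_DATA_WRITE,     /* version v of a data block reached storage */
    EV_META_REF,       /* metadata pointing at the block reached storage */
    EV_SECURE_DELETE,  /* secure-deletion command on the block completed */
    EV_FREE_PERSISTED, /* the block's free status reached storage */
    EV_REUSE           /* the file system handed the block to another file */
};

typedef struct { enum ev_kind kind; int block; int version; bool sensitive; } event_t;

enum { POP_VIOLATION = 1, ROP_VIOLATION = 2, NRP_VIOLATION = 4 };
#define MAX_BLOCKS 8

/* Returns a bitmask of violated properties (0 = consistent), -1 on a bad block number. */
int check_trace(const event_t *ev, size_t n) {
    bool data_on_disk[MAX_BLOCKS] = {0}, free_on_disk[MAX_BLOCKS] = {0};
    bool wiped[MAX_BLOCKS] = {0}, sensitive[MAX_BLOCKS] = {0};
    int  latest[MAX_BLOCKS] = {0}, violations = 0;

    for (size_t i = 0; i < n; i++) {
        int b = ev[i].block;
        if (b < 0 || b >= MAX_BLOCKS) return -1;
        switch (ev[i].kind) {
        case EV_DATA_WRITE:
            /* NRP: an older in-transit version must never land on a newer one */
            if (ev[i].version < latest[b]) violations |= NRP_VIOLATION;
            else latest[b] = ev[i].version;
            data_on_disk[b] = true; free_on_disk[b] = false; wiped[b] = false;
            sensitive[b] = ev[i].sensitive;
            break;
        case EV_META_REF:
            /* POP: the data must be on storage before a pointer to it is */
            if (!data_on_disk[b]) violations |= POP_VIOLATION;
            break;
        case EV_SECURE_DELETE:
            wiped[b] = true; data_on_disk[b] = false;
            break;
        case EV_FREE_PERSISTED:
            /* ROP corner case: a sensitive block is securely deleted before
             * its free status becomes persistent */
            if (sensitive[b] && !wiped[b]) violations |= ROP_VIOLATION;
            free_on_disk[b] = true;
            break;
        case EV_REUSE:
            /* ROP: no reuse until the free status is on storage */
            if (!free_on_disk[b]) violations |= ROP_VIOLATION;
            sensitive[b] = false; wiped[b] = false;
            break;
        }
    }
    return violations;
}

#define TRACE_LEN(a) (sizeof (a) / sizeof (a)[0])

/* Constructed traces: the ordering the properties guarantee, then one violation each. */
int trace_ordered(void) {
    event_t t[] = { { EV_DATA_WRITE, 3, 1, true }, { EV_META_REF, 3, 1, true },
                    { EV_SECURE_DELETE, 3, 1, true }, { EV_FREE_PERSISTED, 3, 1, true },
                    { EV_REUSE, 3, 2, false }, { EV_DATA_WRITE, 3, 2, false },
                    { EV_META_REF, 3, 2, false } };
    return check_trace(t, TRACE_LEN(t));
}
int trace_pointer_before_data(void) { /* "Without Pointer-ordering Property" */
    event_t t[] = { { EV_META_REF, 3, 1, true }, { EV_DATA_WRITE, 3, 1, true } };
    return check_trace(t, TRACE_LEN(t));
}
int trace_free_before_wipe(void) {    /* "Without Reuse-ordering Property" */
    event_t t[] = { { EV_DATA_WRITE, 3, 1, true }, { EV_META_REF, 3, 1, true },
                    { EV_FREE_PERSISTED, 3, 1, true }, { EV_REUSE, 3, 2, false } };
    return check_trace(t, TRACE_LEN(t));
}
int trace_rollback(void) {            /* NRP: a stale in-transit version lands last */
    event_t t[] = { { EV_DATA_WRITE, 3, 2, true }, { EV_META_REF, 3, 2, true },
                    { EV_DATA_WRITE, 3, 1, true } };
    return check_trace(t, TRACE_LEN(t));
}
```

The checker keeps only per-block booleans and a version counter, which is what makes the consistency properties useful for verification: each corner case on the slide becomes a local ordering rule on a handful of events rather than a question about the whole storage stack.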
Implementation & Verification
• Prototyped under Linux, for disk and flash
  • Used ext3, which holds file-system-consistency properties
  • Inserted ~60 TAP calls
• Core framework component verified via model-checking-like methods and two-version programming
  • Systematically verified 10K unique states and 2.7M state transitions
  • Include the cases for common crashes
[Siv05] 53
Flash Storage Evaluation
• Evaluated using OpenSSH compilation and modified PostMark benchmarks
  • OpenSSH: 1.6x slowdown for 27% files marked sensitive under openbsd-compat directory
  • PostMark: 3.4x slowdown for first 5% files marked sensitive
• Performance comparable to other works that involve tailored and extensive system changes
[Jou06, Kat97, Wei11] 54
Related Work
Columns: F. per-file; E. encryption-free; D. data-path-wide; S. storage-medium-agnostic; L. limited changes to legacy code; M. securely delete metadata; C. handle crashes
[Table: levels and solutions against columns F E D S L M C; only the ‘?’ marks survived extraction, the other cell marks are not recoverable]
Storage management
• Secure delete encrypted device/partition key
• Specialized hard drive commands
• Specialized flash medium commands (page granularity)
File system
• Stackable file system deletion
• Modified file system – deletion through overwriting
• Modified file system – deletion through encryption ? ?
User space
• User-space solution on top of flash file system ?
• Overwriting tools
Remote
• Dedicated server(s) for encryption keys ?
• Encrypted backup system ?
Data-path-wide
• Modified flash file systems – device erasures and/or overwriting ? ?
• Modified flash file systems – encryption with key erasure ? ?
• Semantically-Smart Disk Systems [Siv03]
• Type-Safe Disks [Siv06]
• Data Node Encrypted File System [Rea12]
• TrueErase
55
Lessons Learned
• Retrofitting security features is quite complex
  • Need to know the entire data path
  • File-system-consistency properties crucial to make verification tractable
• Propagating information is tricky
  • Especially in the face of asynchrony
  • Important to keep legacy flow intact
  • Allow secure-deletion operations to be defined at the storage-management layer
56
Lessons Learned
• Tracking information can be challenging
  • Unlike network, in-transit requests can be cancelled and consolidated
  • Tracking granularities vary throughout
  • Metadata blocks can be shared
  • Access to non-sensitive file can bring sensitive info into memory
• Hard to gain raw flash access for research and development
  • Vendors should find ways to make HW more open
57
Conclusion
• We have designed, implemented, evaluated, and verified a secure-deletion solution that
  • Irrecoverably deletes file data and metadata
  • General and backward-compatible to different storage types and popular file systems
  • Acceptable performance
  • Systematically verified (rare in existing solutions)
  • Handles common crashes
58
Questions?
59
References
[CWE12] CWE - CWE-327: Use of a Broken or Risky Cryptographic Algorithm (2.2): http://cwe.mitre.org/data/definitions/327.html. Accessed: 2012-09-05.
[Die08] Diesburg, S.M., Meyers, C.R., Lary, D.M. and Wang, A.I.A. 2008. When cryptography meets storage. Proceedings of the 4th ACM International Workshop on Storage Security and Survivability (2008), 11–20.
[Jou06] Joukov, N., Papaxenopoulos, H. and Zadok, E. 2006. Secure deletion myths, issues, and solutions. Proceedings of the Second ACM Workshop on Storage Security and Survivability (New York, NY, USA, 2006), 61–66.
[Kat97] Katcher, J. 1997. Postmark: A new file system benchmark. Technical Report TR3022, Network Appliance, 1997. www.netapp.com/tech_library/3022.html.
[Rea12] Reardon, J., Capkun, S. and Basin, D. 2012. Data Node Encrypted File System: Efficient Secure Deletion for Flash Memory. 21st USENIX Security Symposium (Aug. 2012).
60
[Siv03] Sivathanu, M., Prabhakaran, V., Popovici, F.I., Denehy, T.E., Arpaci-Dusseau, A.C. and Arpaci-Dusseau, R.H. 2003. Semantically-smart disk systems. Proceedings of the 2nd USENIX Conference on File and Storage Technologies (2003), 73–88.
[Siv05] Sivathanu, M., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H. and Jha, S. 2005. A logic of file systems. Proceedings of the 4th USENIX Conference on File and Storage Technologies - Volume 4 (Berkeley, CA, USA, 2005), 1–1.
[Siv06] Sivathanu, G., Sundararaman, S. and Zadok, E. 2006. Type-safe disks. Proceedings of the 7th Symposium on Operating Systems Design and Implementation (Berkeley, CA, USA, 2006), 15–28.
[Ven11] Venkatesh, A., Dunkle, D. and Wortman, A. 2011. Evolving Patterns of Household Computer Use: 1999-2010. University of California, Irvine.
[Wei11] Wei, M., Grupp, L.M., Spada, F.E. and Swanson, S. 2011. Reliably erasing data from flash-based solid state drives. Proceedings of the 9th USENIX Conference on File and Storage Technologies (Berkeley, CA, USA, 2011), 8–8.
61