TrueErase slide deck (source file: awang/trueerase/nvramos2011.pdf)
TrueErase: Full-storage-data-path
Per-file Secure Deletion
Sarah Diesburg Christopher Meyers Mark Stanovich
Michael Mitchell Justin Marshall Julia Gould
An-I Andy Wang
Florida State University
Geoff Kuenning
Harvey Mudd College
Overview
Problem
Per-file secure-deletion is difficult to achieve
Important for expired data, statute of limitations, etc.
Existing solutions tend to be
Limited to a segment of legacy storage data path
File-system- or storage-medium-specific
TrueErase
Storage-data-path-wide solution
Works with common file systems & storage media
The Problem
Most users believe that files are deleted once
Files are no longer visible
The trash can is emptied
The partition is formatted
In reality
Actual data remains
The Problem
Decommissioned storage devices leak sensitive information
What is secure deletion?
Rendering a file’s deleted content and metadata (e.g., name) irrecoverable
/dir/file
[Figure: dir i-node, "file" directory entry, file i-node, data block; allocation bitmap 11110000…]
What is secure deletion?
Rendering a file’s deleted content and metadata (e.g., name) irrecoverable
rm /dir/file
[Figure: the same dir i-node, "file" directory entry and file i-node after rm; allocation bitmap 11010000…]
How hard can this be?
Diverse threat models
Attacks on backups, live systems, cold boot attacks, covert channels, policy violations, etc.
Our focus
Dead forensic attacks on local storage
Occur after the computer has been shut down properly
Basic Research Question
Under the most benign environments
What can we design and build to ensure that
the secure deletion of a file is honored?
Throughout the legacy storage data path
TrueErase: A Storage-data-path-wide Framework
Irrevocably deletes data and metadata
Offers a unique combination of properties
Compatible with legacy apps, file systems, and
storage media
Per-file deletion granularity
Solution covers the entire data path
Can survive common system failures
Core logic systemically verified
Legacy Storage Data Path
Limited control over metadata
Not aware of storage medium; limited control over storage locations
No access to a block’s type, file ownership, in-use status
[Figure: storage data path layers: applications, file system, storage management, storage]
Existing Secure-deletion Solutions
May leak metadata information
Cannot ensure in-place updates
Encryption will not help
Hard to provide per-file solutions
Cross-layer solutions tend to be file-system- and medium-specific
[Figure: storage data path layers: applications, file system, storage management, storage]
Other Secure-deletion Challenges
No legacy requests to delete data blocks
For performance
Legacy optimizations
Requests can be split, reordered, cancelled, consolidated, buffered, with versions in transit
Lack of global IDs
Crashes/verification
TrueErase Overview
A centralized, per-file secure-deletion framework
[Figure: storage data path (applications, file system, storage management, storage) with the TrueErase components: user model, TAP, secure-deletion commands]
TrueErase Overview
User model
Use extended attributes to specify files/dirs for secure deletion
Compatible with legacy applications
TrueErase Overview
Type/attribute propagation module (TAP)
File system reports pending updates
Uses global unique IDs to track versions
Tracks only soft states
No need for mechanisms to recover states
TrueErase Overview
Enhanced storage-management layer
Can inquire about file-system-level info
Added secure-deletion commands for various storage media
Disabled some optimizations (e.g., storage-built-in cache)
TrueErase Overview
After a crash
All replayed and reissued deletions are done securely
All data/metadata in the storage data path from the prior session will be securely deleted
TrueErase Assumptions
Benign personal computing environment
Uncompromised, single-user, single-file-system, non-RAID, non-distributed system
Dead forensics attacks
Full control of storage data path
Journaling file systems that adhere to the consistency properties specified in [SIVA05]
All updates are reported
Does not handle user copies (no tainting)
TrueErase Design
User model
TAP
Enhanced storage-management layer
Exploiting file-system-consistency properties to identify and handle corner cases
User Model
Ideally, use traditional file-system permission semantics
Use extended-attribute-setting tools to mark
files/dirs sensitive
Which will be securely deleted from the entire storage data path
Legacy apps just operate on specified files/dirs
Name Handling
Legacy file-permission semantics
[Figure: dir i-node, "file" directory entry, file i-node, data; label: permission]
Name Handling
Legacy file-permission semantics
TrueErase’s sensitive status
[Figure: the dir i-node / directory entry / file i-node / data chain drawn twice, labelled "permission" and "sensitive status"]
Toggling of the Sensitive Status
Implications
Tracking update versions for all files at all times
Or, removing old versions for all files at all times
TrueErase
Enforces secure deletions for files/dirs that have stayed sensitive since their creation
Name Handling
By the time one can set attributes of a file
File name may already be stored non-sensitively
Some remedies
Inherit the sensitive status
Creating a file under a sensitive directory
smkdir wrapper script
Creates a temporary name, marks it sensitive, and renames it to the sensitive name
TAP Module
Tracks and propagates info from the file-system layer to the storage-management layer
Challenges
Where to instantiate the deletion requests to file content?
What and how to track?
How to interact with TAP?
Where to instantiate deletion requests to file content?
Can a file system just issue zeroed blocks?
[Figure: storage data path (applications, file system, storage management, storage) with TAP alongside; data blocks followed by blocks of 0s]
Where to instantiate deletion requests to file content?
Instead, a file system attaches deletion reminders to other deletion requests (zeroing allocation bits)
Where to instantiate deletion requests to file content?
Storage-management layer can choose secure-deletion methods that match the underlying storage medium
[Figure: storage data path with TAP; at the storage layer the data is replaced by 0/1s or removed by an explicit erase]
What to track?
Tracking deletion is not enough
At the secure-deletion time
Versions of a file’s blocks may have been stored
Metadata may not reference old versions
Need additional persistent states to track old versions
TrueErase deletes old versions along the way
Overwriting sensitive data = secure deletion + update (secure write)
Tracks all in-transit sensitive updates
What to track?
Tracking sensitive updates is still not enough
Metadata items are small
A metadata block can be shared by files with mixed sensitive status
A non-sensitive request can make sensitive metadata appear in the storage data path
TrueErase tracks all in-transit updates
For simplicity and verification
How to track?
Challenges
Reuse of name space (i-node number), data structures, memory addresses
Versions of requests in transit
TrueErase
Global unique page ID per memory page
Tracking Granularity
TrueErase tracks physical sector numbers (e.g., 512B)
Smallest update unit
GUID: global unique page ID + sector number
How to interact with TAP?
Report_write() creates a per-sector tracking entry
Report_delete() attaches deletion reminders to a tracking entry
Report_copy() clones a tracking entry and transfers reminders
Cleanup_write() deletes a tracking entry
Check_info() retrieves the sensitive status of a sector and its reminders
Enhanced Storage-management Layer
Decide which secure-deletion method to use
Based on the underlying storage medium
We used NAND flash for this demonstration
NAND Flash Basics
Writing is slower than reading
Erasure can be much slower
NAND reads/writes in flash pages
Deletes in flash blocks
Consisting of contiguous pages
NAND Flash Basics
In-place updates are not allowed
Flash block containing the page needs to be erased before being written again
In-use pages are migrated elsewhere
Each location can be erased 10K -1M times
Flash Translation Layer (FTL)
To optimize performance
FTL remaps an overwrite request to an erased empty page
To prolong the lifespan
Wear leveling evenly spreads the number of erasures across storage locations
Added NAND Secure-deletion Commands
Secure_delete(pages)
Copies other in-use pages from the current flash block to elsewhere
Issue erase command on the current block
Secure_write(page)
Write the new page
Call Secure_delete() on the old (if applicable)
Crash Handling
A crash may occur during a secure operation
Page migration may not complete
Since copies are done first
No data loss; but potential duplicates
Journal recovery mechanisms will reissue the request, and secure operations will continue
Wear Leveling
When flash runs low on space
Wear leveling compacts in-use pages into fewer flash blocks
Problem: internal storage reorganization
No respect for file boundaries, sensitive status
Wear Leveling
TrueErase
Stores a sensitive-status bit in per-page control areas
Used to enforce secure-deletion semantics
May not always be in sync with the file-system-level sensitive status
E.g., short-lived files
When the bit disagrees with file system’s secure status, mark the bit sensitive and treat it as such
File-system-consistency Properties and Secure Deletion
File-system-consistency properties
A file’s metadata reference the right data and metadata versions throughout the data path
For non-journaling file systems
Reuse-ordering & pointer-ordering properties
Without both (e.g., ext2), a file may end up with blocks from another file
For journaling file systems
Non-rollback property
Without Pointer-ordering Property
[Figure sequence, memory vs. storage, with applications / file system / storage management / storage and TrueErase alongside: file A’s metadata and data, then file B’s metadata and data, as they propagate]
Secure deletion of A can end up deleting B’s block
Pointer-ordering Property
[Figure sequence, memory vs. storage: file A’s metadata and data propagating]
Data blocks are propagated first
May need to perform secure write
Need to handle crash at this point (remove unreferenced sensitive blocks at recovery time)
Need to ensure persistence (e.g., disabling storage-built-in caches)
![Page 59: TrueErase: Full-storage-data-path Per-file Secure Deletionawang/trueerase/nvramos2011.pdfGeoff Kuenning Harvey Mudd College Overview Problem Per-file secure-deletion is difficult to](https://reader035.vdocuments.mx/reader035/viewer/2022070218/6125393e3469fc0c055eaf8b/html5/thumbnails/59.jpg)
Without Reuse-ordering Property
60
file A’s
metadata
data
data
file A’s
metadata
applications
file system
storage
management
storage
TrueErase
memory
storage
![Page 60: TrueErase: Full-storage-data-path Per-file Secure Deletionawang/trueerase/nvramos2011.pdfGeoff Kuenning Harvey Mudd College Overview Problem Per-file secure-deletion is difficult to](https://reader035.vdocuments.mx/reader035/viewer/2022070218/6125393e3469fc0c055eaf8b/html5/thumbnails/60.jpg)
Without Reuse-ordering Property
61
file A’s
metadata
data
file A’s
metadata
applications
file system
storage
management
storage
TrueErase
memory
storage
![Page 61: TrueErase: Full-storage-data-path Per-file Secure Deletionawang/trueerase/nvramos2011.pdfGeoff Kuenning Harvey Mudd College Overview Problem Per-file secure-deletion is difficult to](https://reader035.vdocuments.mx/reader035/viewer/2022070218/6125393e3469fc0c055eaf8b/html5/thumbnails/61.jpg)
Without Reuse-ordering Property
62
[Figure: same layer diagram; file A's metadata and data block, plus file B's metadata and data block, across memory and storage]
Without Reuse-ordering Property
63
[Figure: same layer diagram; file A's metadata and data block, plus file B's metadata and data block, across memory and storage]
• Secure deletion of A can end up deleting B's block
Reuse-ordering Property
64
[Figure: layer diagram (applications / file system / storage management / storage, TrueErase alongside); file A's metadata and two data blocks in memory, file A's metadata on storage]
Reuse-ordering Property
65
[Figure: same layer diagram; file A's metadata and one data block in memory, file A's metadata on storage]
• A block cannot be reused until its free status is persistent
Reuse-ordering Property
66
[Figure: same layer diagram; file A's metadata and one data block in memory, file A's metadata on storage]
• Pending updates to the unreferenced data block should not be written
• Unreferenced in-memory data blocks need to be wiped
Reuse-ordering Property
67
[Figure: same layer diagram; file A's metadata and one data block in memory, file A's metadata on storage]
• By pointer ordering, all prior data updates are flushed
• Secure delete the data block before making its free status persistent
Reuse-ordering Property
68
[Figure: same layer diagram; file A's metadata in memory and on storage, data block gone]
• A crash will show secure deletion in progress
• Recovery mechanism will reissue file deletion
Reuse-ordering Property
69
[Figure: same layer diagram; file A's metadata in memory and on storage]
• Need to ensure persistence (e.g., disabling storage-built-in caches)
Reuse-ordering Property
70
[Figure: same layer diagram; file A's metadata in memory and on storage]
• Static file types and ownerships for in-transit blocks
• Still need GUIDs to track versions
• Need to handle dynamic sensitive mode changes (once marked sensitive, always sensitive)
Reuse-ordering Property
71
[Figure: same layer diagram; file A's metadata in memory and on storage, plus file B's metadata and data block]
Non-rollback Property
Older versions of updates will not overwrite
newer versions persistently
Implications
An update followed by a secure deletion will be
applied in the right order
Need to disable some optimizations at the
storage-management layer (e.g., built-in cache)
Merging/splitting requests okay (we track sectors)
A consolidated update is sensitive, if one is
sensitive
72
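The reuse-ordering hazard shown on the slides above (secure deletion of A wiping a block that B has already reused) and the fix (wipe first, then make the free status persistent, and allocate only from persistently free blocks), as an added toy model; this is not TrueErase's code, and ToyFS, scenario and the one-block device are constructed for illustration:

```python
class ToyFS:
    """Constructed model of a file system with an in-memory allocator view
    and a separate persistent (on-storage) free status."""

    def __init__(self, nblocks):
        self.storage = {b: b"" for b in range(nblocks)}  # persistent contents
        self.free_in_memory = set(range(nblocks))          # allocator's view
        self.free_persistent = set(range(nblocks))         # free status on storage
        self.files = {}                                    # name -> block
        self.pending_wipes = []                            # freed, not yet wiped

    def create(self, name, data, reuse_ordering):
        # Reuse-ordering: only blocks whose free status is persistent may be
        # handed out. Without it, anything freed in memory is reused at once.
        pool = self.free_persistent if reuse_ordering else self.free_in_memory
        block = min(pool)
        self.free_in_memory.discard(block)
        self.free_persistent.discard(block)
        self.files[name] = block
        self.storage[block] = data
        return block

    def delete(self, name, reuse_ordering):
        block = self.files.pop(name)
        if not reuse_ordering:
            self.free_in_memory.add(block)    # reusable immediately ...
            self.pending_wipes.append(block)  # ... but wiped only later
            return
        # Secure delete the block before its free status becomes persistent.
        self._secure_wipe(block)
        self.free_in_memory.add(block)
        self.free_persistent.add(block)

    def flush(self):
        # Deferred wipes reach storage; by now the block may belong to B.
        for block in self.pending_wipes:
            self._secure_wipe(block)
            self.free_persistent.add(block)
        self.pending_wipes.clear()

    def _secure_wipe(self, block):
        self.storage[block] = b"\x00" * len(self.storage[block])


def scenario(reuse_ordering):
    """Delete A, then create B on a one-block device; return B's stored bytes."""
    fs = ToyFS(nblocks=1)
    fs.create("A", b"secret-A", reuse_ordering)
    fs.delete("A", reuse_ordering)
    fs.create("B", b"data-B", reuse_ordering)
    fs.flush()
    return fs.storage[fs.files["B"]]
```

Without the property, `scenario(False)` returns six zero bytes: the deferred wipe of A's block destroyed B's data. With it, B's block survives and A's contents were wiped before the block could be reused.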
Structure of Corner Cases
Ensuring that a secure deletion occurs before
a block is persistently declared free
Hunting down the persistent sensitive blocks
left behind after a crash
Making sure that secure deletion is not
applied to the wrong file
Making sure that a securely deleted block is
not overwritten by a buffered unreferenced block
Handling versions of requests in transit
73
Crash Handling
At recovery time
Replay journal and reissue incomplete deletion
operations, with all operations handled securely
For flash, securely delete the journal and sensitive
blocks not referenced by the file system
For disk, securely overwrite journal and all free
space
74
TrueErase Implementation
Linux 2.6.25
File system: ext3 with its jbd journaling layer
Proven to adhere to the file-system-consistency
properties [SIVA05]
NAND flash: SanDisk’s DiskOnChip
Lack of access to flash development environments
Dated hardware, but the same design principle
Storage-management layer: Inverse NAND
File Translation Layer (INFTL)
75
Implementation-level Highlights
Steps in deletion sequence can be expressed
in secure write/delete data/metadata
Exploited group-commit semantics
Reduced the number of secure operations
Handled buffer/journal copies
Handled consolidation within and across
journal transactions
76
Verification
Basic cases
Sanity checks
PostMark with 20% sensitive files
Reporting of all updates
File-system-consistency-based corner cases
TAP state-space verification
77
TAP State-space Verification
State-space enumeration
Tracked down ~10K unique reachable states,
~2.7M state transitions
Reached depth of 16 in the state-space tree
Used two-version programming for
verification
One based on conceptual rules
One based on the TAP kernel module
Identified 4 incorrect rules and 3 bugs
78
Empirical Evaluation
Workloads
PostMark
Modified with up to 10% of sensitive files
Sensitive files can be chosen randomly
Each file operation takes < 0.17 seconds
Good enough for interactive use
OpenSSH make + sync, with 27% of newly created
files marked sensitive
Overhead within a factor of two
79
Related Work
TRIM command
FADED
Type-safe disk
Modified YAFFS with secure-deletion support
TrueErase
Legacy-compatible, persistent-state-light,
centralized info-propagation channel
80
Lessons Learned
Retrofitting security features is more complex
than we thought
The general lack of raw flash access and
development environments
Vendors try to hide complexities
File-system consistency and secure deletion rely
on exposed controls/details for data
layout/removal
81
Lessons Learned
A holistic solution would not be possible
Without expertise across layers and research
fields
Highlights the importance of knowledge
integration
82
Conclusion
We have presented the design,
implementation, evaluation, and verification
of TrueErase
Legacy-compatible, per-file, secure-deletion
framework
A secure-deletion solution that can withstand
diverse threats remains elusive
TrueErase is a promising step toward this goal
83
Acknowledgements
National Science Foundation
Department of Education
Philanthropic Educational Organization
Florida State University Research Foundation
84
Questions?
Google keyword: TrueErase
Thank you for your attention!
85