Presentation is loading. Please wait.

Presentation is loading. Please wait.

Full-Datapath Secure Data Deletion Sarah Diesburg 5/4/2009 1.

Published byHerbert Sanders Modified over 9 years ago

Similar presentations

Presentation on theme: "Full-Datapath Secure Data Deletion Sarah Diesburg 5/4/2009 1."— Presentation transcript:

1 Full-Datapath Secure Data Deletion Sarah Diesburg 5/4/2009 1

2 Overview Problem  Current secure deletion methods do not work State of the art  Optimistic system-wide assumptions Research  Holistic way to perform secure deletion 2

3 The Problem Decommissioned drives and storage devices leak sensitive information Problem State of the Art Research 3

4 The Problem Most users believe that files cannot be retrieved once  Files are no longer visible  The trashcan is emptied  The partition is formatted Problem State of the Art Research 4

5 Ideal Secure Deletion Irrevocably delete corresponding data and file/directory information Be easy to use Allow per-file granularity of deletion Achieve acceptable performance Behave correctly in the presence of failures Work with modern file systems Work with emerging storage media 5 Problem State of the Art Research

6 Secure Deletion Problem No ideal solution exists  Why? Conventional secure deletion methods are isolated  Make assumptions of other components  Secure deletion may fail 6 Problem State of the Art Research

7 General Secure Deletion Methods Methods include 1. Physical destruction 2. Data overwriting 3. Encryption with key erasure Physical destruction does not provide per- file deletion  Concentrate on methods (2) and (3) 7 Problem State of the Art Research

8 Layer-specific Methods Application- and file-system-layer solutions  Rely on in-place overwrites, which may not be honored by lower layers (e.g. RAID, journaling)  Write can preempt other writes to same location Storage-medium-specific solutions  Limited information from higher layers  No knowledge If block is sensitive, alive, dead  No per-file flash solutions 8 Problem State of the Art Research

9 Review of Research Goal We want easy to use, per-file, secure deletion to work with all datapath components  Type of storage should not matter  Type of file system should not matter Proposed solution: add secure semantics that span entire datapath 9 Problem State of the Art Research

10 Full Datapath Secure Deletion Components  User interaction Mark sensitive files using file system  Datapath extensions File system Storage management  Secure deletion semantics in storage management 10 Problem State of the Art Research

11 Data Path Expansion Lower layers do not know  Which files are sensitive  Which files are deleted Need to send information down somehow  Out-of-band  Hybrid  In-band 11 Problem State of the Art Research

12 Out-of-band Approach Add two FS requests to communicate out-of-band information  Secure allocate  Secure deallocate Extend storage management to handle new requests 12 Problem State of the Art Research

13 Out-of-band Challenges +Simple design – just add what we need - Crash scenarios  Metadata updated, delete request not make it  Delete request makes it, metadata not updated  Not easy to journal new requests - Files must be securely marked in both file system and flash  Problem occurs when media writes not in-place 13 Problem State of the Art Research

14 Hybrid Approach Pass secure information in-band Communicate secure delete out-of-band Tailor storage management accordingly 14 Problem State of the Art Research

15 Hybrid Challenges +Files only need to be securely marked in file system -Crash scenarios  Metadata updated, delete request not make it  Delete request makes it, metadata not updated  Not easy to journal new request or in-band info Does not discern secure info from file updates 15 Problem State of the Art Research

16 In-band Approach Write of 0’s implies secure deletion Information piggybacked on existing request structure Tailor storage management accordingly 16 Problem State of the Art Research

17 In-band Challenges + No new requests - Writing 0’s means a number of things 1. Writing data of all 0s 2. Marking file region as empty Partial FS block write 17 Problem State of the Art Research

18 Secure Deletion Semantics Concentrate on flash storage management Flash has different constraints than hard drives 18 Problem State of the Art Research

19 Flash Background Flash constraints  Data area must be explicitly erased before written  Erasures are slow  A data location can be erased up to 100,000 times Solution  Put in-place writes elsewhere on flash!  Avoid erasing data whenever possible 19 Problem State of the Art Research

20 20 Default Flash Write Behavior Flash management software rotates the usage of locations OS secrets Flash 0123456 Logical AddressPhysical Address 00 11 secrets 20 Problem State of the Art Research

21 21 Default Flash Write Behavior Flash management software rotates the usage of locations OS Logical AddressPhysical Address 00 11 Write random bits to 1 secrets Flash 0123456 secrets 21 Problem State of the Art Research

22 22 Default Flash Write Behavior Logical AddressPhysical Address 00 12 Write random bits to 1 secrets Flash 0123456 randomsecrets 22 Problem State of the Art Research OS Overwrites go to new block instead of original block Dead data left behind until that block is erased

23 Is this a problem? 23 Removal via hot airUniversal chip reader We must somehow erase sensitive data! 23 Problem State of the Art Research Raw flash chips can be removed and placed in a reader

24 Storage Management Secure Deletion Semantics Secure write Secure delete 24 Problem State of the Art Research

25 25 Secure Write We could modify the flash management software to delete dead, sensitive data on in-place update OS Logical AddressPhysical Address 00 11 Secure write new to 1 secrets Flash 0123456 secrets 25 Problem State of the Art Research

26 26 Secure Write OS Logical AddressPhysical Address 00 12 Flash 0123456 new secret secrets Erase! Secure write new to 1 26 Problem State of the Art Research Regular writes occur as normal

27 27 Secure Deletion We could modify the flash management software to delete sensitive data during file deletion OS Delete 1 secrets Flash 0123456 secrets 27 Problem State of the Art Research Logical AddressPhysical Address 00 11

28 28 Secure Deletion Just erase corresponding location OS Flash 0123456 secrets Erase! Delete 1 28 Problem State of the Art Research Logical AddressPhysical Address 00

29 Extra Challenges Atomicity of relevant file-system updates  Some operations must happen at once Dealing with asynchronous requests Incorporating journaling Optimizing future flash media management 29 Problem State of the Art Research

30 Summary This research will provide a full-datapath secure deletion model that is Easy to use With acceptable performance Crash resistant Compatible to modern file systems as well as with emerging solid-state storage 30

31 Questions? 31

32 BACKUP SLIDES 32

33 Thesis Statement Secure deletion can be accomplished through a full-datapath solution Research objectives 1. Demonstrate working full-datapath secure deletion framework 2. Optimize framework for an emerging storage media for which current methods do not work  Flash media 33 Problem State of the Art Research

34 Anticipated Challenges Correct full-datapath secure deletion model  Correct data categorization  System failures (e.g. journal, page cache, FTL) Creating efficient models for future flash management software  Acceptable performance  Reducing number of slow flash operations 34 Problem State of the Art Research

35 File System Methods Two types of secure deletion file systems exist:  Block-based file systems  Storage-specific file systems 35

36 File Systems Typical file systems expect disk  Block layer interface converts FS blocks into sectors Storage-specific file systems directly manage underlying storage units  No page cache  May implement own journal 36

37 Storage-specific FS Secure Deletion Limitations Optimized for specific type of storage  Cannot put hard drive under flash file system, etc. Deletes all files securely  User cannot specify specific files  Performance disadvantage 37

38 Crash Scenarios File system  Data erased, metadata not updated  Metadata updated, data not erased Block layer  Erase command in page cache during power- outage Flash  Copying good flash pages first during erase command 38

39 AON Transform Transform that is hard hard to invert unless all of the output is known 39 H  H  H  H  K = Encrypted data E( ) random key H( ) plaintext ciphertext tab

Download ppt "Full-Datapath Secure Data Deletion Sarah Diesburg 5/4/2009 1."

Similar presentations

Paper by: Yu Li, Jianliang Xu, Byron Choi, and Haibo Hu Department of Computer Science Hong Kong Baptist University Slides and Presentation By: Justin.

Paper by: Yu Li, Jianliang Xu, Byron Choi, and Haibo Hu Department of Computer Science Hong Kong Baptist University Slides and Presentation By: Justin.
Flash storage memory and Design Trade offs for SSD performance

Flash storage memory and Design Trade offs for SSD performance
Full-Datapath Secure Deletion Sarah Diesburg 1. Overview Problem  Current secure deletion methods do not work State of the art  Optimistic system-wide.

Full-Datapath Secure Deletion Sarah Diesburg 1. Overview Problem  Current secure deletion methods do not work State of the art  Optimistic system-wide.
Chapter 10: File-System Interface

Chapter 10: File-System Interface
Chapter 11: File System Implementation

Chapter 11: File System Implementation
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 8: Troubleshooting Storage Devices and Display Devices.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 8: Troubleshooting Storage Devices and Display Devices.
File Management Systems

File Management Systems
File System Implementation

File System Implementation
CS 333 Introduction to Operating Systems Class 18 - File System Performance Jonathan Walpole Computer Science Portland State University.

CS 333 Introduction to Operating Systems Class 18 - File System Performance Jonathan Walpole Computer Science Portland State University.
Chapter 11 Operating Systems

Chapter 11 Operating Systems
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.
Operating Systems.

Operating Systems.
File System Reliability. Main Points Problem posed by machine/disk failures Transaction concept Reliability – Careful sequencing of file system operations.

File System Reliability. Main Points Problem posed by machine/disk failures Transaction concept Reliability – Careful sequencing of file system operations.
CSE 451: Operating Systems Winter 2010 Module 13 Redundant Arrays of Inexpensive Disks (RAID) and OS structure Mark Zbikowski Gary Kimura.

CSE 451: Operating Systems Winter 2010 Module 13 Redundant Arrays of Inexpensive Disks (RAID) and OS structure Mark Zbikowski Gary Kimura.
File System. NET+OS 6 File System Architecture Design Goals File System Layer Design Storage Services Layer Design RAM Services Layer Design Flash Services.

File System. NET+OS 6 File System Architecture Design Goals File System Layer Design Storage Services Layer Design RAM Services Layer Design Flash Services.
Transactions and Reliability. File system components Disk management Naming Reliability  What are the reliability issues in file systems? Security.

Transactions and Reliability. File system components Disk management Naming Reliability  What are the reliability issues in file systems? Security.
Data Communications and Networks

Data Communications and Networks
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,

Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,
Objectives Learn what a file system does

Objectives Learn what a file system does
 FILE S SYSTEM  DIFFERENT FILE SYSTEMS  FILE SYSTEM COMPONENTS  FILE OPERATIONS  LOG STRUCTERD FILE SYSTEM  FILE EXAMPLES.

 FILE S SYSTEM  DIFFERENT FILE SYSTEMS  FILE SYSTEM COMPONENTS  FILE OPERATIONS  LOG STRUCTERD FILE SYSTEM  FILE EXAMPLES.

Similar presentations

Ads by Google