The National Science Foundation has awarded a pair of professors at The University of Alabama in Huntsville (UAH) a nearly $500,000, three-year grant to develop a better way to wipe data from the solid-state drives (SSDs) that are rapidly replacing hard drives in computing.
Speed and reliability are two advantages of SSDs, which use integrated circuit assemblies to store data, but removing all data from one before discarding or reselling it is a problem, says Dr. Biswajit Ray, an assistant professor of electrical and computer engineering, the principal investigator (PI) for the research who has co-authored a paper on the topic.
“The end users of today’s solid-state storage devices do not have the capability to remove sensitive information instantly,” Dr. Ray says. “This is a significant privacy threat. Our research will help the storage device manufacturer to offer instant data deletion functionality to the end users.”
Dr. Ray leads the Hardware Reliability and Security Lab at UAH and has five doctoral students doing research on secure and reliable storage system design. Dr. Aleksandar Milenkovic, a professor of electrical and computer engineering who is the project’s co-PI, leads UAH’s LaCASA laboratory, where doctoral student Prawar Poudel is working on secure storage.
“We are looking forward to attracting new students, as this project is funded for three years and provides support for three graduate research assistants,” Dr. Milenkovic says.
Under the grant, the two will work on open access SSD sanitization software using a process called analog scrubbing.
“We are committed to sharing our research findings with the community through publications in the conferences or journals,” Dr. Ray says of his laboratory. “In addition, the software codes will be made available through our website.”
People usually assume that when they delete a file, the file is physically removed from the medium and information cannot be recovered, says Dr. Milenkovic.
“For various technological and practical reasons, that is actually not true,” Dr. Milenkovic says. “The information is often fully or partially recoverable by those understanding the internals of the storage medium.”
Depending on type of flash memory chip used, Dr. Milenkovic says data can be retained on an SSD for up to 20 years.
“Our concern here is about preventing adversaries from recovering data that nominally have been deleted,” he says. “The problem we are trying to solve is how to develop cost-effective run-time data sanitization techniques, that will be applicable to different types of flash memories, will not impede their common operations of reading data and writing data, will not increase the wear level and will not require significant changes in hardware.”
Besides personal computers and servers, flash memory-based storage is found in smartphones and in Internet of Things (IoT) devices. As many as 42 percent of used SSDs sold on eBay have been inadequately wiped of data. Once hackers gain physical access to a vulnerable device they can recover that information, Dr. Milenkovic says.
“Think about this: you lose your USB drive, but you do not worry, because you deleted all files from it,” he says.
“However, unless you performed specialized procedures for physically removing any traces of information from the physical medium, they can recover a lot of information from your USB. To do this they would use low-level memory operations and expert knowledge of how flash memories work. The equipment for doing this is widely available and affordable.”
Sanitization of storage media is not always straightforward, Dr. Ray says.
“The standard sanitization methods make data inaccessible through digital interfaces, but the data remains on the storage media long after user deletion,” Dr. Ray says. “This is a significant privacy risk which is going to worsen with the increased use of IoT devices.”
The problem is more significant for emerging IoT applications like drones, which run on resource-limited hardware platforms, he says. These devices often store personal information and pose a significant privacy risk if proper data sanitization methods are not adopted.
Privacy concerns are further magnified by increasing amounts of daily data creation. In 2016, the amount of data crated per day was 44 ZB (zettabytes or 1018 bytes). That is forecast to increase by over 10 times to 466 ZB by 2025, according to an International Data Corp. study.
“We are very excited about this project,” Dr. Ray says, “and we look forward to making significant technical contribution for future data storage applications.”