![Page 1: TrueErase: Full-storage-data-path Per-file Secure Deletion Sarah Diesburg Christopher Meyers Mark Stanovich Michael Mitchell Justin Marshall Julia](https://reader036.vdocuments.us/reader036/viewer/2022062518/56649ef05503460f94bffda5/html5/thumbnails/1.jpg)
TrueErase: Full-storage-data-path Per-file Secure Deletion
Sarah Diesburg Christopher Meyers Mark Stanovich
Michael Mitchell Justin Marshall Julia Gould
An-I Andy Wang
Florida State University
Geoff Kuenning
Harvey Mudd College
Overview
• Problem: per-file secure deletion is difficult to achieve
  • Important for expired data, statutes of limitations, etc.
• Existing solutions tend to be
  • Limited to a segment of the legacy storage data path
  • File-system- or storage-medium-specific
• TrueErase
  • A storage-data-path-wide solution
  • Works with common file systems and storage media
The Problem
• Most users believe that files are deleted once
  • Files are no longer visible
  • The trash can is emptied
  • The partition is formatted
• In reality, the actual data remains
The Problem
• Decommissioned storage devices leak sensitive information
What is secure deletion?
• Rendering a file's deleted content and metadata (e.g., its name) irrecoverable
[Figure: /dir/file on disk. The dir i-node's data holds the name "file", which points to the file i-node, which points to the data block; the allocation bitmap (11110000…) marks these blocks in use.]
What is secure deletion?
• Rendering a file's deleted content and metadata (e.g., its name) irrecoverable
[Figure: after rm /dir/file. The name in the dir i-node and the file i-node are still on disk and the data block is not overwritten; the only change is the allocation bitmap, 11110000… → 11010000…, which now marks the data block free.]
How hard can this be?
• Diverse threat models: attacks on backups, live systems, cold-boot attacks, covert channels, policy violations, etc.
• Our focus: dead forensic attacks on local storage, which occur after the computer has been shut down properly
Basic Research Question
• Under the most benign environment, what can we design and build to ensure that the secure deletion of a file is honored throughout the legacy storage data path?
TrueErase: A Storage-data-path-wide Framework
• Irrevocably deletes data and metadata
• Offers a unique combination of properties
  • Compatible with legacy apps, file systems, and storage media
  • Per-file deletion granularity
  • Covers the entire data path
  • Can survive common system failures
  • Core logic systematically verified
Legacy Storage Data Path
[Figure: the legacy storage data path, top to bottom: applications, file system, storage management, storage]
• Applications: limited control over metadata
• File system: not aware of the storage medium; limited control over storage locations
• Storage management: no access to a block's type, file ownership, or in-use status
Existing Secure-deletion Solutions
[Figure: the storage data path (applications, file system, storage management, storage)]
• May leak metadata information
• Cannot ensure in-place updates; encryption will not help
• Hard to provide per-file solutions
• Cross-layer solutions tend to be file-system- and medium-specific
Other Secure-deletion Challenges
• No legacy requests to delete data blocks (omitted for performance)
• Legacy optimizations: requests can be split, reordered, cancelled, consolidated, or buffered, with multiple versions in transit
• Lack of global IDs
• Crashes/verification
TrueErase Overview
• A centralized, per-file secure-deletion framework
[Figure: the storage data path (applications, file system, storage management, storage) with TrueErase's three additions: a user model at the top, the TAP module between the file system and storage management, and secure-deletion commands in the storage-management layer]
TrueErase Overview
• User model
  • Uses extended attributes to specify files/dirs for secure deletion
  • Compatible with legacy applications
TrueErase Overview
• Type/attribute propagation module (TAP)
  • The file system reports pending updates
  • Uses globally unique IDs to track versions
  • Tracks only soft state, so no mechanisms are needed to recover that state
TrueErase Overview
• Enhanced storage-management layer
  • Can inquire about file-system-level info
  • Added secure-deletion commands for various storage media
  • Disabled some optimizations (e.g., the storage device's built-in cache)
TrueErase Overview
• After a crash
  • All replayed and reissued deletions are done securely
  • All data/metadata left in the storage data path from the prior session will be securely deleted
TrueErase Assumptions
• Benign personal computing environment (laptops, cellular phones)
• Uncompromised, single-user, single-file-system, non-RAID, non-distributed system
• Dead forensic attacks
• Full control of the storage data path
• Journaling file systems that adhere to the consistency properties specified in [SIVA05]
• All updates are reported
TrueErase Design
• User model
• TAP
• Enhanced storage-management layer
• Exploiting file-system-consistency properties to identify and handle corner cases
User Model
• Ideally, use traditional file-system permission semantics
• Use extended-attribute-setting tools to mark files/dirs sensitive
  • These will then be securely deleted from the entire storage data path
• Legacy apps just operate on the specified files/dirs
Name Handling
• Legacy file-permission semantics
• TrueErase's sensitive status
[Figure: /dir/file laid out as dir i-node → name "file" → file i-node → data. The legacy permission bits live in the file i-node, and the figure places TrueErase's sensitive status in the same spot, alongside the permission. The file's name lives in the directory, not in the file's own i-node.]
Toggling of the Sensitive Status: Implications
• Allowing the status to be toggled would require tracking update versions for all files at all times, or removing old versions for all files at all times
• TrueErase instead enforces secure deletion for files/dirs that have stayed sensitive since their creation
Name Handling
• By the time one can set attributes on a file, its name may already be stored non-sensitively
• Some remedies
  • Inherit the sensitive status when creating a file under a sensitive directory
  • smkdir wrapper script: creates a directory under a temporary name, marks it sensitive, and renames it to the sensitive name
TAP Module
• Tracks and propagates info from the file-system layer to the storage-management layer
• Challenges
  • Where to instantiate the deletion requests for file content?
  • What and how to track?
  • How to interact with TAP?
Where to instantiate deletion requests to file content?
• Can a file system just issue zeroed blocks?
  [Figure: the zeroed blocks travel down the data path as ordinary writes while the old data versions are still in the data path, so nothing guarantees that the old data is what gets overwritten]
• Instead, a file system attaches deletion reminders to other deletion requests (e.g., the write that zeroes the allocation bits)
• The storage-management layer can then choose a secure-deletion method that matches the underlying storage medium (e.g., overwriting with 0s/1s, or an explicit erase command)
What to track?
• Tracking deletion is not enough
  • At secure-deletion time, several versions of a file's blocks may have been stored, and the metadata may no longer reference the old versions
  • Tracking old versions would need additional persistent state
• TrueErase deletes old versions along the way
  • Overwriting sensitive data = secure deletion + update (a secure write)
  • Tracks all in-transit sensitive updates
What to track?
• Tracking sensitive updates is still not enough
  • Metadata items are small, so a metadata block can be shared by files with mixed sensitive status
  • A non-sensitive request can therefore make sensitive metadata appear in the storage data path
• TrueErase tracks all in-transit updates, for simplicity and verification
How to track?
• Challenges
  • Reuse of name space (i-node numbers), data structures, and memory addresses
  • Multiple versions of requests in transit
• TrueErase: a globally unique page ID per memory page
Tracking Granularity
• TrueErase tracks physical sector numbers (e.g., 512B), the smallest update unit
• GUID = globally unique page ID + sector number
How to interact with TAP?
• Report_write() creates a per-sector tracking entry
• Report_delete() attaches deletion reminders to a tracking entry
• Report_copy() clones a tracking entry and transfers its reminders
• Cleanup_write() deletes a tracking entry
• Check_info() retrieves the sensitive status of a sector and its reminders
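The toy model below is an added example, not code from the TrueErase authors. It puts together what slides 5-6 (rm only flips an allocation bit) and slide 39 (the TAP interface) describe: a file system whose unlink attaches a deletion reminder to the bitmap update instead of zeroing the data itself, a TAP whose per-sector tracking entries are keyed by GUID = (page ID, sector) and carry those reminders, and a storage-management layer that honors the reminders before the bitmap write lands. The sector size, the one-data-block-per-file layout, the method names and the zero overwrite standing in for the medium's secure-deletion command are all assumptions made for illustration.

```python
"""Toy rm vs. TrueErase-style secure deletion. Assumed layout (not the paper's):
sector 0 = allocation bitmap, sector 1 = directory block, sectors 2.. = one data block per file."""

SECTOR = 16          # bytes per sector (assumed tiny for readability)
N_SECTORS = 8
FIRST_DATA = 2


class TAP:
    """Type/attribute propagation: one tracking entry per in-transit sector version,
    keyed by GUID = (globally unique page ID, sector number)."""

    def __init__(self):
        self.entries = {}
        self._next_page = 0

    def report_write(self, sector, sensitive):
        guid = (self._next_page, sector)
        self._next_page += 1
        self.entries[guid] = {"sensitive": sensitive, "reminders": set()}
        return guid

    def report_delete(self, guid, victim_sectors):
        self.entries[guid]["reminders"].update(victim_sectors)

    def report_copy(self, guid, new_sector):
        clone = self.report_write(new_sector, self.entries[guid]["sensitive"])
        self.entries[clone]["reminders"] = self.entries[guid]["reminders"]
        self.entries[guid]["reminders"] = set()
        return clone

    def check_info(self, guid):
        return self.entries[guid]

    def cleanup_write(self, guid):
        del self.entries[guid]


class Storage:
    """Raw medium plus storage-management layer. With a TAP attached it behaves like
    TrueErase's enhanced layer: reminders are honored before the write lands."""

    def __init__(self, tap=None):
        self.raw = bytearray(SECTOR * N_SECTORS)
        self.tap = tap

    def secure_delete(self, sector):
        # Zero overwrite stands in for the medium-specific method (e.g. a flash block erase).
        self.raw[sector * SECTOR:(sector + 1) * SECTOR] = bytes(SECTOR)

    def write(self, sector, data, guid=None):
        if self.tap is not None and guid is not None:
            for victim in sorted(self.tap.check_info(guid)["reminders"]):
                self.secure_delete(victim)
            self.tap.cleanup_write(guid)
        self.raw[sector * SECTOR:(sector + 1) * SECTOR] = data.ljust(SECTOR, b"\0")


class ToyFS:
    """Bit i of the bitmap marks sector i in use; `sensitive` mimics the extended attribute."""

    def __init__(self, storage, tap=None):
        self.st, self.tap = storage, tap
        self.bitmap = bytearray(N_SECTORS)
        self.bitmap[0] = self.bitmap[1] = 1
        self.files = {}                      # name -> (data sector, sensitive)

    def _flush(self, sector, data, sensitive=False, victims=()):
        guid = None
        if self.tap is not None:
            guid = self.tap.report_write(sector, sensitive)
            if victims:
                self.tap.report_delete(guid, victims)
        self.st.write(sector, data, guid)

    def create(self, name, data, sensitive=False):
        sector = self.bitmap.index(0, FIRST_DATA)
        self.bitmap[sector] = 1
        self.files[name] = (sector, sensitive)
        self._flush(sector, data, sensitive)
        self._flush(1, ";".join(self.files).encode(), sensitive)
        self._flush(0, bytes(self.bitmap))

    def unlink(self, name):
        sector, sensitive = self.files.pop(name)
        self.bitmap[sector] = 0
        self._flush(1, ";".join(self.files).encode(), sensitive)
        # Legacy rm: only the bitmap bit changes. TrueErase: the bitmap write carries a
        # reminder, so the data sector is securely deleted before the free bit lands.
        self._flush(0, bytes(self.bitmap), victims=(sector,) if sensitive else ())


def remnants_after_rm(use_trueerase):
    """Create and rm a sensitive file next to a public one; inspect the raw medium."""
    tap = TAP() if use_trueerase else None
    st = Storage(tap)
    fs = ToyFS(st, tap)
    fs.create("secret.txt", b"TOP-SECRET-DATA", sensitive=True)
    fs.create("notes.txt", b"public notes")
    fs.unlink("secret.txt")
    return {"data_left": b"TOP-SECRET" in st.raw, "other_intact": b"public notes" in st.raw}


if __name__ == "__main__":
    print("legacy rm:", remnants_after_rm(False))   # data_left True
    print("TrueErase:", remnants_after_rm(True))    # data_left False
```

The point to notice is where the deletion of the content is decided: the file system never writes zeros, it only tells TAP that the bitmap update it is about to issue should take sector N with it, and the storage-management layer is the one that picks the erase method and runs it before the free status becomes persistent. Report_copy() exists so that reminders follow a tracking entry when a buffered page is cloned (e.g., for a journal), which is why the reminders move rather than being duplicated.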
Enhanced Storage-management Layer
• Decides which secure-deletion method to use, based on the underlying storage medium
• We used NAND flash for this demonstration
NAND Flash Basics
• Writing is slower than reading; erasure can be much slower
• NAND reads/writes in flash pages and erases in flash blocks, each consisting of contiguous pages
NAND Flash Basics
• In-place updates are not allowed: the flash block containing the page needs to be erased before the page can be written again
  • In-use pages in that block are migrated elsewhere first
• Each location can be erased only 10K to 1M times
Flash Translation Layer (FTL)
• To optimize performance, the FTL remaps an overwrite request to an erased, empty page
• To prolong the lifespan, wear leveling spreads erasures evenly across storage locations
Added NAND Secure-deletion Commands
• Secure_delete(pages)
  • Copies the other in-use pages from the current flash block to elsewhere
  • Issues the erase command on the current block
• Secure_write(page)
  • Writes the new page
  • Calls Secure_delete() on the old page (if applicable)
Crash Handling
• A crash may occur during a secure operation, so a page migration may not complete
• Since copies are made first, there is no data loss, only potential duplicates
• Journal recovery mechanisms will reissue the request, and the secure operations will continue
Wear Leveling
• When flash runs low on space, wear leveling compacts in-use pages into fewer flash blocks
• Problem: this internal storage reorganization has no respect for file boundaries or sensitive status
Wear Leveling
• TrueErase stores a sensitive-status bit in each page's control area, used to enforce secure-deletion semantics
• The bit may not always be in sync with the file-system-level sensitive status (e.g., for short-lived files)
• When the bit disagrees with the file system's sensitive status, mark the bit sensitive and treat the page as sensitive
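The simulation below is an added example (not the authors' FTL) of slides 41-47: a toy NAND that programs only erased pages and erases whole blocks, an FTL whose legacy write remaps an overwrite to a fresh page and leaves the stale copy behind, Secure_write and Secure_delete implemented as the slides describe (new version first, then migrate the block's other in-use pages and erase the block), and a sensitive bit in each page's control area that forces a secure write even when the file system forgets to ask for one. Page and block sizes, the control-area fields and the name `stale_copies` are assumptions; the crash comment marks the point the slides discuss, it does not simulate a crash.

```python
"""Toy NAND + FTL with TrueErase-style Secure_write/Secure_delete and a per-page sensitive
bit. Sizes and the control-area bookkeeping are assumptions for illustration."""

PAGE = 8                  # bytes per flash page
PAGES_PER_BLOCK = 4
N_BLOCKS = 4
ERASED = b"\xff" * PAGE   # NAND erased state is all ones


class NandFlash:
    """Raw NAND: program only erased pages, erase whole blocks, never update in place.
    Each page has a control area: valid bit, owning logical page, sensitive bit."""

    def __init__(self):
        self.data = [ERASED] * (N_BLOCKS * PAGES_PER_BLOCK)
        self.ctrl = [None] * (N_BLOCKS * PAGES_PER_BLOCK)   # None = erased
        self.erases = [0] * N_BLOCKS

    def program(self, ppn, data, lpn, sensitive):
        assert self.ctrl[ppn] is None, "NAND cannot overwrite a programmed page"
        self.data[ppn] = data.ljust(PAGE, b"\0")
        self.ctrl[ppn] = {"valid": True, "lpn": lpn, "sensitive": sensitive}

    def erase(self, block):
        for ppn in range(block * PAGES_PER_BLOCK, (block + 1) * PAGES_PER_BLOCK):
            self.data[ppn], self.ctrl[ppn] = ERASED, None
        self.erases[block] += 1

    def dump(self):
        return b"".join(self.data)   # what a dead-forensic reader of the chip would see


class FTL:
    """Minimal flash translation layer (logical page -> physical page)."""

    def __init__(self, nand):
        self.nand, self.map = nand, {}

    def _free_page(self, avoid_block=None):
        for ppn, c in enumerate(self.nand.ctrl):
            if c is None and ppn // PAGES_PER_BLOCK != avoid_block:
                return ppn
        raise RuntimeError("flash full")

    def write(self, lpn, data, sensitive=False):
        """Legacy remap write: the stale copy lingers until garbage collection. If the
        page's control area already says sensitive, the bit wins (once sensitive, always)."""
        old = self.map.get(lpn)
        if sensitive or (old is not None and self.nand.ctrl[old]["sensitive"]):
            return self.secure_write(lpn, data)
        ppn = self._free_page()
        self.nand.program(ppn, data, lpn, False)
        if old is not None:
            self.nand.ctrl[old]["valid"] = False
        self.map[lpn] = ppn

    def secure_write(self, lpn, data):
        old = self.map.get(lpn)
        ppn = self._free_page(None if old is None else old // PAGES_PER_BLOCK)
        self.nand.program(ppn, data, lpn, True)    # new version lands first ...
        self.map[lpn] = ppn
        if old is not None:
            self.secure_delete([old])              # ... then the old version is erased

    def secure_delete(self, ppns):
        """Migrate the other in-use pages out of each affected block, then erase it."""
        for p in ppns:
            self.nand.ctrl[p]["valid"] = False
        for block in sorted({p // PAGES_PER_BLOCK for p in ppns}):
            for ppn in range(block * PAGES_PER_BLOCK, (block + 1) * PAGES_PER_BLOCK):
                c = self.nand.ctrl[ppn]
                if c is not None and c["valid"]:
                    dst = self._free_page(avoid_block=block)
                    self.nand.program(dst, self.nand.data[ppn], c["lpn"], c["sensitive"])
                    self.map[c["lpn"]] = dst
            # A crash before this erase leaves duplicates, never data loss; recovery reissues.
            self.nand.erase(block)


def stale_copies(use_secure_write):
    """Overwrite a secret page twice and report what survives on the raw chip."""
    nand = NandFlash()
    ftl = FTL(nand)
    ftl.write(0, b"public")                     # non-sensitive neighbour in the same block
    (ftl.secure_write if use_secure_write else ftl.write)(1, b"SECRET1")
    ftl.write(1, b"SECRET2")                    # file system passes no sensitive flag here
    raw = nand.dump()
    return {"old_left": b"SECRET1" in raw, "new_present": b"SECRET2" in raw,
            "neighbour_intact": b"public" in raw, "erases": sum(nand.erases)}


if __name__ == "__main__":
    print("legacy write :", stale_copies(False))   # old_left True
    print("secure write :", stale_copies(True))    # old_left False
```

Two details carry the security argument. The new version is programmed into a different block before the old one is erased, so an interrupted Secure_write can only leave a duplicate, never lose the live copy. And the second overwrite is issued as a plain write, yet the old page's sensitive bit forces the secure path, which is exactly the disagreement rule on the slide above: the storage layer trusts whichever side says sensitive.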
File-system-consistency Properties and Secure Deletion
• File-system-consistency properties: a file's metadata reference the right data and metadata versions throughout the data path
• For non-journaling file systems: the reuse-ordering and pointer-ordering properties
  • Without both (e.g., ext2), a file may end up with blocks from another file
• For journaling file systems: the non-rollback property
Without Pointer-ordering Property
[Figure sequence (memory above, storage below, TrueErase between the file system and storage management): file A's metadata and data are in memory and propagate to storage; A's data block is later freed and handed to file B, whose metadata and new data are still in memory while storage still holds the old block contents referenced by A's metadata.]
• Secure deletion of A can end up deleting B's block
Pointer-ordering Property
[Figure sequence (memory above, storage below): file A's metadata and data in memory; the data block propagates to storage first, then A's metadata follows.]
• Data blocks are propagated first
• May need to perform a secure write
• Need to handle a crash at this point (remove unreferenced sensitive blocks at recovery time)
• Need to ensure persistence (e.g., by disabling storage-built-in caches)
Without Reuse-ordering Property
[Figure sequence (memory above, storage below): file A's metadata and data are on storage; A is deleted and its data block is freed in memory; before the free status becomes persistent, the block is allocated to file B, whose metadata in memory now references it.]
• Secure deletion of A can end up deleting B's block
![Page 63: TrueErase: Full-storage-data-path Per-file Secure Deletion Sarah Diesburg Christopher Meyers Mark Stanovich Michael Mitchell Justin Marshall Julia](https://reader036.vdocuments.us/reader036/viewer/2022062518/56649ef05503460f94bffda5/html5/thumbnails/63.jpg)
Reuse-ordering Property
64
file A’smetadata
data
data
file A’smetadata
applications
file system
storage management
storage
TrueErase
memory
storage
![Page 64: TrueErase: Full-storage-data-path Per-file Secure Deletion Sarah Diesburg Christopher Meyers Mark Stanovich Michael Mitchell Justin Marshall Julia](https://reader036.vdocuments.us/reader036/viewer/2022062518/56649ef05503460f94bffda5/html5/thumbnails/64.jpg)
Reuse-ordering Property
65
file A’smetadata
data
file A’smetadata
applications
file system
storage management
storage
TrueErase
memory
storage
• A block cannot be reused until its free status is persistent
![Page 65: TrueErase: Full-storage-data-path Per-file Secure Deletion Sarah Diesburg Christopher Meyers Mark Stanovich Michael Mitchell Justin Marshall Julia](https://reader036.vdocuments.us/reader036/viewer/2022062518/56649ef05503460f94bffda5/html5/thumbnails/65.jpg)
Reuse-ordering Property
66
file A’smetadata
data
file A’smetadata
applications
file system
storage management
storage
TrueErase
memory
storage
• Pending updates to the unreferenced data block should not be written
• Unreferenced in-memory data blocks need to be wiped
Reuse-ordering Property
67
[Figure: same data path; file A's metadata and data block in transit]
• By the pointer-ordering property, all earlier updates to the data block have already been flushed
• Securely delete the data block before making its free status persistent
Reuse-ordering Property
68
[Figure: same data path; only file A's metadata remains in transit once the data block has been wiped]
• A crash here leaves a persistent record that secure deletion was in progress
• The recovery mechanism reissues the file deletion
Reuse-ordering Property
69
[Figure: same data path; file A's metadata in transit]
• Need to ensure that the wipe and the free status actually reach the medium (e.g., by disabling the storage device's built-in write cache)
Reuse-ordering Property
70
[Figure: same data path; file A's metadata in transit]
• File types and ownership of in-transit blocks stay static while the blocks are in flight
• Still need GUIDs to track versions of a block in transit
• Need to handle dynamic sensitive-mode changes (once marked sensitive, always sensitive)
Reuse-ordering Property
71
[Figure: same data path; file B's metadata appears only after A's block has been wiped and its free status made persistent]
Non-rollback Property
Older versions of updates will not overwrite newer versions persistently
Implications
• An update followed by a secure deletion will be applied in the right order
• Need to disable some optimizations at the storage-management layer (e.g., the built-in cache)
• Merging/splitting requests is okay (we track sectors)
• A consolidated update is sensitive if any of the updates merged into it is sensitive
72
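The non-rollback rule and the consolidation rules on this slide, played out in a small Python model of a log-structured (flash-like) storage-management layer. This is an added example, not TrueErase or INFTL code: the per-sector version number stands in for TrueErase's GUIDs, the all-ones `ERASED` pattern, the out-of-place write policy and the names `LogStructuredStore`, `Request` and `scenario` are all assumptions of the example. A request for a sector is dropped when it is not newer than what is already queued or persistent, requests for the same sector are consolidated with the sensitive flag carried over, and a sensitive overwrite erases the stale copy it leaves behind, which an ordinary overwrite does not.

```python
"""Non-rollback and request consolidation at the storage-management layer.

Added example for the non-rollback slide; it is not TrueErase code.
"""
from dataclasses import dataclass
from typing import Optional

ERASED = b"\xff" * 4   # assumption: an erased flash page reads back as all ones


@dataclass
class Request:
    sector: int
    version: int             # higher = newer, as assigned by the file-system layer
    data: Optional[bytes]    # None means "securely delete this sector"
    sensitive: bool


class LogStructuredStore:
    def __init__(self, npages=8):
        self.pages = [ERASED] * npages
        self.sector_map = {}          # sector -> page holding its live copy
        self.next_page = 0
        self.persisted_version = {}   # sector -> newest version made persistent
        self.queue = {}               # sector -> consolidated pending Request
        self.dropped = []             # (sector, version) rejected as rollbacks

    def submit(self, first_sector, version, payloads, sensitive):
        """Split a multi-sector write into per-sector requests (sector-level tracking)."""
        for i, chunk in enumerate(payloads):
            self._enqueue(Request(first_sector + i, version, chunk, sensitive))

    def secure_delete(self, sector, version):
        self._enqueue(Request(sector, version, None, True))

    def _enqueue(self, req):
        newest = self.persisted_version.get(req.sector, -1)
        queued = self.queue.get(req.sector)
        if queued is not None:
            newest = max(newest, queued.version)
        if req.version <= newest:          # non-rollback: not newer -> never applied
            self.dropped.append((req.sector, req.version))
            return
        if queued is not None:             # consolidation keeps the sensitive flag
            req.sensitive = req.sensitive or queued.sensitive
        self.queue[req.sector] = req

    def flush(self):
        """Issue the consolidated queue in sector order; no device cache reorders it."""
        for sector in sorted(self.queue):
            req = self.queue[sector]
            old_page = self.sector_map.get(sector)
            if req.data is None:
                if old_page is not None:   # secure delete: erase the live page
                    self.pages[old_page] = ERASED
                    del self.sector_map[sector]
            else:
                page = self.next_page      # out-of-place write, as flash requires
                self.next_page += 1
                self.pages[page] = req.data
                self.sector_map[sector] = page
                if old_page is not None and req.sensitive:
                    self.pages[old_page] = ERASED   # stale copy of sensitive data must not survive
            self.persisted_version[sector] = req.version
        self.queue.clear()

    def read(self, sector):
        page = self.sector_map.get(sector)
        return None if page is None else self.pages[page]

    def stale_copies(self, content):
        """Pages no longer mapped to any sector that still hold `content`."""
        live = set(self.sector_map.values())
        return [p for p, d in enumerate(self.pages) if d == content and p not in live]


def scenario():
    """Constructed request stream: one sensitive file (sectors 4, 5), one ordinary file (sector 6)."""
    st = LogStructuredStore()
    st.submit(4, 1, [b"AAAA", b"aaaa"], sensitive=True)
    st.submit(6, 1, [b"pub1"], sensitive=False)
    st.flush()
    st.submit(4, 2, [b"A2A2"], sensitive=True)      # update marked sensitive ...
    st.submit(4, 3, [b"A3A3"], sensitive=False)     # ... consolidated with a newer, unmarked one
    st.submit(6, 2, [b"pub2"], sensitive=False)
    st.submit(5, 1, [b"old!"], sensitive=False)     # replay of an already-persistent version
    st.flush()
    st.secure_delete(5, 2)
    st.submit(5, 1, [b"old2"], sensitive=False)     # older than the queued secure delete
    st.flush()
    return st


if __name__ == "__main__":
    st = scenario()
    print("sector 4:", st.read(4), "sector 5:", st.read(5), "sector 6:", st.read(6))
    print("dropped rollbacks:", st.dropped)
    print("stale pub1 copies:", st.stale_copies(b"pub1"), "stale AAAA copies:", st.stale_copies(b"AAAA"))
```

Sector 4 ends up holding only the newest version, its previous page is erased because the consolidated request inherited the sensitive flag from version 2, and both stale versions of sector 5 are rejected rather than rolling the sector back. Sector 6 shows the contrast: its old page still holds `pub1`, which is acceptable only because the file was never marked sensitive.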
Structure of Corner Cases
Ensuring that a secure deletion occurs before a block is persistently declared free
Hunting down the persistent sensitive blocks left behind after a crash
Making sure that secure deletion is not applied to the wrong file
Making sure that a securely deleted block is not overwritten by a buffered, unreferenced block
Handling versions of requests in transit
73
Crash Handling
At recovery time
• Replay the journal and reissue incomplete deletion operations, with all operations handled securely
• For flash, securely delete the journal and the sensitive blocks not referenced by the file system
• For disk, securely overwrite the journal and all free space
74
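The reuse-ordering rule from slides 63 to 71 and the journal replay on this slide, played out in a small Python model of one file system over one block store. This is an added example, not TrueErase or ext3/jbd code: `StoragePath`, the single-pass zero `WIPE` pattern, the first-fit allocator and the three scenario functions are assumptions of the example. With `reuse_ordering=False` the allocator hands a freed block out again while the wipe is still queued, so the wipe lands on B's data (the slide-63 failure); with `reuse_ordering=True` the block leaves the journal and becomes reusable only after it has been wiped and its free status persisted, a crash in between leaves the journal entry for recovery to replay, and a buffered update to an unlinked file is never written.

```python
"""Reuse ordering, dropped buffered updates and journal replay.

Added example for the reuse-ordering and crash-handling slides; not TrueErase code.
"""
from dataclasses import dataclass, field

WIPE = b"\x00" * 4   # assumption: a secure overwrite writes one pass of zeros


@dataclass
class StoragePath:
    reuse_ordering: bool
    nblocks: int = 4
    # persistent state (survives crash())
    disk: dict = field(default_factory=dict)          # block -> content on storage
    disk_free: set = field(default_factory=set)       # free bitmap on storage
    owner: dict = field(default_factory=dict)         # block -> file (metadata)
    journal: list = field(default_factory=list)       # blocks whose secure deletion is in progress
    # volatile state (lost by crash())
    mem_free: set = field(default_factory=set)        # allocator's view of free blocks
    cache: dict = field(default_factory=dict)         # dirty buffers: block -> bytes
    pending_wipe: list = field(default_factory=list)  # wipes queued but not yet issued

    def __post_init__(self):
        self.disk = {b: b"----" for b in range(self.nblocks)}
        self.disk_free = set(range(self.nblocks))
        self.mem_free = set(self.disk_free)

    def create(self, name, data):
        blk = min(self.mem_free)          # first-fit: the lowest free block is reused first
        self.mem_free.remove(blk)
        self.owner[blk] = name
        self.cache[blk] = data            # buffered, not yet on storage
        return blk

    def flush(self):
        """Write back dirty buffers and the allocator's bitmap."""
        for blk, data in self.cache.items():
            self.disk[blk] = data
        self.cache.clear()
        self.disk_free = set(self.mem_free)

    def unlink(self, name):
        for blk in [b for b, o in self.owner.items() if o == name]:
            del self.owner[blk]
            self.cache.pop(blk, None)     # a pending update to an unreferenced block is dropped
            self.journal.append(blk)      # persistent record: "secure deletion in progress"
            self.pending_wipe.append(blk)
            if not self.reuse_ordering:
                self.mem_free.add(blk)    # legacy: reusable immediately, wipe still owed

    def run_secure_delete(self):
        """Wipe each queued block, then (and only then) persist its free status."""
        for blk in self.pending_wipe:
            self.disk[blk] = WIPE
            self.disk_free.add(blk)
            self.journal.remove(blk)
            self.mem_free.add(blk)        # reuse ordering: first moment the block may be reused
        self.pending_wipe.clear()

    def crash(self):
        self.cache.clear()
        self.pending_wipe.clear()
        self.mem_free = set(self.disk_free)

    def recover(self):
        """Replay the journal: every deletion still in progress is reissued."""
        self.pending_wipe = list(self.journal)
        self.run_secure_delete()

    def read(self, name):
        blk = next(b for b, o in self.owner.items() if o == name)
        return self.cache.get(blk, self.disk[blk])

    def blocks_holding(self, content):
        return sorted(b for b, d in self.disk.items() if d == content)


def reuse_scenario(reuse_ordering):
    """Delete sensitive file A, create B, then let A's queued wipe run."""
    fs = StoragePath(reuse_ordering)
    fs.create("A", b"AAAA")
    fs.flush()
    fs.unlink("A")
    b_blk = fs.create("B", b"BBBB")
    fs.flush()
    fs.run_secure_delete()
    return b_blk, fs.read("B"), fs.blocks_holding(b"AAAA")


def crash_scenario():
    """Crash between unlink and wipe; recovery must finish the deletion."""
    fs = StoragePath(reuse_ordering=True)
    fs.create("A", b"AAAA")
    fs.flush()
    fs.unlink("A")
    fs.crash()
    left_before = fs.blocks_holding(b"AAAA")
    reusable_before = sorted(fs.mem_free)
    fs.recover()
    return left_before, reusable_before, fs.blocks_holding(b"AAAA"), list(fs.journal)


def buffered_update_scenario():
    """Unlink before the data reached storage: the buffered write is never issued."""
    fs = StoragePath(reuse_ordering=True)
    blk = fs.create("A", b"AAAA")
    fs.unlink("A")
    fs.flush()
    return fs.disk[blk]


if __name__ == "__main__":
    print("legacy        :", reuse_scenario(False))
    print("reuse ordering:", reuse_scenario(True))
    print("crash/recover :", crash_scenario())
    print("buffered write:", buffered_update_scenario())
```

In the legacy run B is allocated block 0 and reads back the wipe pattern; with reuse ordering B gets block 1 and A's data is gone from block 0. After the crash, block 0 still holds A's data but is not in the allocator's free set, and replaying the journal wipes it and empties the journal.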
TrueErase Implementation
Linux 2.6.25
File system: ext3 with its jbd journaling layer
• Proven to adhere to the file-system-consistency properties [SIVA05]
NAND flash: SanDisk's DiskOnChip
• Lack of access to flash development environments
• Dated hardware, but the same design principle applies
Storage-management layer: Inverse NAND File Translation Layer (INFTL)
75
Implementation-level Highlights
Steps in the deletion sequence can be expressed in terms of secure write/delete of data/metadata
Exploited group-commit semantics
• Reduced the number of secure operations
Handled buffer/journal copies
Handled consolidation within and across journal transactions
76
Verification
Basic cases
• Sanity checks
• PostMark with 20% sensitive files
• Reporting of all updates
File-system-consistency-based corner cases
TAP state-space verification
77
TAP State-space Verification
State-space enumeration
• Tracked down ~10K unique reachable states, ~2.7M state transitions
• Reached depth of 16 in the state-space tree
Used two-version programming for verification
• One based on conceptual rules
• One based on the TAP kernel module
Identified 4 incorrect rules and 3 bugs
78
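State-space enumeration of the kind this slide describes, reduced to one block of a sensitive file so it fits on a page. This is an added example, not TAP or TrueErase code: the five-field state, the event set (unlink, wipe, persisting the free status, reallocation to B, B's write, crash), the two policies and the two invariants are assumptions of the example. A breadth-first search visits every reachable state under each policy and reports two kinds of violation: a wipe issued against a block B now owns, and A's data left on storage with no wipe owed.

```python
"""Exhaustive check of the reuse-ordering rule on a one-block model.

Added example in the spirit of the TAP state-space verification slide; not TAP code.
"""
from collections import deque

# state = (owner, disk, mem_free, disk_free, pending)
#   owner:     'A' | None | 'B'   file holding the block (treated as persistent metadata)
#   disk:      'A' | '0' | 'B'    content on storage ('0' = wiped)
#   mem_free:  allocator believes the block is free (volatile)
#   disk_free: the free bitmap on storage says free (persistent)
#   pending:   a wipe is still owed; legacy keeps this in memory, reuse ordering journals it
INIT = ("A", "A", False, False, False)


def successors(state, reuse_ordering):
    owner, disk, mem_free, disk_free, pending = state
    out = []
    if owner == "A":   # legacy frees the block in memory at unlink time
        out.append(("unlink_A", (None, disk, not reuse_ordering, disk_free, True)))
    if pending:
        if reuse_ordering:   # wipe, persist the free status, only then allow reuse
            out.append(("wipe", (owner, "0", True, True, False)))
        else:
            out.append(("wipe", (owner, "0", mem_free, disk_free, False)))
    if not reuse_ordering and mem_free and not disk_free:
        out.append(("persist_free", (owner, disk, True, True, pending)))
    if owner is None and mem_free:
        out.append(("alloc_B", ("B", disk, False, False, pending)))
    if owner == "B" and disk != "B":
        out.append(("write_B", ("B", "B", mem_free, disk_free, pending)))
    # crash: volatile state is lost; a journaled pending wipe survives, a legacy one does not
    out.append(("crash", (owner, disk, disk_free, disk_free, pending and reuse_ordering)))
    return out


def explore(reuse_ordering):
    """BFS over reachable states; returns (state count, [(violation kind, event trace)])."""
    seen = {INIT: ()}
    queue = deque([INIT])
    violations = []
    while queue:
        state = queue.popleft()
        trace = seen[state]
        owner, disk, _, _, pending = state
        if owner != "A" and disk == "A" and not pending:
            violations.append(("sensitive_data_left", trace))
        for event, nxt in successors(state, reuse_ordering):
            if event == "wipe" and owner == "B":
                violations.append(("wiped_live_block", trace + (event,)))
            if nxt not in seen:
                seen[nxt] = trace + (event,)
                queue.append(nxt)
    return len(seen), violations


if __name__ == "__main__":
    for policy in (False, True):
        n, bad = explore(policy)
        print(f"reuse_ordering={policy}: {n} states, {len(bad)} violations")
        for kind, trace in bad:
            print("  ", kind, "<-", " ".join(trace) or "(initial)")
```

Under reuse ordering only five states are reachable and neither invariant fails. The legacy policy reaches thirteen states and produces both kinds of violation, for example `unlink_A alloc_B wipe` (B's live block wiped) and `unlink_A crash` (A's data left with nothing queued to remove it), which is the case the crash-handling slide's journal replay closes.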
Empirical Evaluation
Workloads
PostMark
• Modified with up to 10% of sensitive files
• Sensitive files can be chosen randomly
• Each file operation takes < 0.17 seconds
• Good enough for interactive use
OpenSSH make + sync, with 27% of newly created files marked sensitive
• Overhead within a factor of two
79
Related Work
TRIM command
FADED
Type-safe disk
Modified YAFFS with secure-deletion support
TrueErase
• Legacy-compatible, persistent-state-light, centralized info-propagation channel
80
Lessons Learned
Retrofitting security features is more complex than we thought
The general lack of raw flash access and development environments
• Vendors try to hide complexities
• File-system consistency and secure deletion rely on exposed controls/details for data layout/removal
81
Lessons Learned
A holistic solution would not be possible without expertise across layers and research fields
Highlights the importance of knowledge integration
82
Conclusion
We have presented the design, implementation, evaluation, and verification of TrueErase
• Legacy-compatible, per-file, secure-deletion framework
A secure-deletion solution that can withstand diverse threats remains elusive
• TrueErase is a promising step toward this goal
83
Acknowledgements
National Science Foundation
Department of Education
Philanthropic Educational Organization
Florida State University Research Foundation
84
Questions?
Google keyword: TrueErase
Thank you for your attention!
85