Study: Nearly Impossible to Delete Data on SSDs

During the FAST-11 Conference in San Jose last week, researchers from the University of California at San Diego presented a paper revealing that it's nearly impossible to erase data from a solid state drive. Called "Reliably Erasing Data from Flash-Based Solid State Drives (pdf)," the study essentially blamed the Flash Translation Layer firmware interface for the way it manages data on the NAND chips, and the unpredictable nature of those very same NAND chips.

As the paper states, flash media is divided into pages and blocks. Program operations apply to pages and can only change ones (1s) to zeros (0s). Erase operations apply to blocks and set all the bits in a block to 1. Unlike physical hard drives, this makes it impossible to perform an in-place update. Thus, the FTL will write new data in a completely different area of the SSD and erase the old "left over" data (or digital remnants) whenever the disk is not in use. The problem is that it takes a long time to physically erase the data.

"Since in-place updates are not possible in SSDs, the overwrite-based erasure techniques that work well for hard drives may not work properly for SSDs," the paper reads. "Those techniques assume that overwriting a portion of the logical block address (LBA) space results in overwriting the same physical media that stored the original data. Overwriting data on an SSD results in logical sanitization (i.e., the data is not retrievable via the SATA or SCSI interface) but not digital sanitization."

The researchers tested twelve SSDs by using the built-in "Erase Unit" command. After completion, four were found to be completely void of physical data. One drive reported to be entirely clean, yet the researchers were able to access all of its "erased" data. Overwriting entire SSDs proved more successful in a separate test, with one out of eight drives showing 100-percent data deletion. Two were completely cleaned after two passes, and one still contained 1-percent of the old data after 20 passes. The other four took more than 58 hours to overwrite the data just once.

The researchers also discovered that erasing a single file proved to be just as flawed. "All single-file overwrite sanitization protocols failed: between 4 and 75-percent of the files’ contents remained on the SATA SSDs," the paper reads. "USB drives performed no better: between 0.57 and 84.9-percent of the data remained." Overwriting the free space and defragmenting the drive to "encourage" the FTL to reuse more physical storage locations proved to be ineffective.

The researchers concluded the paper by saying built-in sanitize commands are effective when implemented correctly. Software techniques to clean the entire SSD work most of the time, but are not effective when deleting individual files. The researchers have submitted three "simple" extensions to an existing FTL that should make SSDs completely erasable in the future.

To learn more about the researchers' findings, read the PDF document here.

This thread is closed for comments
    Your comment
  • K3vBot6000
    I love when researchers catch this things. I'm glad to know someone is looking for every possible feature and flaw for the devices we use.
  • joytech22
    They should keep SSD's like this, that way if somebody does something dodgy like child *ehem, can't say that word here* then the authorities can take care of them the old fashioned way.

    I currently use a SSD and this news doesn't concern me at all.
  • alidan
    how about just getting total drive encryption instead.