Study: Nearly Impossible to Delete Data on SSDs

During the FAST-11 Conference in San Jose last week, researchers from the University of California at San Diego presented a paper revealing that it's nearly impossible to erase data from a solid state drive. Called "Reliably Erasing Data from Flash-Based Solid State Drives (pdf)," the study essentially blamed the Flash Translation Layer firmware interface for the way it manages data on the NAND chips, and the unpredictable nature of those very same NAND chips.

As the paper states, flash media is divided into pages and blocks. Program operations apply to pages and can only change ones (1s) to zeros (0s). Erase operations apply to blocks and set all the bits in a block to 1. Unlike physical hard drives, this makes it impossible to perform an in-place update. Thus, the FTL will write new data in a completely different area of the SSD and erase the old "left over" data (or digital remnants) whenever the disk is not in use. The problem is that it takes a long time to physically erase the data.

"Since in-place updates are not possible in SSDs, the overwrite-based erasure techniques that work well for hard drives may not work properly for SSDs," the paper reads. "Those techniques assume that overwriting a portion of the logical block address (LBA) space results in overwriting the same physical media that stored the original data. Overwriting data on an SSD results in logical sanitization (i.e., the data is not retrievable via the SATA or SCSI interface) but not digital sanitization."

The researchers tested twelve SSDs by using the built-in "Erase Unit" command. After completion, four were found to be completely void of physical data. One drive reported to be entirely clean, yet the researchers were able to access all of its "erased" data. Overwriting entire SSDs proved more successful in a separate test, with one out of eight drives showing 100-percent data deletion. Two were completely cleaned after two passes, and one still contained 1-percent of the old data after 20 passes. The other four took more than 58 hours to overwrite the data just once.

The researchers also discovered that erasing a single file proved to be just as flawed. "All single-file overwrite sanitization protocols failed: between 4 and 75-percent of the files’ contents remained on the SATA SSDs," the paper reads. "USB drives performed no better: between 0.57 and 84.9-percent of the data remained." Overwriting the free space and defragmenting the drive to "encourage" the FTL to reuse more physical storage locations proved to be ineffective.

The researchers concluded the paper by saying built-in sanitize commands are effective when implemented correctly. Software techniques to clean the entire SSD work most of the time, but are not effective when deleting individual files. The researchers have submitted three "simple" extensions to an existing FTL that should make SSDs completely erasable in the future.

To learn more about the researchers' findings, read the PDF document here.

  • K3vBot6000
    I love when researchers catch this things. I'm glad to know someone is looking for every possible feature and flaw for the devices we use.
    Reply
  • joytech22
    They should keep SSD's like this, that way if somebody does something dodgy like child *ehem, can't say that word here* then the authorities can take care of them the old fashioned way.

    I currently use a SSD and this news doesn't concern me at all.
    Reply
  • alidan
    how about just getting total drive encryption instead.
    Reply
  • _Cubase_
    The solution is in your logo... Tom's.
    Reply
  • icepick314
    _Cubase_The solution is in your logo... Tom's.
    after that, 4 seconds in a microwave should render ALL the remaining bits useless....
    Reply
  • fonzy
    This will stop people from buying used ones then.
    Reply
  • alidan
    joytech22They should keep SSD's like this, that way if somebody does something dodgy like child *ehem, can't say that word here* then the authorities can take care of them the old fashioned way.I currently use a SSD and this news doesn't concern me at all.
    i would just like to point this out. old child *ehem is bad, no question about that, 99%+ of the time, because the children were R'ed.

    however new applications of child *ehem laws make an 8 year old who gets their hands on a digital camera and takes a picture of themselves, it labels them a child *ehemographer

    now how does this apply to you?

    lets say that a someone between 15-17 takes a nude of themselves, and this is common, that is considered child *ehem, now lets say that you honestly cant tell, and unless you are a doctor who knows what they are looking for in bone structure, you probably honestly cant tell. would you want to go to jail for child *ehem because some almost adult took a nude of themselves and you cant tell? this happens FAR more often than you may realism, not the jail part, but profecionals getting tricked by underage. i believe its a 1985 issue of a famous magazine with the bunny, had a 15 year old as their centerfold, if not more.

    can you really say that all the *ehem on your computer is 100% all over 18? i can hope all of mine is, but if i ever know without a shadow of a doubt that it isnt, i want to make damn sure the picture is gone and is never coming back.
    Reply
  • jprahman
    If you really want to erase all the data on your SSD (or HDD for that matter) so no one can get to it there's a simple tool to do so.... a hammer.
    Reply
  • thrillhaus
    DBAN
    http://www.dban.org/

    Done.
    Reply
  • kilo_17
    jprahmanIf you really want to erase all the data on your SSD (or HDD for that matter) so no one can get to it there's a simple tool to do so.... a hammer.
    Lol right!
    Reply