Forensic Issues and Techniques to Improve Security in SSD with Flex Capacity Feature

TL;DR

This paper investigates attack models targeting the hidden over-provisioning area in SSDs with flexible capacity, proposing forensic techniques and security enhancements to detect and counter malicious activities exploiting this feature.

Contribution

It introduces new forensic processes and security measures specifically designed for variable over-provisioning in SSDs, addressing previously overlooked attack vectors.

Findings

Identification of attack models exploiting over-provisioning

Development of forensic methods for different memory cell types

Proposed security enhancements to prevent data hiding and malware in SSDs

Abstract

Over-provisioning technology is typically introduced as a means to improve the performance of storage systems, such as databases. The over-provisioning area is both hidden and difficult for normal users to access. This paper focuses on attack models for such hidden areas. Malicious hackers use advanced over-provisioning techniques that vary capacity according to workload, and as such, our focus is on attack models that use variable over-provisioning technology. According to these attack models, it is possible to scan for invalid blocks containing original data or malware code that is hidden in the over-provisioning area. In this paper, we outline the different forensic processes performed for each memory cell type of the over-provisioning area and disclose security enhancement techniques that increase immunity to these attack models. This leads to a discussion of forensic possibilities and countermeasures for SSDs that can change the over-provisioning area. We also present information-hiding attacks and information-exposing attacks on the invalidation area of the SSD. Our research provides a good foundation upon which the performance and security of SSD-based databases can be further improved.