Secure Deletion

Secure Data Deletion from Persistend Media

We present a general approach to the design and analysis of secure deletion for persistent storage that relies on encryption and key wrapping. We define a key disclosure graph that models the adversarial knowledge of the history of key generation and wrapping. We introduce a generic update function and prove that it achieves secure deletion of data against a coercive attacker; instances of the update function implement the update behaviour of all arborescent data structures including B-Trees, extendible hash tables, linked lists, and others.

We implement a B-Tree instance of our solution. Our implementation is at the block-device layer, allowing any block-based file system to be used on top of it. Using different workloads, we find that the storage and communication overhead required for storing and retrieving B-Tree nodes is small and that this therefore constitutes a viable solution for many applications requiring secure deletion from persistent media.

Related publications:
Joel Reardon and Hubert Ritzdorf and David Basin and Srdjan Capkun
Secure Data Deletion from Persistent Media
Proceedings of the ACM Conference on Computer and Communications Security,
[DownloadPDF (PDF, 246 KB)vertical_align_bottom | Downloadslides (PDF, 276 KB)vertical_align_bottom]

Systematization of Knowledge: Secure Data Deletion

Secure data deletion is the task of deleting data irrecoverably from a physical medium. In the digital world, data is not securely deleted by default; instead, many approaches add secure deletion to existing physical medium interfaces. Interfaces to the physical medium exist at different layers, such as user-level applications, the file system, the device driver, etc. Depending on which interface is used, the properties of an approach can differ significantly.

We present the many dimensions of secure deletion, consolidating existing notions. We provide a common language to describe secure deletion that unifies the diverse efforts of many researchers and we survey and systematize the related work in detail. We present the approaches in terms of interfaces to physical media: what can be done to achieve secure deletion given a particular interface through which to achieve it? We present a taxonomy of adversaries with different capabilities - adversaries with different manners of access to the storage medium. We explain the relationships among adversaries such that an approach that defeats an adversary also defeats weaker ones; we perform a similar task for characteristics of secure deletion approaches, such as efficiency and granularity. We perform experiments to test a selection of approaches used in practice on a variety of file systems, examining corner cases such as block-unaligned truncations and sparse files. Finally, we analyze which approaches work and what are the best ways to develop a secure deletion solution.

Related publications:
Joel Reardon and David Basin and Srdjan Capkun
On Secure Data Deletion
IEEE Security & Privacy Magazine, May 2014
[DownloadPDF (PDF, 750 KB)vertical_align_bottom | external pageofficial versioncall_made]

Joel Reardon, David Basin, Srdjan Capkun
SoK: Secure Data Deletion
IEEE Symposium on Security and Privacy, San Francisco, California, 2013
[DownloadPDF (PDF, 163 KB)vertical_align_bottom | Downloadslides (PDF, 222 KB)vertical_align_bottom]

Efficient Secure Deletion on Flash Memory

Secure deletion on flash memory (ubiquitously used in portable devices) is not the straightforwards solution of overwriting data becuase flash memory prohibits in-place updates. Erasure of data happens at a much larger granularity (the erase block) and each erasure incurs some physical wear on the memory.

We present the Data Node Encrypted File System (DNEFS), which securely and efficiently deletes data on flash memory; it requires only a few additional erasures that are evenly distributed over the erase blocks. DNEFS encrypts each individual data node (i.e., the unit of read/write for the file system) with a different key, and then manages the storage, use, and purging of these keys in an efficient and transparent way for both users and applications. Data nodes are encrypted before being written to the storage medium and decrypted after being read, thus DNEFS's use of encryption is no different than any encoding applied by the storage medium (e.g. error correcting codes).

The keys are stored in a reserved area of the file system called the key storage area. Each flash erase block in the key storage area is periodically purged - a new version of the erase block is written where keys corresponding to deleted data nodes are replaced with fresh random data; the old version is deleted, which ensures that data nodes encrypted by these keys are now irrecoverable.

We design and implement an instance of our solution for the file system UBIFS and call our modification UBIFSec. UBIFSec provides a guaranteed upper bound on deletion latency, fine-grained deletion for truncated or overwritten files, runs efficiently and produces little wear on the flash memory. Our implementation is easy to integrate into UBIFS's existing Linux implementation, and requires no changes to the applications using UBIFS.

Related publications:
Joel Reardon, Srdjan Capkun, David Basin
Data Node Encrypted File System: Efficient Secure Deletion for Flash Memory
USENIX Security Symposium, Bellevue, Washington 2012 [DownloadPDF (PDF, 404 KB)vertical_align_bottom]

UBIFSec Implementation:
Downloadkernel 3.2.1 patch (PATCH, 80 KB) (PATCH, 80 KB)vertical_align_bottom | Downloadubifsec design doc (TXT, 18 KB)vertical_align_bottom]