Korean researchers have developed a set of attacks against some solid-state drives (SSDs) that could allow malware to be planted in a location beyond the reach of the user and of security solutions.
For SSDs with flex capacity features, the attack models target a hidden area called over-provisioning, which NAND flash manufacturers now commonly use to optimize performance.
Attacks at the hardware level are persistent and stealthy. Advanced attackers have used such techniques in the past to hide malicious code in inaccessible sectors of HDDs.
Flex capacity: how it works
Solid-state drives (SSDs) are the latest generation of computer storage devices. They use flash memory, which is significantly faster than a mechanical hard drive.
Micron Technology’s Flex Capacity technology allows storage devices to automatically modify the sizes of raw and user-allocated space to improve performance by absorbing write workload volumes.
Over-provisioning sets aside a buffer of raw capacity that is adjusted in real time and typically takes up to 25% of the total disk capacity.
The SSD's management firmware automatically adjusts this space according to the workload as the user launches different applications.
Attack models
According to a study from Korea University in Seoul, one attack targets an invalid data area that lies between the usable SSD space and the over-provisioning (OP) area, and whose size depends on both.
Using the firmware manager, a hacker can adjust the size of the OP region, creating exploitable invalid data space, according to the research paper.
Unlike HDD manufacturers, many SSD manufacturers do not erase the invalid data area, in order to save resources. Data is kept in this space for considerable periods on the assumption that removing the mapping table entry that links the logical address to the physical page will prevent unauthorized access to it.
A threat actor could exploit this to access potentially sensitive information.
In their study, the researchers found that forensic analysis of NAND flash memory could reveal data that had not been erased for more than six months.
In another attack model, a threat actor hides malware in a secret location that cannot be monitored or wiped.
This attack is described as follows:
To simplify the description, two storage devices, SSD1 and SSD2, are assumed to be connected to a channel. The OP area of each storage device is 50%. In addition to storing malware code in SSD2, the hacker immediately reduces SSD1's OP area to 25% and expands SSD2's OP area to 75%.
At this point, the virus code is stored in SSD2's secret section. By resizing the OP region, a hacker who gains access to the SSD can activate the embedded malware code at any moment.
Because normal users still see 100 percent user area on the channel, such malicious hacking behavior will be difficult to identify.
The obvious benefit of such an attack is its stealth. Malicious code in OP areas is difficult to detect, not simply because detection takes time, but because it requires highly specialized forensic techniques.
Countermeasures
As a defense against the first type of attack, the researchers propose that SSD manufacturers wipe the OP area with a pseudo-erase method that does not affect real-time performance.
Against the second type of attack, monitoring systems that track the ratio of valid to invalid data inside the SSD in real time could be an effective security measure against injecting malware into the OP area.
If the invalid data ratio suddenly grows significantly, the user could receive a warning and the option of a verifiable data-wiping function for the OP space. Finally, there should be strong protection against unauthorized access to the SSD management app.
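To make the two attack models and the proposed countermeasures concrete, here is an added toy flash translation layer in Python. It is not code from the Korea University paper, from Micron, or from any SSD firmware; the page geometry, the 25% default OP share, the 0.2 alert threshold and all class and function names are assumptions chosen for illustration. It shows (1) that a host-level delete only drops the logical-to-physical mapping, so a raw page scan still finds the bytes; (2) that growing the OP area moves already-written pages out of the host-addressable range while leaving them on the chip; and (3) the two countermeasures described above: a pseudo-erase of invalid pages and a monitor that flags a sudden jump in the invalid-data ratio.

```python
"""Toy FTL model (added example, not vendor code): mapping removal vs. real erasure."""
from dataclasses import dataclass, field

PAGE_SIZE = 16                        # assumption: tiny pages keep the demo readable
ERASED = b"\xff" * PAGE_SIZE          # erased NAND reads back as all ones


@dataclass
class ToySSD:
    """Minimal flash translation layer: logical block address -> physical page."""
    total_pages: int
    op_percent: int = 25              # assumption: share of raw capacity held back as OP
    pages: list = field(init=False)
    free: set = field(init=False)
    l2p: dict = field(default_factory=dict)    # LBA -> physical page address (PPA)
    invalid: set = field(default_factory=set)  # PPAs that are unmapped but not erased

    def __post_init__(self):
        self.pages = [ERASED] * self.total_pages
        self.free = set(range(self.total_pages))

    @property
    def user_pages(self) -> int:
        """Logical capacity exposed to the host; the remainder is the OP area."""
        return self.total_pages * (100 - self.op_percent) // 100

    def write(self, lba: int, data: bytes) -> None:
        if not 0 <= lba < self.user_pages:
            raise ValueError(f"LBA {lba} outside user area of {self.user_pages} pages")
        if not self.free:
            raise RuntimeError("no free pages; garbage collection needed")
        if lba in self.l2p:               # overwrite: old copy is only marked invalid
            self.invalid.add(self.l2p.pop(lba))
        ppa = min(self.free)
        self.free.remove(ppa)
        self.pages[ppa] = data.ljust(PAGE_SIZE, b"\x00")[:PAGE_SIZE]
        self.l2p[lba] = ppa

    def delete(self, lba: int) -> None:
        """Host-level delete drops the mapping only; the page keeps its bytes."""
        self.invalid.add(self.l2p.pop(lba))

    def read(self, lba: int):
        """What the host sees: None once the mapping is gone."""
        ppa = self.l2p.get(lba)
        return None if ppa is None else self.pages[ppa]

    def raw_scan(self, needle: bytes) -> list:
        """Chip-off style scan of every physical page, ignoring the mapping table."""
        return [ppa for ppa, page in enumerate(self.pages) if needle in page]

    def invalid_ratio(self) -> float:
        return len(self.invalid) / self.total_pages

    def pseudo_erase(self) -> int:
        """Countermeasure 1: wipe invalid pages and return them to the free pool."""
        wiped = len(self.invalid)
        for ppa in self.invalid:
            self.pages[ppa] = ERASED
        self.free |= self.invalid
        self.invalid.clear()
        return wiped

    def resize_op(self, op_percent: int) -> None:
        """The OP-resizing step of the second attack: shrink the host-visible area."""
        self.op_percent = op_percent
        # LBAs now beyond the user area are no longer host-addressable, but their
        # bytes stay on the chip and remain visible to raw_scan().
        for lba in [l for l in self.l2p if l >= self.user_pages]:
            self.invalid.add(self.l2p.pop(lba))


class InvalidRatioMonitor:
    """Countermeasure 2: flag a sudden jump in the invalid-data ratio."""
    def __init__(self, jump_threshold: float = 0.2):   # assumption: 20-point jump
        self.jump_threshold = jump_threshold
        self.last = None

    def observe(self, ratio: float) -> bool:
        alert = self.last is not None and ratio - self.last > self.jump_threshold
        self.last = ratio
        return alert


def demo() -> dict:
    """Constructed scenario: one deleted secret, then a payload hidden by growing OP."""
    ssd = ToySSD(total_pages=20)              # 15 user pages, 5 OP pages
    mon = InvalidRatioMonitor()
    ssd.write(3, b"SECRET-KEY-0001")
    mon.observe(ssd.invalid_ratio())
    ssd.delete(3)                             # host believes the key is gone
    host_view = ssd.read(3)                   # None
    forensic_hits = ssd.raw_scan(b"SECRET")   # still on the chip: [0]
    for lba in range(10, 15):                 # attacker stages a payload in user area
        ssd.write(lba, b"PAYLOAD-%02d" % lba)
    mon.observe(ssd.invalid_ratio())
    ssd.resize_op(75)                         # user area shrinks to 5 pages
    alert = mon.observe(ssd.invalid_ratio())  # ratio jumps from 1/20 to 6/20
    hidden = len(ssd.raw_scan(b"PAYLOAD"))    # payload pages still readable raw
    wiped = ssd.pseudo_erase()
    after = len(ssd.raw_scan(b"PAYLOAD") + ssd.raw_scan(b"SECRET"))
    return dict(host_view=host_view, forensic_hits=forensic_hits, alert=alert,
                hidden=hidden, wiped=wiped, after=after)


if __name__ == "__main__":
    print(demo())
```

The model deliberately ignores erase-block granularity, wear levelling and garbage collection; real firmware decides when invalid pages are reclaimed, which is exactly the gap the paper's six-month retention finding exploits. The monitor is a simple delta check; a production version would need a baseline that distinguishes a legitimate bulk delete from an OP resize.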
“Even if you’re not a malevolent hacker, a misinformed employee can simply liberate secret information and expose it at any time by using the OP area variable firmware/software,” the researchers write.
Bleeping Computer has contacted Micron for comment on the above, and we will update this story when we hear back.
While the research shows that the OP area on Micron SSDs