Korean researchers have developed a set of attacks against some solid-state drives (SSDs) that could allow malware to be planted in a location beyond the reach of both the user and security software.
The attack models are designed for drives with flex capacity features and target a hidden area of the device known as over-provisioning, which SSD manufacturers now use extensively to improve the performance of NAND flash-based storage.
Attacks at the hardware level are the most persistent and stealthy. In the past, sophisticated actors went to great lengths to apply similar concepts to HDDs, hiding malicious code in drive sectors the operating system cannot reach.
The first attack
- The first attack uses non-erased information in an invalid data area located between the over-provisioning (OP) area and the usable SSD space; the size of that area depends on the sizes of the two.
- Using the firmware manager, an attacker can change the size of the OP area to create an exploitable invalid data space.
- The problem is that, to save resources, most SSD manufacturers do not wipe the invalid data area, assuming that severing its link in the mapping table is enough to prevent unauthorized access.
- As a result, an attacker could exploit this flaw to gain access to sensitive data. Furthermore, data that has not been erased for six months can still be revealed from the NAND flash memory.
The second attack scenario
- In the second type of attack, the OP area is used as a covert location to hide malware, where the user cannot erase or monitor it.
- Two storage devices, SSD1 and SSD2, are assumed to be connected to one channel.
- Both SSDs start with a 50 percent OP area, so once an attacker places the malware code in SSD2, they can quickly reduce SSD1's OP area to 25% while increasing SSD2's OP area to 75%.
- The malicious code now sits in a hidden area of SSD2 that can be accessed at any time by resizing the OP area. Furthermore, because the host still sees 100% of the user area on the channel, the hidden code is more difficult to identify.
The paper describes this attack as follows:
To simplify the discussion, two storage devices, SSD1 and SSD2, are assumed to be connected to a channel. The OP area of each storage device is 50%. After storing the virus code in SSD2, the hacker quickly reduces the OP area of SSD1 to 25% and increases the OP area of SSD2 to 75%.
At the moment, the virus code is stored in SSD2’s secret section. By resizing the OP region, a hacker who gains access to the SSD can activate the embedded malware code at any moment. Because normal users have 100 percent user area on the channel, such malicious hacking behaviour will be difficult to identify.
How does flex capacity work?
Micron Technology's Flex Capacity technology allows storage devices to automatically adjust the sizes of the raw and user-allocated space, absorbing write workloads to improve performance.
Over-provisioning is a dynamic mechanism that creates and resizes a buffer of space that normally takes between 7% and 25% of the total disk capacity.
The operating system and any applications running on it, including security solutions and anti-virus tools, are unaware of the over-provisioning area.
The SSD manager dynamically adjusts this space to match the workload as the user opens different applications, depending on how write-intensive or read-intensive they are.
In short, flex capacity lets the drive automatically alter the split between raw and user-allocated space to handle write workloads more efficiently.
Countermeasures
To protect against the first attack, SSD makers should clean the OP area using a pseudo-erase algorithm that does not compromise performance.
The recommended countermeasure for the second attack is to implement valid-invalid data ratio monitoring that tracks the ratio inside the SSD in real time.
Such a monitor can alert the user if the invalid data ratio rises unexpectedly, and it can erase data in the OP area in a verifiable manner.
The researchers propose that SSD manufacturers wipe the OP area with a pseudo-erase method that has no effect on real-time performance as a defence against the first type of attack.
Implementing valid-invalid data ratio monitoring that tracks the ratio inside the SSD in real time could be an effective security measure against malware injection into the OP area in the second type of attack.
If the invalid data ratio suddenly grows significantly, the user may receive a warning and the option of a verifiable data-wiping function for the OP space.
Finally, there should be strong protections against unauthorized access to the SSD management application.
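As an added illustration (not code from the paper or from any SSD vendor), the following toy model shows the two countermeasures above in Python: why unmapping a page without erasing it leaves the orphaned data readable at the physical level until a pseudo-erase scrubs it and the wipe is verified, and how a simple invalid-data-ratio monitor flags a sudden OP resize such as the 50% to 75% jump on SSD2 in the second scenario. The page counts, the 10% alert threshold, and the ToySSD and InvalidRatioMonitor classes are constructed assumptions, not real firmware or a vendor's monitoring logic.

```python
from dataclasses import dataclass, field

PAGE_SIZE = 16                  # bytes per page in this toy model (constructed)
ERASED = b"\xff" * PAGE_SIZE    # erased NAND pages read back as all ones


@dataclass
class ToySSD:
    """Flat model of a drive: total_pages physical pages, a logical-to-physical
    mapping table, and an OP share that decides how many logical pages the
    host is allowed to use. Hypothetical model, not a vendor's firmware."""
    total_pages: int
    op_percent: int
    pages: list = field(init=False)
    mapping: dict = field(default_factory=dict)

    def __post_init__(self):
        self.pages = [ERASED] * self.total_pages

    @property
    def user_pages(self) -> int:
        return self.total_pages * (100 - self.op_percent) // 100

    def write(self, logical: int, data: bytes) -> None:
        if not 0 <= logical < self.user_pages:
            raise ValueError("logical page outside user area")
        if ERASED not in self.pages:
            raise RuntimeError("no erased page free (toy model has no GC)")
        phys = self.pages.index(ERASED)          # first erased physical page
        self.pages[phys] = data.ljust(PAGE_SIZE, b"\x00")
        self.mapping[logical] = phys             # any old copy stays as invalid data

    def raw_read(self, phys: int) -> bytes:
        """Direct physical read: what firmware-level access sees."""
        return self.pages[phys]

    def invalid_pages(self) -> list:
        live = set(self.mapping.values())
        return [i for i, p in enumerate(self.pages) if p != ERASED and i not in live]

    def invalid_ratio(self) -> float:
        return len(self.invalid_pages()) / self.total_pages

    def resize_op(self, new_percent: int, pseudo_erase: bool = False) -> None:
        """Change the OP share. Logical pages pushed out of the user area only
        lose their mapping entry (what the text says most vendors do) unless
        pseudo_erase, the recommended countermeasure, scrubs them as well."""
        self.op_percent = new_percent
        for lp in [lp for lp in self.mapping if lp >= self.user_pages]:
            del self.mapping[lp]
        if pseudo_erase:
            self.pseudo_erase()

    def pseudo_erase(self) -> None:
        for phys in self.invalid_pages():
            self.pages[phys] = ERASED

    def verify_erased(self) -> bool:
        """Verifiable wipe: true only if no unmapped page still holds data."""
        return not self.invalid_pages()


class InvalidRatioMonitor:
    """Raises an alert when the invalid-data share jumps by more than `jump`
    between two samples. The 10% default is a constructed threshold."""

    def __init__(self, jump: float = 0.10):
        self.jump = jump
        self.last = None

    def sample(self, ssd: ToySSD) -> bool:
        ratio = ssd.invalid_ratio()
        alert = self.last is not None and ratio - self.last > self.jump
        self.last = ratio
        return alert


def demo_first_attack(scrub: bool) -> tuple:
    """Shrink the user area and check whether the orphaned page is still readable.
    Returns (secret_still_readable, wipe_verified)."""
    ssd = ToySSD(total_pages=20, op_percent=25)     # 15 user pages
    ssd.write(14, b"secret")                         # lands in physical page 0
    phys = ssd.mapping[14]
    ssd.resize_op(50, pseudo_erase=scrub)            # user area now 10 pages; page 14 orphaned
    return ssd.raw_read(phys).startswith(b"secret"), ssd.verify_erased()


def demo_second_attack_monitor() -> list:
    """Mirror the 50% -> 75% OP jump on SSD2 and record the monitor's verdicts."""
    ssd = ToySSD(total_pages=20, op_percent=50)     # 10 user pages
    for i in range(10):
        ssd.write(i, b"user data %d" % i)
    mon = InvalidRatioMonitor()
    verdicts = [mon.sample(ssd)]                     # baseline: 0% invalid
    ssd.resize_op(75)                                # 5 logical pages orphaned -> 25% invalid
    verdicts.append(mon.sample(ssd))
    return verdicts


if __name__ == "__main__":
    print("no scrub :", demo_first_attack(scrub=False))   # (True, False)
    print("scrub    :", demo_first_attack(scrub=True))    # (False, True)
    print("monitor  :", demo_second_attack_monitor())     # [False, True]
```

The first demo returns (True, False) without scrubbing, meaning the orphaned page still reads back its contents and the wipe cannot be verified, and (False, True) once resize_op performs the pseudo-erase. The second demo returns [False, True]: the baseline sample is quiet, and the OP expansion that orphans a quarter of the drive trips the ratio monitor.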
“Even if you’re not a malevolent hacker, a misinformed employee can simply liberate secret information and expose it at any time by using the OP area variable firmware/software,” the researchers write.
While the research shows that the OP area on Micron SSDs can be exploited to house malware, such attacks are unlikely to occur in the wild at this time.