* Security enhancement for UBIFS with secure erase feature
@ 2011-09-08 14:35 Stelling Carsten
  2011-09-11 13:22 ` Artem Bityutskiy
  0 siblings, 1 reply; 7+ messages in thread
From: Stelling Carsten @ 2011-09-08 14:35 UTC (permalink / raw)
  To: linux-mtd

> Are there any plans for such a security enhancement in UBIFS?

Hello Atlant,

You're right. Writing zeroes is not applicable to all kinds of flash technology.

Are there any plans to support privacy in UBIFS?

In my opinion privacy should be guaranteed by the file system, so that any
application can rely on its security features.

There are other solutions, e.g. encrypting the content of each file with a unique
key stored in the metadata area of that particular file, although this solution
also needs to securely erase the key associated with the deleted file.
I see that this might be a real dilemma.

Are there any suggestions?

Regards,

Carsten


* Re: Security enhancement for UBIFS with secure erase feature
  2011-09-08 14:35 Security enhancement for UBIFS with secure erase feature Stelling Carsten
@ 2011-09-11 13:22 ` Artem Bityutskiy
  2011-10-27  9:33   ` Joel Reardon
  0 siblings, 1 reply; 7+ messages in thread
From: Artem Bityutskiy @ 2011-09-11 13:22 UTC (permalink / raw)
  To: Stelling Carsten; +Cc: linux-mtd

On Thu, 2011-09-08 at 16:35 +0200, Stelling Carsten wrote:
> > Are there any plans for such a security enhancement in UBIFS?
> 
> Hello Atlant,
> 
> You're right. Writing zeroes is not applicable to all kinds of flash technology.
> 
> Are there any plans to support privacy in UBIFS?
> 
> In my opinion privacy should be guaranteed by the file system, so that any
> application can rely on its security features.
> 
> There are other solutions, e.g. encrypting the content of each file with a unique
> key stored in the metadata area of that particular file, although this solution
> also needs to securely erase the key associated with the deleted file.
> I see that this might be a real dilemma.
> 
> Are there any suggestions?

Well, it is possible to implement secure erase, but it will be very slow:
you'll need to garbage-collect all eraseblocks which contain the old
file, including all the obsolete portions of that file which might still
be on the flash media.

So basically, to securely delete a file, you'd need to scan the whole flash to
find all its old (obsolete) fragments.

As for plans: no, there are no plans, UBIFS does not enjoy a lot of
developers. You are welcome to send patches, though!

-- 
Best Regards,
Artem Bityutskiy


* Re: Security enhancement for UBIFS with secure erase feature
  2011-09-11 13:22 ` Artem Bityutskiy
@ 2011-10-27  9:33   ` Joel Reardon
  2011-10-30 12:51     ` Artem Bityutskiy
  0 siblings, 1 reply; 7+ messages in thread
From: Joel Reardon @ 2011-10-27  9:33 UTC (permalink / raw)
  To: linux-mtd

Greetings all:

So coincidentally I've been working on a secure deletion patch for UBIFS. (I'm a
grad student researching secure deletion here in Zurich.) I'm mostly finished
implementing it and the results are really good. It works by encrypting each
data node individually with a different key, storing the keys in a (logically)
fixed area, and then periodically atomically updating the key blocks to purge
the old unwanted keys. A small number of eraseblock erasures are needed to purge
all deleted data, and since each data node is individually encrypted, there's no
overhead added in terms of seeking / random access, and truncations and
overwrites are also securely deleted. The keys are written ahead of time, and
assigned out as they are needed.

The implementation is well separated from the rest of UBIFS; it uses the
compress/decompress functions to handle cryptographic operations. The state of
keys (unused, used, deleted) is managed by the tree node cache: when adding a
node, the key is used; when removing it, it is deleted; the replay
mechanism thus also performs key management with the same code. It's a handful
of changes to UBIFS and a new data structure containing all the key
functionality. Keys are purged during checkpoint, and I was careful to make
sure that a full device scan is not needed for my modification; it works with
the commit/replay, and it can recover when power is lost at any point of
the purging procedure.

I have a couple questions to ask the main developer, mostly about orphans for
which I found the documentation not quite clear. I'm quite keen to get
this integrated into UBIFS, however this will be the first time I've
contributed to the kernel so in this regard I'm unsure of the best practices
and so forth.

cheers,
Joel

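Added illustration of the key-management scheme Joel outlines above, written for this page; it is not his patch and not UBIFS code. Each data node is encrypted under its own key, keys are generated ahead of time into a fixed key area and handed out as nodes are written, an overwrite or delete marks the old key as deleted, and a purge rewrites only the key blocks that contain deleted keys. The key-area layout, the one-erasure-per-rewritten-key-block accounting, the SHA-256 counter-mode keystream standing in for a real block cipher, the per-slot nonce, and the sample file contents are all assumptions of the example; the commit/replay integration and power-cut recovery he mentions are not modelled.

```python
"""Constructed model (not Joel's patch, not UBIFS code) of per-node-key secure
deletion: every data node is encrypted under its own key, keys live in a fixed
key area written ahead of time, deleting or overwriting a node marks its key,
and a periodic purge rewrites only the key blocks that hold deleted keys. The
SHA-256 counter-mode keystream stands in for a real block cipher."""
import hashlib
import os

UNUSED, USED, DELETED = "unused", "used", "deleted"


def xor_keystream(key, nonce, data):
    """Stand-in for AES-CTR; XOR is its own inverse so it encrypts and decrypts."""
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


class KeyArea:
    """`per_block` key slots per eraseblock; each slot is unused, used or deleted."""
    def __init__(self, n_keys, per_block):
        self.per_block = per_block
        self.keys = [os.urandom(16) for _ in range(n_keys)]  # written ahead of time
        self.state = [UNUSED] * n_keys

    def assign(self):
        pos = self.state.index(UNUSED)
        self.state[pos] = USED
        return pos

    def blocks_to_purge(self):
        """Key blocks holding at least one deleted key; no data-block scan needed."""
        return [b for b in range(0, len(self.keys), self.per_block)
                if DELETED in self.state[b:b + self.per_block]]

    def purge(self):
        """Rewrite each dirty key block: deleted slots get fresh keys and become
        unused again. Returns the number of key blocks rewritten (assumed to cost
        one eraseblock erasure each)."""
        dirty = self.blocks_to_purge()
        for b in dirty:
            for i in range(b, min(b + self.per_block, len(self.keys))):
                if self.state[i] == DELETED:
                    self.keys[i], self.state[i] = os.urandom(16), UNUSED
        return len(dirty)


class KeyedFS:
    """Data nodes are appended to `media` as ciphertext and never erased."""
    def __init__(self, key_area):
        self.ka, self.media, self.index = key_area, [], {}  # (ino, n) -> (pos, idx)

    def _nonce(self, pos):
        return pos.to_bytes(4, "big")   # assumption: slot number as nonce, fresh key per use

    def write(self, ino, node_no, data):
        old = self.index.get((ino, node_no))
        if old is not None:                 # overwrite: the superseded node's key dies
            self.ka.state[old[0]] = DELETED
        pos = self.ka.assign()
        self.media.append(xor_keystream(self.ka.keys[pos], self._nonce(pos), data))
        self.index[(ino, node_no)] = (pos, len(self.media) - 1)

    def read(self, ino, node_no):
        pos, where = self.index[(ino, node_no)]
        return xor_keystream(self.ka.keys[pos], self._nonce(pos), self.media[where])

    def delete(self, ino):
        for k in [k for k in self.index if k[0] == ino]:
            self.ka.state[self.index.pop(k)[0]] = DELETED

    def recoverable(self, secret):
        """Attacker holding the raw chip and the current key area: can any
        ciphertext still on the media be decrypted to `secret`?"""
        return any(xor_keystream(key, self._nonce(pos), ct).startswith(secret)
                   for ct in self.media for pos, key in enumerate(self.ka.keys))


def demo(secret=b"patient record 42"):
    """Returns (read works, recoverable before purge, after purge, key blocks rewritten)."""
    fs = KeyedFS(KeyArea(n_keys=12, per_block=8))
    fs.write(1, 0, secret)
    for other in range(2, 6):
        fs.write(other, 0, b"public data %d" % other)
    fs.write(1, 0, secret + b" v2")              # overwrites delete keys 0 and 5
    fs.write(1, 0, secret + b" v3")
    readable = fs.read(1, 0) == secret + b" v3"  # random access needs only one key
    fs.delete(1)                                  # key 6 deleted; ciphertext stays
    before = fs.recoverable(secret)              # True: purge has not run yet
    rewritten = fs.ka.purge()
    return readable, before, fs.recoverable(secret), rewritten


if __name__ == "__main__":
    print(demo())
```

The ciphertext of deleted and overwritten nodes never leaves the media; what changes is that after purge() no key in the key area decrypts it, which is why only the key blocks, and not the data blocks, need erasing (here one rewritten key block for a file that was overwritten twice and then deleted). The window between delete() and purge(), during which recoverable() still returns True, is what the periodic purge at commit time bounds.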

* Re: Security enhancement for UBIFS with secure erase feature
  2011-10-27  9:33   ` Joel Reardon
@ 2011-10-30 12:51     ` Artem Bityutskiy
  0 siblings, 0 replies; 7+ messages in thread
From: Artem Bityutskiy @ 2011-10-30 12:51 UTC (permalink / raw)
  To: Joel Reardon; +Cc: linux-mtd

Hi Joel,

On Thu, 2011-10-27 at 09:33 +0000, Joel Reardon wrote:
> So coincidentally I've been working on a secure deletion patch for UBIFS. (I'm a
> grad student researching secure deletion here in Zurich.) I'm mostly finished
> implementing it and the results are really good. It works by encrypting each
> data node individually with a different key, storing the keys in a (logically)
> fixed area, and then periodically atomically updating the key blocks to purge
> the old unwanted keys.

Sounds like a clever solution! I am curious to see how you made sure
that all this is power-cut safe.

> I have a couple questions to ask the main developer, mostly about orphans for
> which I found the documentation not quite clear. I'm quite keen to get
> this integrated into UBIFS, however this will be the first time I've
> contributed to the kernel so in this regard I'm unsure of the best practices
> and so forth.

Well, ask questions, send patches. This sounds very interesting.
However, I do not know if anyone will use this, hopefully yes!

Artem.


* RE: Security enhancement for UBIFS with secure erase feature
@ 2011-10-31 17:51 Stelling Carsten
  0 siblings, 0 replies; 7+ messages in thread
From: Stelling Carsten @ 2011-10-31 17:51 UTC (permalink / raw)
  To: linux-mtd

> However, I do not know if anyone will use this, hopefully yes!
Having opened the thread in September, I know someone who'll use it.
Joel, I haven't started development yet, and it's good to hear that re-inventing the wheel is not necessary.

Carsten


* RE: Security enhancement for UBIFS with secure erase feature
  2011-09-05 16:01 Stelling Carsten
@ 2011-09-08 11:18 ` Atlant Schmidt
  0 siblings, 0 replies; 7+ messages in thread
From: Atlant Schmidt @ 2011-09-08 11:18 UTC (permalink / raw)
  To: 'Stelling Carsten', linux-mtd

Carsten:

  Unfortunately, the data sheets for many Flash parts
  specifically prohibit re-writing a page, even if
  you're driving the bits towards more zeroes. I
  think you'll find this is especially true for MLC
  devices.

                                 Atlant


* Security enhancement for UBIFS with secure erase feature
@ 2011-09-05 16:01 Stelling Carsten
  2011-09-08 11:18 ` Atlant Schmidt
  0 siblings, 1 reply; 7+ messages in thread
From: Stelling Carsten @ 2011-09-05 16:01 UTC (permalink / raw)
  To: linux-mtd

Hi everybody,

When building security relevant (embedded) applications, personal privacy
is of major importance.

Therefore it would be nice to have a configuration option to invalidate the
content of a deleted file in UBIFS. This feature shall allow an application to
ensure that, when a file is deleted, its contents are fully erased from the flash,
i.e. each time a block is marked for erase, the block is written with all zeros.
Writing zeros without erasing an entire page should be possible by design.

Giving such an option on a file by file basis (ioctl) would be optimal, because
wiping out the content of a deleted file is time and resource consuming and
not acceptable for all kinds of applications using UBIFS.

Are there any plans for such a security enhancement in UBIFS?

Regards

Carsten

