From: alban bernard <alban.bernard@yahoo.fr>
To: dm-crypt@saout.de
Subject: [dm-crypt] simple ideas addressing ssd TRIM security concern
Date: Sat, 14 Apr 2012 02:23:23 +0100 (BST) [thread overview]
Message-ID: <1334366603.85970.YahooMailClassic@web171303.mail.ir2.yahoo.com> (raw)
Hi,
I carefully read that page http://asalor.blogspot.fr/2011/08/trim-dm-crypt-problems.html to understand the basics behind the main security problem involved by trim commands. Simple ideas came to my mind, but I need to submit them to know how they fail (or by any chance how they may succeed).
From what I understand, TRIM commands are used to say to the SSD controller: "these sectors are discarded, so you can erase them at any time chosen by you rather than waiting an explicit rewrite from me". So, from a crytographic point of view, using TRIM commands is like replacing deleted files by "zero" files in a totally uncontrolled manner. This breaks the main purpose of cryptography: hiding as much things as possible.
After TRIM commands, the SSD controller erases blocks whenever he wants after receiving the command. Thus, it seems to not inform us back where those blocks are remapped in its LBA translation table (not sure about that).
So, what about running TRIM commands only in certain cases: on-demand / by sectors / ... ? The overall purpose being:
- to limit the TRIMed space on device
- to control the TRIMed pattern (spread it randomly as much as possible)
Here the naive things:
- send on-demand TRIM commands based on device write access rate and remaining free space
- keep a table of TRIMed blocks or just their total size (send TRIM commands only below a certain size limit threshold)
- send TRIM commands on randomly chosen deleted blocks only (not all deleted blocks)
- write garbage to fill some TRIMed "blanks" (less than a threshold critical to ssd performance)
- randomize device usage pattern when choosing blocks to TRIM (hide filesystem)
Let me know if it could lead to real life solution. Any criticism appreciated.
~Alban.
next reply other threads:[~2012-04-14 1:23 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-14 1:23 alban bernard [this message]
2012-04-14 4:15 ` [dm-crypt] simple ideas addressing ssd TRIM security concern Arno Wagner
2012-04-14 22:22 ` alban bernard
2012-04-15 1:26 ` Arno Wagner
2012-04-15 14:55 ` Sven Eschenberg
2012-04-15 16:55 ` alban bernard
2012-04-15 22:48 ` Sven Eschenberg
2012-04-16 0:28 ` alban bernard
2012-04-16 2:43 ` Arno Wagner
2012-04-16 19:53 ` Heinz Diehl
2012-04-17 2:48 ` Arno Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1334366603.85970.YahooMailClassic@web171303.mail.ir2.yahoo.com \
--to=alban.bernard@yahoo.fr \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.