Researchers in Korea discovered a weakness in SSDs that allows the malware to infect an SSD’s empty over-provisioning partition directly. This makes the malware practically immune to security countermeasures, according to BleepingComputer.
Over-provisioning is a function found in all current SSDs that extends the SSD’s built-in NAND storage life and improves its performance. Overprovisioning results in a lot of vacant storage space. However, it allows the SSD to ensure that data is spread evenly across all NAND cells by shuffling data to the over-provisioning pool when needed.
While the operating system — and hence anti-virus solutions — are intended to be unable to reach this region, this new malware can infiltrate it and utilize it as a base of operations. Two attacks based on the over-provisioned space were designed by Korean academics at Korea University in Seoul. The first shows a vulnerability in the SSD that targets invalid data (data that has been erased in the OS but not physically cleaned).
To get access to more potentially sensitive data, the attacker can increase the size of the over-provisioned data pool to provide the operating system with more space. As a result, when a user tries to erase more data from the SSD, the excess data stays physically intact.
To tackle the first assault scenario, the researchers recommend designing a pseudo-erase method that physically deletes data on an SSD without harming real-world performance.
To fight the second assault type, it is advised that a new monitoring system be implemented that can closely monitor the over-provisioned size of the SSDs in real-time. Furthermore, unauthorized access to SSD management tools that can change over-provisioned sizes should be protected by more robust security mechanisms.
Thankfully, these techniques were devised by researchers rather than being found as a result of a real-world attack. However, an attack like this might very well occur, thus SSD makers should begin correcting these security flaws as soon as possible before someone exploits them.