USAGE OF EMBEDDED SENSORS FOR DATA PROTECTION IN STORAGE DEVICES


  • 7/28/2019 USAGE OF EMBEDDED SENSORS FOR DATA PROTECTION IN STORAGE DEVICES

    USAGE OF EMBEDDED SENSORS FOR DATA PROTECTION IN STORAGE DEVICES

    Leonid Baryudin
    Principal Firmware Architect, Sandforce

    Dmitry Obukhov
    Director, SSD Firmware Development, Western Digital

    07/27/2011

    Agenda

    • Introduction
    • Security Sensors
    • Security Sensors and Data Bands Locking
        • Tampering Attempt
        • Unsecure Orientation
        • Outside Secure Area
        • Motion Detection
    • Security Sensors and Data Hijacking
    • Security Sensors as Part of Bigger Security System

    Introduction

    In contemporary Storage Security protocols like TCG (Enterprise and Opal), the user of a drive must know Credentials (normally a username and password) to gain access to certain data.

    Some Credentials (perhaps of a higher Admin level) are also needed to change the Credentials themselves, including modifying the default (known to everybody) Manufacturing Credentials. This procedure is sometimes called Taking Ownership of the Drive, as from this moment only those who know the new Credentials can access the Drive's data.

    Introduction (cont.)

    This method is reasonably secure, but being essentially SW oriented it has the following vulnerabilities:

    • After a data band is unlocked, it normally stays this way for quite a long time (the authentication procedure is rather time consuming and cannot be done too often). During this time an intruder can connect to the drive and get access to its data.

    • If an intruder happens to know the credentials (which is especially easy for a freshly manufactured drive which has only default ones), she can do what she wants with the drive data, even remotely (using malicious software).

    Security Sensors

    The solution is to equip drives with embedded Security Sensors which will be able to monitor certain Security Conditions (examples are on the following slides), thus providing the drive with additional (to Credentials) information controlling access to the drive's data.

    If the drive's conditions reported by some of the Security Sensors are deemed to be unsecure, certain data bands may not be allowed to be unlocked even if the Credentials are correct.

    Security Sensors (cont.)

    Equally, certain management operations (like changing Credentials) may not be allowed in unsecure conditions.

    On the other hand, if the drive's conditions become unsecure (having been secure before), at least some unlocked data bands can be locked and thus protected from an intruder.

    There should be a standard way to configure what conditions are secure and unsecure for access to any particular data band or for performing any management operation. A possible implementation is discussed in the TCG Storage Control Locking LBA Ranges Feature Set, now under review.

    Secure Conditions Examples

    The following Secure Conditions are considered important enough to control drive data access:

    • Tampering Attempt
    • Unsecure Orientation
    • Outside Secure Area
    • Motion Detection

    Tampering Attempt

    A Drive can have a physical signal (GPIO, I2C, etc.) connected to a sensor of any type which indicates that an attempt to tamper with the Drive's contents may be in progress. A couple of examples:

    • The Drive could be placed into a secure enclosure, generating a tampering signal each time the secure enclosure is opened, perhaps by somebody trying to connect his laptop in an attempt to impersonate a valid host and get access to the drive in an unlocked state.

    • It can be any sort of remote sensor in the building which provides a tampering attempt signal if any sort of secure perimeter has been penetrated (doors opened, alarms tripped, etc.).

    Unsecure Orientation

    Data band(s) can be prevented from being unlocked if the drive is in some sort of unnatural position (tilted beyond a certain angle, for example), or already unlocked band(s) can be locked if the drive's position becomes such. A simple accelerometer sensor can detect this.

    The actual value of the unsecure orientation (tilt) angle depends on the type of installation: what is deemed to be unsecure for a drive installed in a big RAID rack can be perfectly OK for a laptop.

    Outside Secure Area

    Some data bands can be allowed to be unlocked only if the drive is located in some sort of Secure Area (building, site, geographical location, etc.) and should be locked if the drive moves outside this area. There should be a sensor of some sort verifying this fact, for example:

    • Some secure signal presence sensor, constantly receiving an encrypted radio signal on a certain frequency which is only available in particular building(s).

    • Same as the previous, but the radio transmitter is on a person. When this person leaves the drive's vicinity (the drive itself doesn't move), certain data bands may be locked.

    • A GPS device, reporting whether the geographical location of the drive is inside or outside a predefined secure area.

    Motion Detection

    If the drive is being moved (a motion detection sensor is needed), perhaps it is being stolen in an already-unlocked state, and the affected data bands must be locked.

    Depending on drive usage, this condition can vary. Drives installed in server racks must not be moved at all, while those in laptops should only lock data bands if dropped on the ground, meaning acceleration and/or speed are rather high (precise definitions are beyond the scope of this presentation).
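
The band-locking rules from the preceding slides (unlock refused under unsecure conditions even with correct Credentials, unlocked bands re-locked when conditions turn unsecure, per-installation policy) can be sketched as follows. This is an added example, not code from the presentation or from any TCG specification; the bit layout, the `band_t` structure and all function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
/* Secure Conditions named on the slides; the bit layout is an assumption. */
enum {
    COND_TAMPER      = 1u << 0,  /* Tampering Attempt */
    COND_ORIENTATION = 1u << 1,  /* Unsecure Orientation */
    COND_OUTSIDE     = 1u << 2,  /* Outside Secure Area */
    COND_MOTION      = 1u << 3   /* Motion Detection */
};

typedef struct {
    uint8_t block_unlock;  /* unsecure conditions that forbid unlocking */
    uint8_t force_lock;    /* unsecure conditions that re-lock the band */
    bool    unlocked;
} band_t;

/* Correct credentials are necessary but not sufficient. */
bool band_unlock(band_t *b, bool creds_ok, uint8_t unsecure)
{
    if (!creds_ok || (unsecure & b->block_unlock))
        return false;
    b->unlocked = true;
    return true;
}

/* Run on every sensor state change; returns how many bands were locked. */
int sensors_changed(band_t *bands, int n, uint8_t unsecure)
{
    int locked = 0;
    for (int i = 0; i < n; i++)
        if (bands[i].unlocked && (unsecure & bands[i].force_lock)) {
            bands[i].unlocked = false;
            locked++;
        }
    return locked;
}

/* Constructed scenario: band 0 has a rack policy, band 1 a laptop policy. */
int demo(void)
{
    const uint8_t rack = COND_TAMPER | COND_ORIENTATION | COND_MOTION;
    const uint8_t laptop = COND_TAMPER | COND_OUTSIDE;
    band_t bands[2] = { { rack, rack, false }, { laptop, laptop, false } };
    int r = band_unlock(&bands[0], true, 0) << 0;            /* secure: unlocks */
    r |= band_unlock(&bands[1], true, 0) << 1;               /* secure: unlocks */
    r |= (sensors_changed(bands, 2, COND_MOTION) == 1) << 2; /* rack band only */
    r |= band_unlock(&bands[0], true, COND_MOTION) << 3;     /* refused */
    return r;
}
```

In the constructed scenario a motion event locks only the band with the rack policy, and that band cannot be unlocked again while motion is still reported, whatever credentials are presented.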

    Security Sensors and Data Hijacking

    This is a brief description of an invention (patent application pending) which implements protection from so-called Data Hijacking using Security Sensors.

    • Data Hijacking Scenario
    • Data Hijacking Security Sensors Protection
    • Data Hijacking Security Sensors Use Cases

    Data Hijacking Scenario

    When a user purchases a device with secure storage on it (Hard Disc Drive, Solid State Drive, network device with internal storage, intelligent appliance, etc.), this storage is normally unlocked (secure procedures are not enabled or they are using publicly known default credentials).

    It is very important that the user takes ownership of the storage by enabling secure procedures and/or replacing existing credentials with his/her own private ones as soon as possible, and at any rate prior to saving any data on the storage.

    Data Hijacking Scenario (cont.)

    Otherwise (provided that the device is connected to a network in some way, which is true directly or indirectly for most devices nowadays), a remote intruder equipped with malicious software may be able not only to read this data but also to do what the lawful user failed to do in the first place: enable security procedures and replace the default credentials with those of the remote intruder, thus taking ownership of the storage contents.

    From this moment on, the lawful user loses the ability to access her own data, which thus becomes hijacked by the remote intruder. Despite the fact that the compromised device never left the lawful user's physical possession, it is virtually impossible for her to resume control over it except by resetting it to the default state and losing all previously stored data, which can incur substantial financial and other losses.

    Data Hijacking Scenario (cont.)

    Alternatively, the remote intruder can choose to erase the storage contents by using a sanitizing or trim procedure, which can be done very fast compared to a traditional erase.

    While the entire trouble could be avoided had the lawful user followed the proper procedures by taking ownership of the storage herself before saving any data on it, it is a fact of life that many won't do so due to lack of training, time, etc. The number of persons and businesses vulnerable to this sort of attack will grow in the immediate future as more and more devices with secure storage reach the market, since the customer education level is never capable of keeping up with the advance of technological innovations.

    Data Hijacking Security Sensors Protection

    It is suggested to use Security Sensors to prevent a remote intruder from taking ownership of the storage or sanitizing/trimming any significant part of it: only the user having the device in his/her physical possession will be able to do so.

    A remote intruder will still be able to do some harm and even try to hijack the unprotected data by copying it to his place over the network and erasing the original contents. However, as such a procedure will likely take a very long time (compared to taking ownership: replacing credentials may be done in milliseconds), it will likely prove to be impractical, at least on a wide scale, and there are more chances that such an intrusion will be intercepted by standard antivirus software.

    Data Hijacking Security Sensors Protection (cont.)

    Depending on the type of device, its geometry, location and even usage patterns on a particular market, there are multiple embodiments of the method suggested by this invention, generally having the following elements:

    • In various embodiments, it is some sort of Security Sensor, such as a switch, which can be activated only intentionally by a person who has physical access to the device.

    • Activation of the switch (or equivalent) raises a signal to the device's controller indicating that certain security procedures (like taking ownership) become possible which are forbidden otherwise.

    • There could be additional switches or jumpers, configuring what security procedures are affected by the main switch (or some combination of switches, such as one switch per feature).

    Data Hijacking Security Sensors Use Cases

    • A reed switch can be installed inside the device, and it will be activated by applying a magnet to a certain location on the device. This option is especially suitable for laptop disk drives, where the device itself (disk) is hidden in the laptop case but the enclosure walls are rather thin and made of plastic, and therefore it's easy to guess the location of any spot on the drive with reasonable precision and the magnetic field of a small magnet can easily penetrate to the reed switch.

    • For routers and network appliances in general, it's common to have a factory reset switch in a deep hole where it can be accessed by a long pin or needle. There can be a second switch of this sort, or an existing one can be used with a different application pattern (say, 3 short pushes instead of 1 long).

    • As an advanced version of the previous approach, for less price sensitive but security concerned markets, the switch can have the form of a key hole of rather intricate form which requires a unique physical key to be applied. Such keys shall be sold with devices or even sent later for an additional price when the customer decides he/she needs security. In a big organization, keys can be collected and stored in a central place, allowing only certain people to take ownership over storage.

    Data Hijacking Security Sensors Use Cases (cont.)

    • In some environments, such as extremely distributed systems where physical access is a problem, the switch could be some sort of wireless device managed remotely (from short or long distance, depending on application) via protected channels.

    • The device might include a physically secure connection, such as a management network coupling multiple devices (I2C, Ethernet), and this physically secure connection is usable to perform and/or to enable (optionally for a finite time period) certain commands or procedures on the normal host interface.
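
The physical-presence gate described on the last slides (a shared switch with two application patterns, enabling ownership procedures for a finite time period) can be sketched as follows. This is an added example, not code from the presentation or the patent application; every threshold, type and function name is an assumption, and timestamps are assumed to be monotonic milliseconds.

```c
#include <stdbool.h>
#include <stdint.h>
#define SHORT_MAX_MS 500u    /* longest "short" push; all values assumed (ms) */
#define LONG_MIN_MS  3000u   /* shortest push counted as "long" */
#define GAP_MAX_MS   1000u   /* longest pause inside one pattern */
#define WINDOW_MS    60000u  /* finite period the commands stay enabled */
typedef struct { uint32_t down_ms, up_ms; } push_t;
typedef struct { bool armed; uint32_t armed_at_ms; } presence_t;
typedef enum { PAT_NONE, PAT_FACTORY_RESET, PAT_ENABLE_OWNERSHIP } pattern_t;

/* One switch, two patterns: 1 long push = reset, 3 short = enable ownership. */
pattern_t classify(const push_t *p, int n)
{
    if (n == 1 && p[0].up_ms - p[0].down_ms >= LONG_MIN_MS)
        return PAT_FACTORY_RESET;
    if (n != 3)
        return PAT_NONE;
    for (int i = 0; i < 3; i++)
        if (p[i].up_ms - p[i].down_ms > SHORT_MAX_MS ||
            (i > 0 && p[i].down_ms - p[i - 1].up_ms > GAP_MAX_MS))
            return PAT_NONE;
    return PAT_ENABLE_OWNERSHIP;
}

/* Arm the window when the controller sees the ownership pattern. */
void presence_feed(presence_t *s, const push_t *p, int n)
{
    if (classify(p, n) != PAT_ENABLE_OWNERSHIP) return;
    s->armed = true;
    s->armed_at_ms = p[n - 1].up_ms;
}

/* Gate for take-ownership / sanitize / trim: credentials alone are refused. */
bool ownership_cmd_allowed(const presence_t *s, bool creds_ok, uint32_t now_ms)
{
    return creds_ok && s->armed && now_ms - s->armed_at_ms <= WINDOW_MS;
}

/* Constructed timeline: command, three short pushes, two more commands. */
int demo_presence(void)
{
    const push_t taps[3] = { {0, 200}, {600, 750}, {1200, 1400} };
    presence_t s = { false, 0 };
    int r = ownership_cmd_allowed(&s, true, 100) << 0;  /* unarmed: refused */
    presence_feed(&s, taps, 3);
    r |= ownership_cmd_allowed(&s, true, 5000) << 1;    /* in window: allowed */
    r |= ownership_cmd_allowed(&s, true, 90000) << 2;   /* expired: refused */
    return r;
}
```

A command carrying valid (for example default) credentials is refused before the switch is operated and again once the window has expired, which is the case the remote-intruder scenario depends on.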

    Thank You!
