MrGuvernment (2021-12-30)
Korean researchers have developed a set of attacks against some solid-state drives (SSDs) that could allow planting malware in a location that's beyond the reach of the user and security solutions.
The attack models are for drives with flex capacity features and target a hidden area on the device called over-provisioning, which is widely used by SSD makers these days for performance optimization on NAND flash-based storage systems.
Hardware-level attacks offer ultimate persistence and stealth. Sophisticated actors have worked hard to implement such concepts against HDDs in the past, hiding malicious code in unreachable disk sectors.
How flex capacity works
Flex capacity is a feature in SSDs from Micron Technology that enables storage devices to automatically adjust the sizes of raw and user-allocated space to achieve better performance by absorbing write workload volumes.
It is a dynamic system that creates and adjusts a buffer of space called over-provisioning, typically taking between 7% and 25% of the total disk capacity.
The over-provisioning area is invisible to the operating system and any applications running on it, including security solutions and anti-virus tools.
As the user launches different applications, the SSD manager adjusts this space automatically against the workloads, depending on how write or read-intensive they are.
The attack models
One attack modeled by researchers at Korea University in Seoul targets an invalid data area with non-erased information that sits between the usable SSD space and the over-provisioning (OP) area, and whose size depends on the two.
The research paper explains that a hacker can change the size of the OP area by using the firmware manager, thus generating exploitable invalid data space.
The problem here is that many SSD manufacturers choose not to erase the invalid data area to save on resources. This space remains filled with data for extensive periods, under the assumption that breaking the link of the mapping table is enough to prevent unauthorized access.
As such, a threat actor leveraging this weakness could gain access to potentially sensitive information.
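A toy flash-translation-layer model, added here as an illustration and not taken from the research paper or the article, shows why "breaking the link in the mapping table" is not the same as erasing: after an overwrite or a host-side delete the old physical page still holds its data until the firmware actually erases it. All class and function names are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

EMPTY = None  # an erased physical page holds no data


@dataclass
class ToySsd:
    """Constructed toy FTL: logical block addresses (LBAs) map to physical
    pages; flash is written out-of-place, so an overwrite or delete only
    drops the map entry and leaves the old page as 'invalid' (stale) data."""
    n_pages: int
    pages: List[Optional[bytes]] = field(init=False)
    l2p: Dict[int, int] = field(default_factory=dict)  # LBA -> physical page
    next_free: int = 0

    def __post_init__(self) -> None:
        self.pages = [EMPTY] * self.n_pages

    def write(self, lba: int, data: bytes) -> None:
        if self.next_free >= self.n_pages:
            raise RuntimeError("out of free pages (no garbage collection in this toy)")
        # out-of-place write: the previous page for this LBA is NOT erased
        self.pages[self.next_free] = data
        self.l2p[lba] = self.next_free
        self.next_free += 1

    def delete(self, lba: int) -> None:
        # what 'breaking the mapping-table link' does: only the map entry goes
        self.l2p.pop(lba, None)

    def read(self, lba: int) -> Optional[bytes]:
        # the host/OS view: only currently mapped pages are reachable
        p = self.l2p.get(lba)
        return None if p is None else self.pages[p]

    def invalid_pages(self) -> Dict[int, bytes]:
        # physical pages that still hold data but are referenced by no LBA
        mapped = set(self.l2p.values())
        return {i: d for i, d in enumerate(self.pages) if d is not EMPTY and i not in mapped}

    def erase_invalid(self) -> int:
        # mitigation: erase unmapped pages instead of trusting the map alone
        stale = self.invalid_pages()
        for i in stale:
            self.pages[i] = EMPTY
        return len(stale)


def demo():
    ssd = ToySsd(n_pages=8)
    ssd.write(0, b"secret v1")
    ssd.write(0, b"secret v2")  # overwrite: page 0 becomes invalid but keeps v1
    ssd.write(1, b"doc")
    ssd.delete(1)               # host delete: page 2 still holds b"doc"
    before = dict(ssd.invalid_pages())
    erased = ssd.erase_invalid()
    return before, erased, ssd.invalid_pages(), ssd.read(0), ssd.read(1)
```

`demo()` returns the stale pages visible at the physical level before the erase, then shows that after `erase_invalid()` nothing unmapped remains while the live data at LBA 0 is untouched.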