传统硬盘(HDD)还没有步马车的后尘,也就是说还没有被历史抛弃,不过鉴于固态硬盘(SSD)人气飙升,SSD成为标准、HDD被逐步淘汰是早晚的事情。考虑到固态硬盘在速度和可靠性方面具有优势,更不用说最近价格不断下滑,这种转变完全在情理之中。
然而卡内基·梅隆大学的研究人员却发现固态硬盘设计存在一处缺陷,这导致它们极容易受到某种特定类型的攻击,因而导致固态硬盘过早失效和数据损毁。这个缺陷的技术细节非常深奥,不过我会在这里尽量讲得简单明了。
很显然,这个问题只影响多层单元(MLC)固态硬盘。单层单元(SLC)固态硬盘不受影响,但是由于MLC固态硬盘速度快,因而变得更受欢迎,这个风险波及多得多的设备。虽然该研究报告没有探讨三层单元(TLC)固态硬盘,不过ExtremeTech指出,由于TLC使用了与MLC相同类型的多阶段编程周期,TLC可能也易受攻击。
这个安全漏洞源自MLC的编程方式。不像SLC固态硬盘,MLC固态硬盘从闪存单元将数据写入到缓冲器,而不是从固态硬盘的闪存控制器将数据写入到缓冲器。如果拦截这个过程,攻击者就可以破坏需要写入的数据。
显而易见的结果是,内存中存储的数据损坏,但是这还可能对固态硬盘本身造成破坏,因而缩短其使用寿命。
当然,上面这番解释高度简单化了,但如果你精通技术行话,可以上Semantic Scholar 阅读研究人员的全文下载,文章标题为《MLC NAND 闪存编程中的安全漏洞:实验性分析、漏洞利用及缓解技术/方法》。
解决这个问题来得比较简单直观。固态硬盘厂商只要改而通过闪存控制器来运行数据,就像处理SLC那样。然而,这使延迟时间增加了约5%,这多少影响了MLC固态硬盘相比SLC固态硬盘具有的主要优势之一。
如果卡内基·梅隆大学能搞清楚这个问题,黑客恐怕也有这个本事。要是黑客还没有听说过这个漏洞,他们现在应该听说了。我们还没有听到有谁报告利用这个安全漏洞的攻击;固态硬盘厂商们肯定已经在竭力寻找方法,在不影响速度的情况下堵住这个漏洞。
即使厂商确实搞清楚了如何修复新固态硬盘中的缺陷,已经用于消费类设备中的固态硬盘该怎么办?有没有软件补丁可以修复这个问题?是否可以编写病毒定义,以便检测有人是否编写了某个软件或应用程序来利用这个安全漏洞?
英文:
Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques
Abstract
Modern NAND flash memory chips provide high density by storing two bits of data in each flash cell, called a multi-level cell (MLC). An MLC partitions the threshold voltage range of a flash cell into four voltage states. When a flash cell is programmed, a high voltage is applied to the cell. Due to parasitic capacitance coupling between flash cells that are physically close to each other, flash cell programming can lead to cell-to-cell program interference, which introduces errors into neighboring flash cells. In order to reduce the impact of cell-to-cell interference on the reliability of MLC NAND flash memory, flash manufacturers adopt a two-step programming method, which programs the MLC in two separate steps. First, the flash memory partially programs the least significant bit of the MLC to some intermediate threshold voltage. Second, it programs the most significant bit to bring the MLC up to its full voltage state. In this paper, we demonstrate that two-step programming exposes new reliability and security vulnerabilities. We experimentally characterize the effects of two-step programming using contemporary 1X-nm (i.e., 15–19nm) flash memory chips. We find that a partially-programmed flash cell (i.e., a cell where the second programming step has not yet been performed) is much more vulnerable to cell-to-cell interference and read disturb than a fully-programmed cell. We show that it is possible to exploit these vulnerabilities on solid-state drives (SSDs) to alter the partially-programmed data, causing (potentially malicious) data corruption. Building on our experimental observations, we propose several new mechanisms for MLC NAND flash memory that eliminate or mitigate data corruption in partially-programmed cells, thereby removing or reducing the extent of the vulnerabilities, and at the same time increasing flash memory lifetime by 16%.