Korean researchers discovered a vulnerability in solid-state drives that enables malware to infect an SSD's empty over-provisioning partition directly. This enables the malware to be practically impervious to security defenses.
Over-provisioning is a function present in all current SSDs that extends the life and performance of the SSD's built-in NAND storage. The over-provisioned area is essentially empty storage space, but it enables the SSD to ensure that data is distributed evenly across all NAND cells by redistributing data to the over-provisioning pool as needed. While the operating system — and hence anti-virus solutions — are not meant to be able to access this region, this new malware can infiltrate it and use it as a base of operations.
Korea University researchers in Seoul modeled two attacks that take advantage of the over-provisioned space. The first exploits invalid data on the SSD (data that has been deleted by the OS but has not yet been physically erased). To obtain more of this potentially sensitive data, the attacker can increase the size of the over-provisioned pool so that the operating system is given additional vacant space. As a result, when a user deletes further data, that data remains physically intact within the SSD.
The second method is similar to the first in that it involves placing firmware directly into the over-provisioning pool. In this example, two SSDs are connected as a single device and over-provisioning is set to 50%. When an attacker injects malware into the SSD's OP partition, they limit the OP range of the first SSD to 25% of its total size and then boost the OP range of the second SSD to 75%.
This allows the attacker to insert malware directly into the OP partition on the second SSD while reducing the OP range on the first SSD to 25%, creating the illusion that the OP area on both drives has remained unchanged, because the combined OP range of both SSDs is still 50%.
To tackle the first attack scenario, the researchers recommend designing a pseudo-erase method that physically deletes data on an SSD without impairing real-world performance. To counter the second attack type, they recommend creating a new monitoring system that can precisely track the over-provisioned size of the SSDs in real time. Additionally, access to SSD management tools that allow the adjustment of over-provisioned sizes should have stronger security safeguards to prevent unauthorized use.
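As an added illustration of why the monitoring recommended above must track each drive's OP size rather than the array total (example code written for this page, not from the researchers or the article), the two-drive scenario described above is modelled with constructed drive names and capacities: an aggregate-only check stays silent while a per-drive check flags both drives.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DriveOP:
    """Over-provisioning (OP) state of one SSD, in bytes (constructed model)."""
    name: str
    capacity: int   # raw NAND capacity
    op_size: int    # bytes currently reserved as OP, invisible to the OS

    @property
    def op_ratio(self) -> float:
        return self.op_size / self.capacity


def aggregate_op_ratio(drives: list[DriveOP]) -> float:
    """OP ratio of the whole array, as a naive monitor would see it."""
    return sum(d.op_size for d in drives) / sum(d.capacity for d in drives)


def aggregate_check(baseline: list[DriveOP], current: list[DriveOP],
                    tolerance: float = 0.01) -> bool:
    """Naive monitor: True if the array-wide OP ratio is still at baseline."""
    return abs(aggregate_op_ratio(baseline) - aggregate_op_ratio(current)) <= tolerance


def per_drive_check(baseline: list[DriveOP], current: list[DriveOP],
                    tolerance: float = 0.01) -> list[str]:
    """Per-drive monitor: names of drives whose own OP ratio moved beyond tolerance."""
    base = {d.name: d for d in baseline}
    drifted = []
    for d in current:
        b = base.get(d.name)
        if b is None or abs(b.op_ratio - d.op_ratio) > tolerance:
            drifted.append(d.name)
    return drifted


# Constructed sample: two identical 1 TB drives, both at 50% OP at baseline.
TB = 1_000_000_000_000
BASELINE = [DriveOP("ssd0", TB, TB // 2), DriveOP("ssd1", TB, TB // 2)]
# After the manipulation described in the article: 25% on ssd0, 75% on ssd1.
AFTER = [DriveOP("ssd0", TB, TB // 4), DriveOP("ssd1", TB, 3 * TB // 4)]

if __name__ == "__main__":
    print("aggregate looks unchanged:", aggregate_check(BASELINE, AFTER))  # True
    print("drives that drifted:", per_drive_check(BASELINE, AFTER))         # ['ssd0', 'ssd1']
```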
Fortunately, these attacks were designed by researchers and not uncovered during a real-world attack. However, such an assault is entirely possible, and SSD manufacturers should begin addressing these security flaws immediately before someone has a chance to exploit them.
New Malware Bypasses Security Measures by Using SSD Over-Provisioning