Files on eMMC devices
The use of an eMMC device for the storage media in the Kindles brings another level of considerations into this subject.
Under a "spinning rust" storage media, just "deleting" the file name does not disturb the information stored (which is what makes "un-delete" programs possible).
The general solution in this case is a "secure delete" function, which is actually a "secure overwrite" of the data followed by a delete of the name.
Now consider that this is an eMMC device.
It cannot "delete" information; it can only "erase" information, and even then, only in "erase block" increments.
The visible "delete" function is provided by the eMMC on-chip controller, which "fakes it".
How it "fakes it" depends on the programming of the micro-controller - which is often a vendor "trade secret".
But to give an example (used in some older, software controlled devices)...
To delete, say 64 bytes -
Look up the erase block that contains those 64 bytes -
Look up a "free" (and already erased) erase block -
Copy (write) all of the first block - except those 64 bytes - to the second block -
Now assign the second block as the storage area for the file with the "deleted" 64 bytes -
Then assign the first block as a "free" (and not yet erased) erase block.
See the problem?
Those 64 deleted bytes still exist in the erase block that is pending being erased (at some later time, because the erase function is very time and power consuming).
When using this type of storage media, trying to use a "secure overwrite" does nothing to the actual data - just moves that erase block (with data intact) to the "pending erase" list.
This makes it possible for someone who gains access to your eMMC device to possibly learn that "erased" information.
Note "access to your eMMC device" because they might have to pull it off the board and use special hardware to defeat the on-chip controller.
This situation is a major concern in the case of SSD devices, and some manufacturers are beginning to provide SSD devices with a command set that allows the system to be sure that stored data is really, truly "gone".
Translation: Don't write anything to an eMMC device that is of a sensitive nature (i.e., write it to /dev/null instead).
Last edited by knc1; 04-30-2012 at 10:51 PM.
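As an added illustration (not code from the post above), here is a toy model of the copy-on-delete scheme it describes: a host-side "secure overwrite" only produces a fresh copy of the erase block, while the original block, secret intact, sits on the pending-erase list until the chip gets around to erasing it. The ToyFlash class, the 256-byte erase block and the sample data are all constructed for the demo.

```python
"""Toy flash controller: 'delete' = copy block minus the range to an erased block,
queue the old block for a later erase. Constructed model, not real eMMC firmware."""

ERASE_BLOCK = 256  # constructed; real erase blocks are far larger


class ToyFlash:
    def __init__(self, n_blocks):
        self.blocks = [bytearray(b"\xff" * ERASE_BLOCK) for _ in range(n_blocks)]
        self.free_erased = list(range(1, n_blocks))  # already-erased spare blocks
        self.pending_erase = []                      # freed but not yet erased
        self.file_block = 0                          # block currently mapped to the file

    def write_file(self, data):
        self.blocks[self.file_block][:len(data)] = data

    def delete_bytes(self, offset, length, fill=b"\xff"):
        """Controller-style delete: the old block is never touched, only remapped."""
        src = self.blocks[self.file_block]
        dst_idx = self.free_erased.pop(0)
        self.blocks[dst_idx][:] = src[:offset] + fill * length + src[offset + length:]
        self.pending_erase.append(self.file_block)   # old copy keeps the bytes
        self.file_block = dst_idx

    def secure_overwrite(self, offset, length):
        """What a host 'secure delete' degenerates to on this media: one more copy."""
        self.delete_bytes(offset, length, fill=b"\x00")

    def logical_read(self):
        return bytes(self.blocks[self.file_block])   # what the host sees

    def raw_dump(self):
        return [bytes(b) for b in self.blocks]       # what chip-off access sees

    def erase_pending(self):
        for i in self.pending_erase:
            self.blocks[i][:] = b"\xff" * ERASE_BLOCK
        self.free_erased.extend(self.pending_erase)
        self.pending_erase = []


def secret_survives(flash, secret):
    return any(secret in blk for blk in flash.raw_dump())


def demo():
    secret = b"SECRET64" * 8                         # constructed 64-byte payload
    flash = ToyFlash(4)
    flash.write_file(b"header:" + secret + b":trailer")
    flash.secure_overwrite(7, 64)                    # host zeroes the 64 bytes
    host_sees_it = secret in flash.logical_read()    # False: host view is clean
    raw_has_it = secret_survives(flash, secret)      # True: pending block still holds it
    flash.erase_pending()                            # only a real erase removes it
    return host_sees_it, raw_has_it, secret_survives(flash, secret)
```

Running demo() returns (False, True, False): the overwrite hides the bytes from the host, the raw chip still contains them, and only the deferred erase actually removes them.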