• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Attacks Discovered that can Corrupt MLC-based SSD Data

R-T-B

R-T-B

Supporter
Joined
Aug 20, 2007
Messages
21,720 (3.40/day)
Location
Olympia, WA
System Specs
System Name Pioneer
Processor Ryzen 9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon, Phanteks and Corsair Maglev blower fans...
Memory 64GB (2x 32GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 5800X Optane 800GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
It appears that although MLC NAND-based SSDs have many advantages to HDD's from a physical-reliability point of view, the old spinning rust drives might still have one advantage over SSDs: A specially crafted write operation can't corrupt your data.

That's what a new report from Carnegie Mellon University, Seagate, and ETH Zürich is showing: That MLC-based SSD Drives are vulnerable to data-corrupting attacks as simple as a specially crafted write operation.




The first attack is compared to a "row hammer" attack, in which thrashing the drive with read or write operations along the border of a cell can corrupt legitimate data in nearby cells. Most attacks operate in variations of this principle, but some also rely on techniques such as special sequences of operations that will cause cached data and pages to be lost, effectively ruining your precious file the SSD was waiting to write to its media.

HDDs for their part, are not completely data safe even when they are operating correctly. They have a UBER (unrecoverable bit error rate) rating that indicates how often the HDD will make a (mostly random) mistake reading its data from the platter. This phenomenon (often referred to as "bit-rot") is not common in a correctly functioning HDD, but it does happen. The difference is it's not directly triggerable by a specially crafted write: Bit-rot errors are more or less random. Needless to say, the potential for malware to utilize this trigger-able corruption on your SSD is not a good thought at all.

If you want the technical details, they are available in the source link. For now, all you need to know is pretty much all SSDs are vulnerable to what was discovered here, but no exploits are live yet and due to there being no money in just wrecking your stuff (as opposed to say, ransoming it), there probably won't be a significant amount of malware featuring this exploit. Just practice good data hygiene as per usual and chances are all will be well. We don't mean to chase you back to HDD land just yet.

Oh, and one final caveat: SLC SSDs are immune, but good luck finding one that isn't outrageously expensive.

View at TechPowerUp Main Site
 
Last edited:
Solaris17

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
27,221 (3.83/day)
Location
Alabama
System Specs
System Name RogueOne
Processor Xeon W9-3495x
Motherboard ASUS w790E Sage SE
Cooling SilverStone XE360-4677
Memory 128gb Gskill Zeta R5 DDR5 RDIMMs
Video Card(s) MSI SUPRIM Liquid X 4090
Storage 1x 2TB WD SN850X | 2x 8TB GAMMIX S70
Display(s) 49" Philips Evnia OLED (49M2C8900)
Case Thermaltake Core P3 Pro Snow
Audio Device(s) Moondrop S8's on schitt Gunnr
Power Supply Seasonic Prime TX-1600
Mouse Razer Viper mini signature edition (mercury white)
Keyboard Monsgeek M3 Lavender, Moondrop Luna lights
VR HMD Quest 3
Software Windows 11 Pro Workstation
Benchmark Scores I dont have time for that.
silentbogo

silentbogo

Moderator
Staff member
Joined
Nov 20, 2013
Messages
5,612 (1.37/day)
Location
Kyiv, Ukraine
System Specs
System Name WS#1337
Processor Ryzen 7 5700X3D
Motherboard ASUS X570-PLUS TUF Gaming
Cooling Xigmatek Scylla 240mm AIO
Memory 64GB DDR4-3600(4x16)
Video Card(s) MSI RTX 3070 Gaming X Trio
Storage ADATA Legend 2TB
Display(s) Samsung Viewfinity Ultra S6 (34" UW)
Case ghetto CM Cosmos RC-1000
Audio Device(s) ALC1220
Power Supply SeaSonic SSR-550FX (80+ GOLD)
Mouse Logitech G603
Keyboard Modecom Volcano Blade (Kailh choc LP)
VR HMD Google dreamview headset(aka fancy cardboard)
Software Windows 11, Ubuntu 24.04 LTS
R-T-B

R-T-B

Supporter
Joined
Aug 20, 2007
Messages
21,720 (3.40/day)
Location
Olympia, WA
System Specs
System Name Pioneer
Processor Ryzen 9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon, Phanteks and Corsair Maglev blower fans...
Memory 64GB (2x 32GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 5800X Optane 800GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
silentbogo said:
can?
Click to expand...

Uh, maybe. I was unaware of any HDD-based attacks when I wrote this short of sanitize commands, but @Solaris17 has an interesting article there that might beg to differ.

EDIT: Ah, I see what I did. I'm saying that's an advantage HDDs hold over SSDs, but honestly it could have been worded more clearly. The article Solaris linked while interesting, maintains that status quo.
 
Last edited:
lexluthermiester

lexluthermiester

Joined
Jul 5, 2013
Messages
29,007 (6.85/day)
Having read the details of this problem[ https://people.inf.ethz.ch/omutlu/pub/flash-memory-programming-vulnerabilities_hpca17.pdf ] I can't help but ask if this is something easy to pull off.

First, you need to create code that can directly access the SSD controller as most OS's disallow such access by default. Second, you need the code for interfacing with the SSD controller of target, not easy as there are literally 1000's of different controllers out there. Third, you would need to write your code for the host OS[generally]. Fourth, you need to engineer an injection method to the host system. Any code that matches these characteristics is going to be flagged by any competent AntiMalware/AntiVirus. This would be near impossible to pull off unless you had direct physical access to the system you want to affect.
 
silentbogo

silentbogo

Moderator
Staff member
Joined
Nov 20, 2013
Messages
5,612 (1.37/day)
Location
Kyiv, Ukraine
System Specs
System Name WS#1337
Processor Ryzen 7 5700X3D
Motherboard ASUS X570-PLUS TUF Gaming
Cooling Xigmatek Scylla 240mm AIO
Memory 64GB DDR4-3600(4x16)
Video Card(s) MSI RTX 3070 Gaming X Trio
Storage ADATA Legend 2TB
Display(s) Samsung Viewfinity Ultra S6 (34" UW)
Case ghetto CM Cosmos RC-1000
Audio Device(s) ALC1220
Power Supply SeaSonic SSR-550FX (80+ GOLD)
Mouse Logitech G603
Keyboard Modecom Volcano Blade (Kailh choc LP)
VR HMD Google dreamview headset(aka fancy cardboard)
Software Windows 11, Ubuntu 24.04 LTS
R-T-B said:
Uh, maybe. I was unaware of any HDD-based attacks when I wrote this short of sanitize commands, but @Solaris17 has an interesting article there that might beg to differ.

EDIT: Ah, I see what I did. I'm saying that's an advantage HDDs hold over SSDs, but honestly it could have been worded more clearly. The article Solaris linked while interesting, maintains that status quo.
Click to expand...
Just move it to the same paragraph as the rest of the sentence - it will make more sense.
Seeing this line separately completely threw my brain off balance.
 
R-T-B

R-T-B

Supporter
Joined
Aug 20, 2007
Messages
21,720 (3.40/day)
Location
Olympia, WA
System Specs
System Name Pioneer
Processor Ryzen 9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon, Phanteks and Corsair Maglev blower fans...
Memory 64GB (2x 32GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 5800X Optane 800GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
PowerPC said:
And all this doesn't apply to TLC-NAND drives?
Click to expand...

Hard to say. Some reports I've read say it does, some say it does not. Admittedly it's a bit too over my head to tell you either way.

lexluthermiester said:
Having read the details of this problem[ https://people.inf.ethz.ch/omutlu/pub/flash-memory-programming-vulnerabilities_hpca17.pdf ] I can't help but ask if this is something easy to pull off.

First, you need to create code that can directly access the SSD controller as most OS's disallow such access by default. Second, you need the code for interfacing with the SSD controller of target, not easy as there are literally 1000's of different controllers out there. Third, you would need to write your code for the host OS[generally]. Fourth, you need to engineer an injection method to the host system. Any code that matches these characteristics is going to be flagged by any competent AntiMalware/AntiVirus. This would be near impossible to pull off unless you had direct physical access to the system you want to affect.
Click to expand...

Thanks for the insight. Yes I read it but a lot of the low level logistics of it go over my head. Your insight here is appreciated. I'm way too used to thinking of storage as just a logical block device. :)
 
lexluthermiester

lexluthermiester

Joined
Jul 5, 2013
Messages
29,007 (6.85/day)
PowerPC said:
And all this doesn't apply to TLC-NAND drives?
Click to expand...
As the information is presented, no. TLC is accessed a different way. Same for SLC. This problem seems exclusive to MLC. And it's going to be corrected in firmware updates as well.
 
lexluthermiester

lexluthermiester

Joined
Jul 5, 2013
Messages
29,007 (6.85/day)
R-T-B said:
Thanks for the insight. Yes I read it but a lot of the low level logistics of it go over my head. Your insight here is appreciated. I'm way too used to thinking of storage as just a logical block device. :)
Click to expand...
Same here, which is what motivated the deeper read. Generally, it is difficult to target a device within a system. So while this vulnerability exists and CAN be attacked, it would take a serious effort. This is not likely to turn into a problem.. But it is good to be aware of.
 
ypsylon

ypsylon

Joined
Dec 10, 2011
Messages
443 (0.09/day)
This is nothing really ground breaking. Any kind of electronic can be compromised in such way, its just matter of determination and resources. Fortunately it would require physical access to the system in question and plenty of time to do the shenanigans without risk of getting caught.

If somebody is terrified then winning the lottery comes with same odds as this ^ one.
 
You must log in or register to reply here.
Top