News New Malware Uses SSD Over-Provisioning to Bypass Security Measures

Reading the original article, it appears this needs to have both an SSD management application installed and a so-called "flex capacity" feature. But I'm confused as to if this is a problem with the management application itself or the SSD firmware. That is, can this attack work with or without the SSD management application?
 
Jan 2, 2022
Both the Bleeping Computer and Tom's Hardware articles don't really seem to understand what over-provisioning is, one calling it "an area of the SSD" and the other "a partition". It's neither. It's simply unused cells in a NAND module that are remapped once good flash cells are showing signs of going bad (taking over from the bad ones). Since there are no seek times to consider in an SSD, once a cell goes bad, it is simply copied/cloned to a good cell from the over-provisioning stock.

They are neither "an area" nor "a partition". They are spare cells in the NAND flash module, and usually equitably spread out across the NAND flash modules on the PCB of the SSD (so if there were 4 Flash modules on the PCB, the over-provisioning would come equally from all 4).

Also, not all companies over-provision their SSDs. If you see a 500GB implementation of an SSD, it actually contains 500GB of partitionable Flash memory, plus 12GB set aside for over-provisioning. Cheaper brands tend to not over-provision their drives at all.

Typically you'll have:

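| Announced capacity | Over-provisioning | Total capacity |
|---|---|---|
| 240 GB | 16 GB | 256 GB |
| 250 GB | 6 GB | 256 GB |
| 256 GB | 0 GB | 256 GB |
| 480 GB | 32 GB | 512 GB |
| 500 GB | 12 GB | 512 GB |
| 512 GB | 0 GB | 512 GB |
| 960 GB | 64 GB | 1024 GB |
| 1000 GB | 24 GB | 1024 GB |
| 1024 GB | 0 GB | 1024 GB |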

So, SSDs that typically display a lower storage capacity in their "band" (i.e. 256, 512, 1024), will be more reliable as they can re-allocate more data from dying NAND cells to fresh NAND cells. No over-provisioning means you might find yourself in trouble faster than you'd hope for.

Coming back to the article: it seems the malware attack targets a tiny section of the over-provisioning cells on an SSD to hide its presence, as these aren't visible to the OS.
 

Sluggotg

Honorable
Feb 17, 2019
I thought the over-provisioned cells were rotated in and out with the regular cells to even out the wear and tear. I did not think that they were exclusively held in reserve until needed to replace failed cells.
 
Deleted member 14196

Guest
No, they are not. Over-provisioning is unused cells that the controller uses when it needs to move things around, and they are not in a partition; it is an unpartitioned space.
 
