News New Malware Uses SSD Over-Provisioning to Bypass Security Measures

Reading the original article, it appears this needs to have both an SSD management application installed and a so-called "flex capacity" feature. But I'm confused as to if this is a problem with the management application itself or the SSD firmware. That is, can this attack work with or without the SSD management application.
 
Jan 2, 2022
1
0
10
Both the Bleeping Computer and Tom's Hardware articles don't really seem to understand what over-provisioning is, one calling it "an area of the SSD" and the other "a partition". It's neither. It's simply unused cells in a NAND module that are remapped once good flash cells are showing signs of going bad (taking over from the bad ones). Since there are no seek times to consider in an SSD, once a cell goes bad, it is simply copied/cloned to a good cell from the over-provisioning stock.

They are neither "an area" nor "a partition". They are spare cells in the NAND flash module, and usually equitatively spread out across the NAND flash modules on the PCB of the SSD (of if there were 4 Flash modules on the PCB, the over-provisioning would come equally from all 4).

Also, not all companies over-provision their SSDs. If you see a 500GB implementation of an SSD, it actually contains 500GB of partitionable Flash memory, plus 12GB set aside for over-provisioning. Cheaper brands tend to not over-provision their drives at all.

Typically you'll have:

Announced capacityOver-provisioningTotal capacity
240 GB16 GB256 GB
250 GB6 GB256 GB
256 GB0 GB256 GB
480 GB32 GB512 GB
500 GB12 GB512 GB
512 GB0 GB512 GB
960 GB64 GB1024 GB
1000 GB24 GB1024 GB
1024 GB0 GB1024 GB

So, SSDs that typically display a lower storage capacity in their "band" (i.e. 256, 512, 1024), will be more reliable as they can re-allocate more data from dying NAND cells to fresh NAND cells. No over-provisioning means you might find yourself in trouble faster than you'd hope for.

Coming back to the article: it seems the malware attack targets a tiny section of the over-provisioning cells on an SSD to hide its presence, as these aren't visible to the OS.
 

Sluggotg

Honorable
Feb 17, 2019
144
88
10,660
Both the Bleeping Computer and Tom's Hardware articles don't really seem to understand what over-provisioning is, one calling it "an area of the SSD" and the other "a partition". It's neither. It's simply unused cells in a NAND module that are remapped once good flash cells are showing signs of going bad (taking over from the bad ones). Since there are no seek times to consider in an SSD, once a cell goes bad, it is simply copied/cloned to a good cell from the over-provisioning stock.

They are neither "an area" nor "a partition". They are spare cells in the NAND flash module, and usually equitatively spread out across the NAND flash modules on the PCB of the SSD (of if there were 4 Flash modules on the PCB, the over-provisioning would come equally from all 4).

Also, not all companies over-provision their SSDs. If you see a 500GB implementation of an SSD, it actually contains 500GB of partitionable Flash memory, plus 12GB set aside for over-provisioning. Cheaper brands tend to not over-provision their drives at all.

Typically you'll have:

Announced capacityOver-provisioningTotal capacity
240 GB16 GB256 GB
250 GB6 GB256 GB
256 GB0 GB256 GB
480 GB32 GB512 GB
500 GB12 GB512 GB
512 GB0 GB512 GB
960 GB64 GB1024 GB
1000 GB24 GB1024 GB
1024 GB0 GB1024 GB

So, SSDs that typically display a lower storage capacity in their "band" (i.e. 256, 512, 1024), will be more reliable as they can re-allocate more data from dying NAND cells to fresh NAND cells. No over-provisioning means you might find yourself in trouble faster than you'd hope for.

Coming back to the article: it seems the malware attack targets a tiny section of the over-provisioning cells on an SSD to hide its presence, as these aren't visible to the OS.
I thought the over-provisioned cells were rotated in and out with the regular cells to even out the wear and tear. I did not think that they were exclusively held in reserve until needed to replace failed cells.
 
D

Deleted member 14196

Guest
No they are not. Over provisioning are unused cells that the controller uses when it needs to move things around and they are not in a partition it is a unpartitioned space
 

TRENDING THREADS