How Does One “Zeroize” Flash Devices?

By Chris A. Ciufo, Editor Embedded Systems Engineering

Editor’s Note: This is Part 1 of a two-part article on the topic of securely erasing data in flash devices such as memories and SSDs. In Part 2, I examine the built-in flash secure erase feature intended to eradicate sensitive data and see if it meets DoD and NIST specifications.

I was recently asked the question of how to go about “zeroizing” flash memory and SSDs. I had incorrectly assumed there was a single government specification that clearly spelled out the procedure(s). Here’s what several hours of research revealed:

DoD has no current spec that I could find besides DoD 5220.22-M, “National Industrial Security Program”[1]. This 2006 document, prefaced by the Under Secretary of Defense, cancels a previous 1995 recommendation and discusses some pretty specific procedures for handling classified information. After all, the only reason to sanitize or zeroize flash memory is to eradicate classified information like data, crypto keys, or operating programs (software). The document makes reference to media—including removable media (presumably discs, CDs and USB drives at that time)—and the need to sanitize classified data. However, I was unable to identify a procedure for sanitizing the media.

There is, however, a reference to NIST document 800-88, “Guidelines for Media Sanitization,” published in DRAFT form in 2012. It is a long document that goes into extensive detail on types of media and the human chain of command for handling classified data; Appendix A provides lengthy tables on how to sanitize different media. Table A-8 deals with flash memory and lists the following steps (Figure 1):

- Clear: 1. Overwrite the data “using organizationally approved and validated overwriting technologies/methods/tools,” with at least one pass that writes zeros into all locations. 2. Leverage the “non-enhanced” ATA Secure Erase feature built into the device, if supported.

- Purge: 1. Use the ATA sanitize command via a) block erase or b) Cryptographic Erase (aka “sanitize crypto scramble”). One can optionally apply the block erase command after the sanitize command. 2. Apply the ATA Secure Erase command, but the built-in sanitize command (if available) is preferred. 3. Use “Cryptographic Erase through TCG Opal SSC or Enterprise SSC”—which relies on media (drives, including SSDs) that use the FIPS 140-2 self-encrypting feature.

- Shred, Disintegrate, Pulverize, or Incinerate the device. This literally means mechanically destroying the media such that if any 1’s and 0’s remain on the floating transistor gates, it’s not possible to reconstruct these bits into useful data.

Figure 1: Recommended ways to sanitize flash media per NIST 800-88 DRAFT Rev 1 (2012).

Of note in the NIST document is a footnote that states that Clear and Purge must each be verified. Crypto Erase only needs verification if performed prior to a Clear or Purge. In all of these cases, all procedures except for mechanical eradication rely on mechanisms built into the drive/media by the manufacturer. There is some question if this is as secure as intended and the NSA—America’s gold standard for all things crypto—has only one recommended procedure.
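One way to carry out and check the Clear step described above, as an added example that is not from the article or from NIST: a Python script that does the single zero pass over a file or block device, reads every byte back (the verification the footnote requires), and parses the Security section of `hdparm -I` output to tell whether the ATA Secure Erase alternative is actually usable on a drive. The hdparm excerpt is a constructed sample in the shape real output takes; the path argument and the Linux host with hdparm installed are assumptions.

```python
"""Added example (not from the article): the NIST 800-88 "Clear" step for
flash media, done host-side -- one zero pass, then a full read-back check --
plus a parser for the Security section of `hdparm -I` that says whether the
ATA Secure Erase alternative is actually usable. Tried here on a temp file;
pointing overwrite_with_zeros() at a real block device destroys its contents,
so no device path is hard-coded (the path argument is an assumption)."""
import os
import re
from typing import Optional, Tuple

CHUNK = 4 * 1024 * 1024  # 4 MiB read/write unit


def overwrite_with_zeros(path: str) -> int:
    """Single pass of zeros over every host-visible byte; returns bytes written.
    lseek(SEEK_END) gives the size for both files and Linux block devices.
    Spare/over-provisioned flash blocks are not reachable this way, which is
    why NIST ranks a host overwrite as Clear rather than Purge."""
    zeros = bytes(CHUNK)
    written = 0
    fd = os.open(path, os.O_WRONLY)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)
        os.lseek(fd, 0, os.SEEK_SET)
        while written < size:
            written += os.write(fd, zeros[: min(CHUNK, size - written)])
        os.fsync(fd)  # make the OS flush the zeros to the device
    finally:
        os.close(fd)
    return written


def verify_zeroed(path: str) -> Tuple[bool, Optional[int]]:
    """Verification: read back every byte (no sampling). Returns (True, None)
    when all are zero, else (False, offset of the first non-zero byte)."""
    offset = 0
    with open(path, "rb", buffering=0) as f:
        while True:
            buf = f.read(CHUNK)
            if not buf:
                return True, None
            if buf.count(0) != len(buf):
                return False, offset + next(i for i, b in enumerate(buf) if b)
            offset += len(buf)


def demo_clear(nbytes: int = 2 * CHUNK + 123):
    """Self-contained run: a temp file of 7 zero bytes then 0xFF filler
    (constructed), so the first non-zero offset is known to be 7.
    Returns (verify before, bytes written, verify after)."""
    import tempfile
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"\x00" * 7 + b"\xff" * (nbytes - 7))
        img = tmp.name
    try:
        return verify_zeroed(img), overwrite_with_zeros(img), verify_zeroed(img)
    finally:
        os.unlink(img)


# Security section of `hdparm -I` for one drive, constructed for this example.
# Real output has the same line shapes: a bare keyword means the state is set,
# "not<tab>keyword" means it is not.
SAMPLE_HDPARM_SECURITY = """\
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
"""

_FLAG = re.compile(
    r"^\s*(not\s+)?(supported: enhanced erase|supported|enabled|locked|frozen)\s*$")


def ata_secure_erase_status(hdparm_text: str) -> dict:
    """Map the Security flags to booleans. SECURITY ERASE UNIT (NIST Clear,
    step 2) is only usable when the feature is supported and the drive is
    neither locked nor frozen; many BIOSes issue SECURITY FREEZE LOCK at boot,
    after which the drive rejects erase commands until it is power-cycled."""
    flags = {"supported": False, "enabled": False, "locked": False,
             "frozen": False, "enhanced_erase": False}
    for line in hdparm_text.splitlines():
        m = _FLAG.match(line)
        if m:
            key = "enhanced_erase" if m.group(2).startswith("supported:") else m.group(2)
            flags[key] = m.group(1) is None
    flags["secure_erase_usable"] = (flags["supported"] and not flags["locked"]
                                    and not flags["frozen"])
    return flags


if __name__ == "__main__":
    print("clear demo:", demo_clear())
    print("hdparm flags:", ata_secure_erase_status(SAMPLE_HDPARM_SECURITY))
```

The read-back is a full pass rather than a sample because the footnote is about every location; the sample hdparm output shows the common real-world obstacle, a drive left frozen by the BIOS, which makes the Secure Erase option in the table unavailable until the drive is re-powered with the OS running.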

The NSA only allows strong encryption or mechanical shredding, as specified in “NSA/CSS Storage Device Sanitization Manual.” This 2009 document is now a bit difficult to find, perhaps because the NSA is constantly revising its Information Assurance (IA) recommendations to the changing cyberspace threats due to information warfare. Visiting the NSA website on IA requires a DoD PKI certificate per TLS 1.2 and a “current DoD Root and Intermediate Certificate Authorities (CA) loaded” into a browser. Clearly the NSA follows its own recommendations.

The manual is interesting reading in that one has only the choice to cryptographically protect the data (and the keys) and hence not worry about sanitization. Or, one can render the media (drive) completely unrecognizable with zero probability of any data remaining. By “unrecognizable,” think of an industrial shredder or an iron ore blast furnace. When it’s done, there’s nothing remaining.

Recent discussions with government users on this topic reminded me of the Hainan Island Incident in 2001 where a Chinese fighter jet attempting an intercept collided with a US Navy EP-3 SIGINT aircraft. The EP-3 was forced to make an emergency landing on China-controlled Hainan, giving unauthorized access to classified US equipment, data, algorithms and crypto keys (Figure 2). It was a harrowing experience, sadly causing the death of the Chinese pilot and the near-fatalities of the 24 Navy crew.

The crew had 26 minutes to destroy sensitive equipment and data while in the air using a fire axe, hot coffee and other methods, plus another 15 minutes on the ground, but it was widely reported to be only partially successful. While this sounds far-fetched, the topic of sanitizing data is so critical—yet so unresolved, as described above—that allegedly some current-generation equipment includes a visible “Red X” indicating exactly where an operator is to aim a bullet as a last ditch effort to mechanically sanitize equipment.

Figure 2: US Navy EP-3 SIGINT plane damaged in 2001 by collision with Chinese fighter jet. The crew did only a partial sanitization of data. (Image courtesy of Wikipedia.org and provided by Lockheed Martin Aeronautics.)

From Pulverize to Zeroize

There’s a lot of room between the DoD’s wish to have classified data and programs zeroized and the NSA’s recommendation to pulverize. The middle ground is the NIST spec listed above that relies heavily on flash memory manufacturer’s built-in secure erase options. While there are COTS recommendations for secure erase, they are driven not from a military standpoint but from the need to protect laptop information, Sarbanes-Oxley (corporate) legislation, health records per HIPAA, and financial data.

In Part 2 of this article, I’ll examine some of the COTS specifications built into ATA standards (such as Secure Erase), recommendations presented at Flash Memory Summit meetings, and raise the question of just how much trust one can place in these specifications that are essentially self-certified by the flash memory manufacturers.


[1] Previously, DoD relied on NISPOM 8-306; NSA had NSA 130-2 and NSA 9-12; Air Force had AFSSI-5020; Army had AR 380-19; and Navy had NAVSO P-5239-26. These all appear to be out of date and possibly superseded by the latest 5220.22-M. As a civilian, it’s unclear to me—perhaps a reader can shed some light?

CES Turns VPX Upside Down Using COM

Instead of putting I/O on a mezzanine, the processor is on the mezzanine and VPX is the I/O baseboard.

[ UPDATE: 19:00 hr 24 Apr 2015. Changed the interviewee's name to Wayne McGee, not Wayne Fisher. These gentlemen know each other, and Mr. McGee thankfully was polite about my misnomer. A thousand pardons! Also clarified that the ROCK-3x was previously announced. C. Ciufo ]

The computer-on-module (COM) approach puts the seldom-changing I/O on the base card and mounts the processor on a mezzanine board. The thinking is that processors change every few years (faster, more memory, from Intel to AMD to ARM, for example) but a system’s I/O remains stable for the life of the platform.

COM is common (no pun) in PICMG standards like COM Express, SGET standards like Q7 or SMARC, and PC/104 Consortium standards like PC/104 and EBX.

But to my knowledge, the COM concept has never been applied to VME or VPX. With these, the I/O is on the mezzanine “daughter board” while the CPU subsystem is on the base “mother board.”

Until now.

Creative Electronic Solutions—CES—has plans to extend its product line into more 3U OpenVPX I/O carrier boards onto which are added “processor XMC” mezzanines. An example is the newer AVIO-2353 with VPX PCIe bus—meaning it plugs into a 3U VPX chassis and acts as a regular VPX I/O LRU. By itself, it has MIL-STD-1553, ARINC-429, RS232/422/485, GPIO, and other avionics-grade goodies.

The CES ROCK-3210 VNX small form factor avionics chassis.

But there’s an XMC site for adding the processor, such as the company’s MFCC-8557 XMC board that uses a Freescale P3041 quad-core Power Architecture CPU. If you’re following this argument, the 3U VPX baseboard has all the I/O, while the XMC mezzanine holds the system CPU. This is a traditional COM stack, but it’s unusual to find it within the VME/VPX ecosystem.

“This is all part of CES’s focus on SWAP, high-rel, and safety-critical ground-up design,” said Wayne McGee, head of CES North America. The company is in the midst of rebranding itself and the shiny new website found at www.ces-swap.com makes their intentions known.

CES has been around since 1981 and serves high-rel platforms like the super-collider at CERN, the Predator UAV, and various Airbus airframes. The emphasis has been on mission- and safety-critical LRUs and systems “Designed for Safety” to achieve DAL-C under DO-178B/C and DO-254.

“We’ll be announcing three new products at AUVSI this year,” McGee told me, “and you can expect to see more COM-style VPX/XMC combinations with some of the latest processors.” Also to be announced will be extensions to the company’s complete VNX small form factor (SFF) chassis systems, such as a new version of the rugged open computer kit (ROCK-3x)—previously announced in February at Embedded World.

CES is new to me, and it’s great to see some different-from-the-pack innovation from an old-school company that clearly has new-school ideas. We’ll be watching closely for more ROCK and COM announcements, but still targeting small, deployable safety-certifiable systems.

Can industrial imaging software benefit military SIGINT analysis?

Software creates a height map from a 2D image.

I received a press release today from Olympus Industrial Equipment Group (the camera guys) about an update to their image analysis software used with industrial microscopes. Who knew Olympus made microscopes? This is not normally my area of expertise.

However…the Olympus Stream image enhancement software has some pretty awesome capabilities that make me wonder if this COTS software could be used (or adapted) to work in military/aerospace signals intelligence (SIGINT) or reconnaissance imagery analysis. After all, the key part of C4ISR is not capturing the (image) data, it’s analyzing the images to make meaningful decisions. For instance: was there a truck parked there yesterday? Has that patch of grass been matted down by a vehicle or group of humans?

As well, images often need to be enhanced due to poor lighting, dust or fog obfuscation, and finely measuring distances would be handy too.

HDR image enhancement in the Olympus Stream microscope software might benefit military image analysts. Note how this sample looks like a satellite image of a plot of land. (Courtesy: Olympus; YouTube.)

The 1.9 version of the Stream software adds these features: Automatic Measurement and Coating Thickness. “Automatic Measurement allows the creation of complex measurements using scanners by automatic detection of material edges and pattern recognition. This materials solution automatically measures distances, circle diameters, and angles between two lines. Automatic Measurement also supports the multiple stage location and sample alignment with OLYMPUS Stream Motion.”

A full-on (top-down) view of a sample. Imagine that this object is an enemy bunker. (Courtesy: Olympus.)

Now forget about the fact that someone is analyzing a hunk of metal covered with scratches that gouge hills and valleys out of the surface. Couldn’t this be an image of an earthscape with real hills and valleys? Might we want to measure the distance between some of these surface features? The software can also digitally adjust focus, change and enhance details in the image, and create 3D images using z-axis slices from the original image.

Image enhancement and 3D rendering from a 2D view and z-axis sensor slices. (Courtesy: Olympus.)

To me, this COTS software has many features that U.S. DoD and CIA analysts need when analyzing recon images. I wonder if it could be used not in microscopes, but in tactical military scenarios.


Getting a bead on the bad guys: COTS-based soft information fusion merges military C4ISR data with web and other sources

A military analyst or command and control operator could soon get much better INTEL by combining military data with information from the web.

Bottom Line: I’m unaware of anyone else yet offering a COTS sensor fusion product that combines hard and soft information sources to take advantage of Internet intelligence.

[Update 4:45pm PDT 19Mar13: corrections from "data" to information; added explanation on API and MSCT output; corrected GMTI from plots to tracks.]

Cope Tiger 13

(Courtesy: US Air Force.)

Picture this scenario: a BDU khaki-uniformed DoD analyst is staring at multiple screens of intelligence (INTEL) data and images pertaining to an unmarked ship off the coast of some unnamed country. The ship’s actions have been odd, and the Coast Guard had been tracking it for some time until it went into international waters. New satellite images now show the ship at anchor in a different location than yesterday. What’s it doing there? Are the ship’s intentions nefarious? Who is aboard, and what cargo is aboard?

This kind of scenario vexes joint military forces, Homeland Security, and myriad three-letter agencies.

The challenge for any analyst is to make decisions based upon actionable intelligence by combining every scrap of information into a situational awareness picture that maximizes what the human does best: make a decision or recommendation. The problem with data for DoD and CIA analysts is there’s either not enough of it, or there’s too much. It’s hard to make a decision with limited information; and it’s too time consuming to dedicate an analyst’s time to culling through SAR images, GMTI (ground moving target indicator) tracks, satellite photos, transcribed radio chatter, action reports, and so on.

As well, decisions are made using more than mere “data”. Sophisticated or low-level sensor outputs are “data” (such as L0/L1 trackers), but other non-traditional asymmetric information not currently in a structured data set might also be relevant and useful to an analyst’s task.

Larus Technologies aims to change all of that with the announcement of their high level information fusion engine (HLIFE) that melds a “collection of commercially available embedded software modules for C4ISR and Security systems” into an information fusion model. Based on the company’s patent-pending adaptive behavioral learning and predictive modeling algorithms, multiple sensing modalities can now be combined together to provide a more complete C4ISR and INTEL picture for analysts.

Larus Technologies’ COTS sensor fusion product uses proprietary algorithms to fuse hard military data with soft, unstructured data like web pages or civilian data bases.

But the company’s product is not just one Big Data MUX. Instead, it intelligently combines a mixture of DoD, government and other “hard” and structured data sources with “soft” unstructured sources such as weather reports, search and rescue operator reports, human intelligence (HUMINT), flight schedules, web sites, and myriad other web-based information.

The company’s Total::Insight product is a commercial solution that can immediately leverage high level information fusion and computational intelligence based upon the DoD’s Joint Director of Labs (JDL) data fusion model. The software performs behavior analysis through predictive modeling, and is “capable of dealing with heterogeneous (multi-source, multi-sensor) data.” The HLIF engine fuses anomaly detection, trajectory prediction, intent assessment, threat assessment, and adaptive learning (situational and procedural). Details on these algorithm components can be found in their white paper “Total Maritime Domain Awareness,” which requires registration.

This company is new to me, but the concept of offloading an operator/analyst by providing more upstream intelligence is not. Raytheon’s multi-source correlator tracker (MSCT) does something similar with military data sources such as tactical sensors. In contrast, Larus says that they are a neutral COTS vendor that can take output from products like MSCT as well as provide an API so customers can “direct the output (i.e. alerts, warnings, suggested actions) out to their favorite command and control systems.”

Still, I’m unaware of anyone yet offering a COTS product that combines hard and soft data–rather, information–sources to take advantage of Internet-based intelligence. I’ll be watching Larus Technologies; you should too.

Rugged Shoebox Computers Still Popular; GE does an about “FACE”

Hint: Bottom line? US Army realizes h/w changes faster than s/w, so FACE tries to make software portable by defining standard interfaces. This may be bad for the h/w vendors, though, as it cuts both ways.


GE Intelligent Platforms has introduced a rugged “shoebox” computer for mil systems called the FACEREF1. I’m scratching my head over the wisdom of the name, but it stands for Future Airborne Capability Environment and is based upon the FACE Consortium’s specs for an open reference architecture. A sub-group of the Open Group (actually “Open Group Managed Consortium”), the FACE Consortium “provides a vendor neutral forum” where industry and government work together to develop best practices and open standards for avionics. (Note to self: Isn’t that what PICMG and VITA do?)

This isn’t the first time GE has developed a rugged shoebox. Back in 2005, SBS Technologies – later acquired by GE if memory serves – rolled out the Rugged Operation Computer (ROC) shown in Figure 1. Launched at AUSA DC in 2005, this 5.75 pound “palm-sized” rugged shoebox was really unique in its day because it bucked the trend of sticking 6U VME cards in ATR boxes. Then about the smallest you could deploy using rugged COTS was a 1/2 ATR (short) whereas the ROC measured 3.5 (H) x 4.2 (D) x 6.8 (W).

Figure 1: The SBS Technologies ROC was among the first COTS rugged shoeboxes, weighing a mere 5.75 pounds and equipped with either a Pentium M or PowerPC CPU in 2006.

That’s roughly one quarter the size of the equivalent VME ATR box. ROC also used proprietary cards inside, though an industry standard PMC card was a factory option. While companies like Dy4, Radstone, Curtiss-Wright and others were relying exclusively on open standards, SBS realized the value was at the system or box level, not the card. Why not put whatever worked inside? This theory is common today, but not seven years ago.

In 2011, GE also introduced a similar rugged shoebox family – the CRS-C2P-3CC1 and CRS-C3P-3CB1 (what’s with the names, guys?) – which this time were based upon standards: 3U CompactPCI from PICMG (Figure 2). They also ran Freescale PowerPCs with a Wind River operating system.


Figure 2: GE’s 3U CompactPCI CRS-C2P-xxx and -C3P-xxx were 2- and 3-slot open standard-based rugged shoeboxes. They were introduced in 2011.

Today’s FACEREF1 shoebox uses GE’s SBC312 SBC (Freescale P4080 8-core), plus a PMCCG1 graphics PMC (S3 2300E GPU) shown in Figure 3. What makes this shoebox unique isn’t really the card, it’s the software premise behind FACE making GE’s rugged shoebox a software reference platform supported by a Wind River hypervisor, Presagis OpenGL for graphics, and the venerable VAPS XT object-oriented HMI tool from Presagis (formerly Virtual Prototypes, or VPI). FACE is sponsored by the US Army’s PEO Aviation, undoubtedly as a way of abstracting hardware to ensure software portability as COTS technology changes much faster than the certified code running it.

Figure 3: GE’s latest rugged shoebox conforms to Future Airborne Capability Environment (FACE), an open platform that defines software interfaces and emphasizes portability to maximize warfighter value.