Message-ID: <YIHVWySvaECveV4l@mit.edu>
Date:   Thu, 22 Apr 2021 15:58:19 -0400
From:   "Theodore Ts'o" <tytso@....edu>
To:     Andreas Dilger <adilger@...ger.ca>
Cc:     Eric Biggers <ebiggers@...nel.org>,
        Leah Rumancik <leah.rumancik@...il.com>,
        linux-ext4@...r.kernel.org
Subject: Re: [PATCH v3] ext4: wipe filename upon file deletion

On Thu, Apr 22, 2021 at 11:44:49AM -0600, Andreas Dilger wrote:
> Since the "delete-after-the-fact" method of security is always going
> to have holes in terms of recovering data from the journal, from the
> flash device, etc. why not use fscrypt for this kind of workload, if
> the data actually needs to be secure?

Wiping the journal is something that will be coming soon --- prototype
versions of that patch have been sent out, and the main controversy
has been whether it should be an ext4-specific interface, or whether
it should be done in a file system independent API, and if so, how to
define it.

Whether or not you can recover it from the block device is very block
device specific.  There are certainly situations, such as people
running VMs on AWS, Azure, GCP, etc., where they don't have physical
access to the block device, where making sure it can be wiped so it
can't be accessed via software is quite sufficient.  Even if you have
physical access to block device, recovering overwritten information
from a HDD is *not* trivial.  Not all adversaries have access to
scanning electron microscopes, and demonstrations that overwritten
disk sectors could be recovered were done decades ago, when the
magnetic domains were far larger.

Using fscrypt is certainly an option, but using encryption is not free
from a performance standpoint, and you still have to answer the
question of where the encryption keys would be stored.

Cheers,

					- Ted

P.S.  Interesting info from
https://security.stackexchange.com/questions/26132/is-data-remanence-a-myth:

    The best citation I can give is from Overwriting Hard Drive Data: The
    Great Wiping Controversy, which was published as part of the 4th
    International Conference on Information Systems Security, ICISS
    2008. You can view the full text of the paper by viewing the book on
    Google Books, and jumping to page 243.

    The following excerpt is from their conclusion:

        The purpose of this paper was a categorical settlement to the
        controversy surrounding the misconceptions involving the belief that
        data can be recovered following a wipe procedure. This study has
        demonstrated that correctly wiped data cannot reasonably be retrieved
        even if it is of a small size or found only over small parts of the hard
        drive. Not even with the use of a MFM or other known methods. The
        belief that a tool can be developed to retrieve gigabytes or terabytes
        of data of information from a wiped drive is in error.

        Although there is a good chance of recovery for any individual bit
        from a drive, the chance of recovery of any amount of data from a
        drive using an electron microscope are negligible. Even speculating on
        the possible recovery of an old drive, there is no likelihood that any
        data would be recoverable from the drive. The forensic recovery of
        data using electron microscopy is infeasible. This was true both on
        old drives and has become more difficult over time. Further, there is
        a need for the data to have been written and then wiped on a raw
        unused drive for there to be any hope of any level of recovery even at
        the bit level, which does not reflect real situations. It is unlikely
        that a recovered drive will not have been used for a period of time
        and the interaction of defragmentation, file copies and general use
        that overwrites data areas negates any chance of data recovery. The
        fallacy that data can be forensically recovered using an electron
        microscope or related means needs to be put to rest.

    NIST also seems to agree. In NIST SP 800-88, they state the following:

        Studies have shown that most of today’s media can be effectively
        cleared by one overwrite.

        Purging information is a media sanitization process that protects the
        confidentiality of information against a laboratory attack. For some
        media, clearing media would not suffice for purging. However, for ATA
        disk drives manufactured after 2001 (over 15 GB) the terms clearing
        and purging have converged.

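The thread above is about whether a filename survives on disk after unlink. The following is an added illustration, not code from the mail or from the ext4 patch under discussion: it builds a directory block in the ext4_dir_entry_2 on-disk layout (inode, rec_len, name_len, file_type, name), unlinks an entry the way ext4 does (the previous record's rec_len absorbs the deleted one, or the first record's inode is set to 0), and then runs a slack-space scan of the kind a forensic tool would use to find names that were never overwritten. The `wipe=True` path, which zeroes name_len and the name bytes, is my assumption of what "wipe filename upon file deletion" means; the block size, inode numbers and filenames are constructed sample data.

```python
import struct

# ext4_dir_entry_2 on-disk layout (little-endian):
#   __le32 inode; __le16 rec_len; __u8 name_len; __u8 file_type; char name[]
# Records are padded to a 4-byte boundary.
HEADER = struct.Struct("<IHBB")
BLOCK_SIZE = 1024  # constructed: a small block keeps the example readable


def _pad4(n):
    return (n + 3) & ~3


def build_dir_block(entries):
    """Lay out (inode, name) pairs as a directory block. The last record's
    rec_len is stretched to the block end, as ext4 does."""
    block = bytearray(BLOCK_SIZE)
    recs, off = [], 0
    for ino, name in entries:
        n = name.encode()
        rec_len = _pad4(HEADER.size + len(n))
        recs.append([off, ino, rec_len, n])
        off += rec_len
    recs[-1][2] = BLOCK_SIZE - recs[-1][0]
    for off, ino, rec_len, n in recs:
        HEADER.pack_into(block, off, ino, rec_len, len(n), 1)  # file_type 1: regular file
        block[off + HEADER.size:off + HEADER.size + len(n)] = n
    return block


def iter_entries(block):
    """Walk the live record chain: (offset, inode, rec_len, name)."""
    off = 0
    while off + HEADER.size <= len(block):
        ino, rec_len, name_len, _ = HEADER.unpack_from(block, off)
        if rec_len < HEADER.size:  # corrupt chain; stop rather than loop forever
            break
        name = bytes(block[off + HEADER.size:off + HEADER.size + name_len])
        yield off, ino, rec_len, name
        off += rec_len


def delete_entry(block, target, wipe):
    """Unlink `target` as ext4_delete_entry does: the previous live record's
    rec_len grows over the deleted one; the first record instead gets inode 0.
    With wipe=True the name_len byte and the name bytes are zeroed too (the
    behaviour assumed for the patch in this thread)."""
    prev, prev_rec_len = None, 0
    for off, ino, rec_len, name in iter_entries(block):
        if name == target.encode():
            if prev is None:
                struct.pack_into("<I", block, off, 0)
            else:
                struct.pack_into("<H", block, prev + 4, prev_rec_len + rec_len)
            if wipe:
                block[off + 6] = 0  # name_len
                block[off + HEADER.size:off + HEADER.size + len(name)] = bytes(len(name))
            return True
        prev, prev_rec_len = off, rec_len
    return False


def scan_slack(block):
    """Forensic view: report names that are no longer linked but still
    readable, either as an inode-0 record or as a stale header hidden in the
    slack of a live record."""
    found = []
    for off, ino, rec_len, name in iter_entries(block):
        if ino == 0 and name:
            found.append(name.decode(errors="replace"))
        inner, end = off + _pad4(HEADER.size + len(name)), off + rec_len
        while inner + HEADER.size <= end:
            _, o_rec, o_len, _ = HEADER.unpack_from(block, inner)
            if o_rec < HEADER.size or inner + o_rec > end:
                break  # zero fill or garbage: no further stale record here
            cand = bytes(block[inner + HEADER.size:inner + HEADER.size + o_len])
            if o_len and len(cand) == o_len and all(32 <= b < 127 for b in cand):
                found.append(cand.decode())
            inner += o_rec  # the stale record's own rec_len is still intact
    return found


def demo(wipe, victim="secret-plan.doc"):
    """Return (names still linked, names recoverable from slack) after
    deleting `victim` with or without wiping. Sample data is constructed."""
    block = build_dir_block([(12, "notes.txt"), (13, "secret-plan.doc"), (14, "photo.jpg")])
    delete_entry(block, victim, wipe=wipe)
    live = [n.decode() for _, ino, _, n in iter_entries(block) if ino]
    return live, scan_slack(block)


if __name__ == "__main__":
    for wipe in (False, True):
        live, residue = demo(wipe)
        print(f"wipe={wipe}: linked={live} recoverable_from_slack={residue}")
```

Without wiping, the unlinked name sits intact inside the enlarged previous record and a one-pass scan of the block recovers it; with the name bytes zeroed, the same scan finds nothing. As the mail notes, this only addresses the directory block itself: copies in the journal or on the underlying device are separate questions.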