NAND flash memory chips, the building blocks of solid-state drives (SSDs), include what could be called "programming vulnerabilities" that can be exploited to alter stored data or shorten the SSD's lifespan.
During the past few years, SSDs have slowly replaced classic disk-based HDDs as the prime storage medium for the world's data, taking over not only in data centers, but our phones, tablets, laptops, and desktop PCs.
At their heart, SSDs are a collection of smaller components named NAND flash memory chips, all clustered together on rows, similar to classic RAM memory chips. Unlike classic RAM memory chips, NAND memory chips are non-volatile, meaning they don't lose their electrical charge (aka the user's data) after the computer is shut off.
The first generation of SSD storage drives used a technology called single-level cell (SLC), which used one NAND flash memory chip to store one bit of information, with "electrically charged" standing for a binary one, and "not electrically charged" standing for a binary zero.
As with all technology, things evolved over the years, and scientists and SSD vendors realized they could integrate a floating gate transistor into NAND flash memory chip, which gave them the ability to store two bits of information in the form of a range of charge voltage values representing the binary numbers of 00, 01, 10, and 11. This new technology is called multi-level cell (MLC), and has become prevalent in all SSDs since around 2015.
According to research published earlier this year, the programming logic powering MLCs is vulnerable to at least two types of attacks.
The first of these attacks, which they named a "program interference," takes place when an attacker manages to write data with a certain pattern to a target's SSD.
The exploit's data pattern causes the MLC's programming logic to cause 4.9 more errors than usual, which comes with the side-effect of triggering interference in neighboring NAND flash memory cells.
The side-effects are that an attacker can corrupt local data, or even shorten an SSD's lifetime, if he can cause repeated interference. This is because an SSD's lifetime is defined by the number of finite read-write operations it can perform on its flash memory chips before they lose their ability to remain charged between reboots.
This type of interference attack is similar to the Rowhammer attack on classic RAM memory chips, where an attacker bombards a row of RAM memory cells in repeated read-write operations, causing electrical interference that flips the bits of nearby cells.
Hmm... is this Rowhammer for SSDs? https://t.co/8RCYizDfAn— Brendan Dolan-Gavitt (@moyix) May 1, 2017
While the attack is somewhat similar, it is not the same thing, and researchers have not gone on records calling this a Rowhammer attack.
The second vulnerability researchers discovered in the programming logic of NAND flash memory chips is what they called a "read disturb."
In this attack scenario, an attacker's exploit code causes the SSD to perform a large number of read operations in a very short time, which causes a phenomenon of "read disturb errors."
Researchers say these read disturb errors will "corrupt both pages already written to partially-programmed wordlines and pages that have yet to be written," ruining the SSD's ability to store data in a reliable manner in the future.
Researchers have proposed mitigations in their researcher paper that could fix and counter the effects of both attacks.
More details about this research are available in the paper entitled Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques, authored by six researchers from Carnegie Mellon University, Seagate, and the Swiss Federal Institute of Technology in Zurich.
Their work was showcased at the proceedings of the 23rd International Symposium on High-Performance Computer Architecture (HPCA) Industrial Session, held in Austin, Texas, this past February.
Image credits: Clive Darra