This reserved space is hidden from the operating system: the SSD controller itself manages everything described above, so the OS has no say in it. Only the manufacturer's proprietary software can see it and change its size, and hardly anything more.
What is the problem? Since the operating system has no access to this area, the antivirus cannot see that physical space either, so not only can malware be planted there, it also runs without being detected.
Two vulnerabilities in SSDs: how do they pull it off?
The researchers did not explain how they defeated the security of the controller and its accompanying software, presumably for safety reasons (the study was carried out by researchers at Korea University in Seoul), but they did show how the OP (Over-Provisioning) area can be attacked.
The first attack works with data that the operating system has marked invalid or simply deleted. That data remains in the OP area until it is permanently removed, which is why it does not reduce the capacity or performance of the SSD. The problem goes further: the malware could change the size allocated to the OP and thereby get hold of more confidential data.
In case you did not know, an SSD does not physically erase data until the controller deems it necessary or an erase is forced manually with specific software, which not everyone can do. In the first case the data remains on the SSD for a while, which gives the malware time to act.
The second method involves two or more SSDs, which may or may not be in RAID. To avoid arousing suspicion, the malware could change the OP capacity of one of the two devices so as to enlarge it and capture the largest possible amount of data.
Normally the OP is split evenly between the two SSDs (50-50), but malware can alter that, for example to 25% on the first and 75% on the second. The operating system will see no change, because the distribution is supposedly still the same and balanced, but that is not true.
You will not like the solution
To prevent this, the researchers propose implementing an algorithm in the SSD controller and firmware that performs a pseudo-erase of the OP area, permanently removing the data stored there without affecting the performance of the device.
In addition, a monitoring system would be needed to warn us in real time of any change to the OP of one or more SSDs; they also ask that the manufacturers' tools for resizing the OP be made much safer, or more restrictive towards the user.
It remains to be seen whether manufacturers will patch their SSDs, both internal and external, because once the details are disclosed it is more than likely that we will see the first real attacks in short order.
The downside, logically, is that performing pseudo-erases shortens the useful life of the SSD because of the wear they cause, since it would be a background task scheduled to run at all times. The greater the number of erase operations, the more the cells degrade as their states and voltages change, so it is not clear how something this complicated can be balanced so that the reduction in useful life is negligible.
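To make the mechanism behind the first attack and the proposed fix concrete, here is a toy simulation of an SSD with an OP area. It is an added example written for this article, not the Korea University researchers' code nor any vendor firmware, and every name in it (`ToySSD`, `trim`, `controller_remnants`, `pseudo_erase`) is an assumption of the model. It reproduces three things the article states: data the OS has deleted stays readable in NAND until the controller erases the block that holds it, a larger OP area lets more of that deleted data linger before garbage collection reclaims it, and scrubbing invalidated pages immediately ("pseudo-erase") removes the remnant at the cost of many more block erases. Block sizes, page contents and the garbage-collection policy (reclaim the block with the most invalid pages whenever fewer than one block of free pages remains) are constructed for the example and are much simpler than real firmware; OP resizing by a vendor tool is not modelled.

```python
"""Toy page/block model of an SSD with an over-provisioning (OP) area.
Added illustration for this article, not the researchers' code or vendor firmware;
sizes, page contents and the GC policy are constructed for the example."""
from dataclasses import dataclass, field

FREE, VALID, INVALID = "free", "valid", "invalid"


@dataclass
class ToySSD:
    blocks: int                  # NAND blocks on the device
    pages_per_block: int         # pages per block; a whole block is the erase unit
    op_pages: int                # pages reserved as OP, invisible to the OS
    pseudo_erase: bool = False   # countermeasure proposed by the researchers
    flash: list = field(init=False)    # flash[block][page] = (status, data)
    lba_map: dict = field(init=False)  # logical address -> (block, page)
    erase_count: int = 0               # block erases so far (wear proxy)

    def __post_init__(self):
        if self.op_pages < self.pages_per_block:
            raise ValueError("model needs at least one block of OP headroom")
        self.flash = [[(FREE, None)] * self.pages_per_block for _ in range(self.blocks)]
        self.lba_map = {}

    @property
    def user_pages(self):  # capacity the OS can address: everything except the OP area
        return self.blocks * self.pages_per_block - self.op_pages

    def _free_page(self, exclude=None):  # first free page, optionally outside one block
        return next(((b, p) for b, blk in enumerate(self.flash) if b != exclude
                     for p, (s, _) in enumerate(blk) if s == FREE), None)

    def _erase_block(self, b):
        """Move live pages out of block b, then erase the whole block."""
        for p, (s, data) in enumerate(self.flash[b]):
            if s == VALID:
                lba = next(l for l, loc in self.lba_map.items() if loc == (b, p))
                nb, np_ = self._free_page(exclude=b)
                self.flash[nb][np_] = (VALID, data)
                self.lba_map[lba] = (nb, np_)
        self.flash[b] = [(FREE, None)] * self.pages_per_block
        self.erase_count += 1

    def _invalidate(self, loc):
        b, p = loc
        self.flash[b][p] = (INVALID, self.flash[b][p][1])  # bytes stay in NAND
        if self.pseudo_erase:                               # scrub the block at once
            self._erase_block(b)

    def _garbage_collect(self):
        """Reclaim the block with most invalid pages until a block's worth of pages is free."""
        while sum(s == FREE for blk in self.flash for s, _ in blk) < self.pages_per_block:
            victim = max(range(self.blocks),
                         key=lambda b: sum(s == INVALID for s, _ in self.flash[b]))
            if not any(s == INVALID for s, _ in self.flash[victim]):
                break
            self._erase_block(victim)

    def write(self, lba, data):
        if not 0 <= lba < self.user_pages:
            raise ValueError("LBA outside the user-visible capacity")
        self._garbage_collect()
        b, p = self._free_page()
        old = self.lba_map.get(lba)
        self.flash[b][p] = (VALID, data)
        self.lba_map[lba] = (b, p)
        if old is not None:          # the overwritten page is only marked invalid
            self._invalidate(old)

    def trim(self, lba):
        """An OS-level delete as the controller sees it: the LBA is unmapped."""
        loc = self.lba_map.pop(lba, None)
        if loc is not None:
            self._invalidate(loc)

    def os_read(self, lba):
        loc = self.lba_map.get(lba)
        return None if loc is None else self.flash[loc[0]][loc[1]][1]

    def controller_remnants(self):
        """Deleted data still in NAND; only the controller (or code running in it) can see it."""
        return [d for blk in self.flash for s, d in blk if s == INVALID]


def deleted_file_demo(pseudo_erase):
    """Write a secret, delete it on the OS side, compare the OS view with the NAND view."""
    ssd = ToySSD(blocks=4, pages_per_block=4, op_pages=4, pseudo_erase=pseudo_erase)
    ssd.write(0, b"secret key material")   # constructed sample data
    ssd.write(1, b"public document")
    ssd.trim(0)
    return ssd.os_read(0), ssd.controller_remnants(), ssd.erase_count


def overwrite_workload(op_pages, pseudo_erase=False, overwrites=24, blocks=4, pages_per_block=4):
    """Fill the user area, overwrite it repeatedly; return (most deleted data ever lingering, block erases)."""
    ssd = ToySSD(blocks, pages_per_block, op_pages, pseudo_erase)
    for lba in range(ssd.user_pages):
        ssd.write(lba, f"file{lba}".encode())
    peak = 0
    for i in range(overwrites):
        ssd.write(i % ssd.user_pages, f"rev{i}".encode())
        peak = max(peak, len(ssd.controller_remnants()))
    return peak, ssd.erase_count
```

With the default sizes, `deleted_file_demo(False)` shows the OS reading nothing back from the deleted LBA while the controller still holds the secret in an invalid page, and `deleted_file_demo(True)` shows the pseudo-erase clearing it at the price of one block erase. `overwrite_workload(4)` versus `overwrite_workload(8)` shows that doubling the OP area lets five deleted pages linger instead of one, which is the effect an attacker who enlarges the OP is after; `overwrite_workload(8, pseudo_erase=True)` leaves no remnants but turns 5 block erases into 24 for the same workload, which is the wear trade-off the article warns about. In this toy the peak number of lingering pages is simply `op_pages - pages_per_block + 1`; real controllers use far more elaborate GC and wear-levelling, so the numbers are illustrative, not a measurement of any product.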