SoK: Secure Data Deletion

Secure data deletion is the task of deleting data irrecoverably from a physical medium. In the digital world, data is not securely deleted by default; instead, many approaches add secure deletion to existing physical medium interfaces. Interfaces to the physical medium exist at different layers, such as user-level applications, the file system, the device driver, etc. Depending on which interface is used, the properties of an approach can differ significantly. In this paper, we survey the related work in detail and organize existing approaches in terms of their interfaces to physical media. We further present a taxonomy of adversaries differing in their capabilities as well as a systematization for the characteristics of secure deletion approaches. Characteristics include environmental assumptions, such as how the interface's use affects the physical medium, as well as behavioural properties of the approach such as the deletion latency and physical wear. We perform experiments to test a selection of approaches on a variety of file systems and analyze the assumptions made in practice.
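The abstract's central point, that the same user-level interface behaves differently depending on how the physical medium handles writes, can be seen in a small simulation. This is an added example written for this page, not code from the paper; the two medium models, the block layout and the secret record are constructed for illustration.

```python
# Added example (not from the paper): toy models of two physical media showing
# why user-level overwriting is only a secure deletion approach under an
# in-place-update assumption. All media, blocks and data are constructed.
from dataclasses import dataclass, field

@dataclass
class InPlaceMedium:
    """Magnetic-disk-like model: a logical block always maps to the same physical block."""
    blocks: dict = field(default_factory=dict)   # logical block -> bytes

    def write(self, lba: int, data: bytes) -> None:
        self.blocks[lba] = data                   # overwrite happens in place

    def physical_dump(self) -> list:
        return list(self.blocks.values())

@dataclass
class LogStructuredMedium:
    """Flash/log-structured model: every write appends a new physical block; old data lingers until garbage collection."""
    log: list = field(default_factory=list)      # append-only physical blocks
    mapping: dict = field(default_factory=dict)  # logical block -> index into log

    def write(self, lba: int, data: bytes) -> None:
        self.log.append(data)                     # out-of-place update
        self.mapping[lba] = len(self.log) - 1

    def physical_dump(self) -> list:
        return list(self.log)

def user_level_secure_delete(medium, lba: int, size: int, passes: int = 1) -> None:
    """User-level approach: overwrite the file's blocks through the ordinary write interface before unlinking."""
    for _ in range(passes):
        medium.write(lba, b"\x00" * size)

def adversary_recovers(medium, secret: bytes) -> bool:
    """Forensic adversary with raw access to the physical medium: does the secret survive anywhere?"""
    return any(secret in blk for blk in medium.physical_dump())

def demo(medium_cls) -> bool:
    """Write a secret, delete it with the user-level approach, and report whether it is still recoverable."""
    m = medium_cls()
    secret = b"constructed-secret-record"
    m.write(lba=7, data=secret)
    user_level_secure_delete(m, lba=7, size=len(secret))
    return adversary_recovers(m, secret)

if __name__ == "__main__":
    print("in-place medium, secret recoverable:", demo(InPlaceMedium))
    print("log-structured medium, secret recoverable:", demo(LogStructuredMedium))
```

The overwrite succeeds on the in-place model and fails on the log-structured model, which is the environmental assumption the survey says each approach must state explicitly.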
