New malware uses SSD over-provisioning to bypass security measures

Korean researchers have detected a vulnerability in SSDs that allows malware to penetrate directly into the empty over-provisioned partition of an SSD. As reported by BleepingComputer, this makes the malware almost invulnerable to security countermeasures.

Over-provisioning is a feature included in all modern SSDs that improves the life and performance of the SSD's built-in NAND storage. Over-provisioning space is mostly empty storage. It gives the SSD a chance to ensure that data is distributed evenly among all the NAND cells by moving data into the over-provisioning pool when needed.

While this space is supposed to be inaccessible to the operating system, and therefore to antivirus tools, this new malware can infiltrate it and use it as a base of operations.

Image: SSD Over Provisioning Malware Attack (image credit: BleepingComputer)

Korean researchers at the University of Korea in Seoul have modeled two attacks that use over-provisioned space. The first demonstrates a vulnerability that targets invalid data (data deleted in the operating system but not physically erased) in the SSD. To obtain more potentially sensitive data, an attacker can change the size of the over-provisioned data pool so that the operating system is given additional empty space. When a user then deletes more data, the extra data remains physically intact in the SSD.

SSDs rarely physically delete data unless it is absolutely necessary to conserve resources.

Image: SSD Over Provisioning Malware Attack (image credit: BleepingComputer)

The second is similar to what was discussed previously: injecting the firmware directly into the over-provisioning pool. In this example, two SSDs are connected as one device and over-provisioning is set to 50%. When an attacker injects malware into the OP partition of the SSD, it reduces the OP range of the first SSD to 25% of that SSD's total size, and then increases the OP range of the second SSD to 75%.

This gives the attacker room on the second SSD to inject malware directly into the OP partition while setting the OP range of the first SSD to 25%, making the OP area on both drives appear unaffected. This is because the OP range for the two SSDs combined is always 50%.

The researchers suggest implementing a pseudo-erasure algorithm that physically deletes data on an SSD without affecting real-world performance to counter the first attack pattern.

To counter the second attack model, the researchers recommend a new monitoring system capable of closely tracking the over-provisioned size of each SSD in real time. In addition, access to SSD management tools that can change over-provisioned sizes should have more robust security features against unauthorized access.
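The monitoring recommendation above turns on one detail from the two-drive scenario: the pooled OP share stays at 50% while each drive's own share moves. The following added example (illustrative code, not the researchers' monitoring system or any vendor tool) shows a per-drive OP check that catches exactly that case. It assumes each drive exposes a raw NAND capacity and a host-visible capacity (OP share = 1 - visible / raw); on real hardware the visible capacity can be read with tools such as `nvme id-ns` (NVMe) or `hdparm -N` (SATA), while the raw figure would come from the vendor's declared specification. The drive names and byte counts are constructed sample data.

```python
"""Per-drive SSD over-provisioning (OP) drift monitor.

Illustrative example, not the researchers' tool. Assumptions:
  - each drive reports raw NAND capacity and host-visible capacity;
    OP share = 1 - visible / raw.
  - a baseline is captured once; later readings are compared per drive,
    so a shift on one drive is flagged even when the pooled total is unchanged.
"""
from dataclasses import dataclass
from typing import Dict, List

GIB = 1024 ** 3


@dataclass(frozen=True)
class DriveReading:
    drive: str          # device name, e.g. "nvme0n1" (constructed)
    raw_bytes: int      # total NAND capacity (assumed available from vendor data)
    visible_bytes: int  # capacity exposed to the host / operating system

    @property
    def op_share(self) -> float:
        """Fraction of the NAND reserved as over-provisioning."""
        return 1.0 - self.visible_bytes / self.raw_bytes


def pooled_op_share(readings: List[DriveReading]) -> float:
    """OP share of all drives taken together, as a naive aggregate check would see it."""
    raw = sum(r.raw_bytes for r in readings)
    visible = sum(r.visible_bytes for r in readings)
    return 1.0 - visible / raw


def check_op_drift(baseline: List[DriveReading],
                   current: List[DriveReading],
                   tolerance: float = 0.01) -> List[str]:
    """Compare each drive's OP share against its baseline.

    Returns one alert string per drive whose OP share moved by more than
    `tolerance` (absolute), plus an alert for any drive without a baseline.
    """
    base: Dict[str, DriveReading] = {r.drive: r for r in baseline}
    alerts: List[str] = []
    for r in current:
        b = base.get(r.drive)
        if b is None:
            alerts.append(f"{r.drive}: no baseline reading")
            continue
        delta = r.op_share - b.op_share
        if abs(delta) > tolerance:
            direction = "grew" if delta > 0 else "shrank"
            alerts.append(f"{r.drive}: OP {direction} "
                          f"{b.op_share:.1%} -> {r.op_share:.1%}")
    return alerts


# Constructed scenario mirroring the article: two 1 TiB drives, 50% OP each.
BASELINE = [
    DriveReading("nvme0n1", 1024 * GIB, 512 * GIB),
    DriveReading("nvme1n1", 1024 * GIB, 512 * GIB),
]
# After the described manipulation: first drive to 25% OP, second to 75% OP.
AFTER = [
    DriveReading("nvme0n1", 1024 * GIB, 768 * GIB),
    DriveReading("nvme1n1", 1024 * GIB, 256 * GIB),
]


def demo() -> Dict[str, object]:
    """Run both checks on the constructed scenario and return their results."""
    return {
        "pooled_before": pooled_op_share(BASELINE),
        "pooled_after": pooled_op_share(AFTER),
        "alerts": check_op_drift(BASELINE, AFTER),
    }


if __name__ == "__main__":
    result = demo()
    print(f"pooled OP before: {result['pooled_before']:.1%}")
    print(f"pooled OP after:  {result['pooled_after']:.1%}  (aggregate check sees no change)")
    for line in result["alerts"]:
        print("ALERT", line)
```

The pooled figure is 50% both before and after, which is why a monitor that only watches the combined OP size would stay silent; the per-drive comparison raises one alert for each drive. In a deployment the baseline would be recorded at provisioning time and stored where the SSD management tools cannot rewrite it.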

Fortunately, these attacks were created by researchers and were not discovered in an actual attack. However, an attack like this could very well happen, so hopefully SSD makers start patching these security vulnerabilities quickly before anyone has a chance to exploit them.