davidwr's Journal: Is it time for data-storage devices to archive changed blocks?

[original date Wed Feb 11, '15 10:52 AM ]

SSDs already use wear-leveling (the flash translation layer) that effectively turns every overwrite of a logical block into a copy-on-write to a fresh physical page; the old page is not erased until garbage collection reclaims it.

If SSD devices kept track of those old copies, so that an operating system or an SSD-vendor-supplied data-rescue utility could easily treat not-yet-overwritten data as a "shadow copy,"
AND
if the SSD hid that data from the host computer unless a particular switch or jumper was set,
THEN
it would aid data recovery after a ransomware attack.

Why hide it from the host when the switch is not set? If the "shadow copy" IS visible to the OS, the ransomware can target it directly: it only has to overwrite or delete exactly the old data it wants gone. If the shadow copy is invisible to the host, the ransomware cannot aim; it has to write enough data to cycle through every "shadow copy" on the device to guarantee success, and that volume of writes is slow and conspicuous.

Why would a user have the switch on all the time? Backups.
A hardware-based "shadow copy" mechanism that the backup software or host OS understood would make backups easier, without the host OS or filesystem having to implement a shadow-copy system of its own.

--------------------------
[Followup added 5/18/2017 8:08PM UTC; see also https://slashdot.org/comments.pl?sid=10630029&cid=54443823 "You need hard-to-erase disks", a reply to https://linux.slashdot.org/story/17/05/18/1757205/wannacry-makes-an-easy-case-for-linux ]

A sketch of drive firmware that preserves overwritten data for 72 hours:

All logical blocks are marked as either "in use," "available to be written," or "pending until X," where X is a time, in seconds of power-on time accumulated since the device was first initialized. (Counting power-on seconds rather than wall-clock time means the host cannot shorten the hold by setting its clock forward; an attacker can only wait.)

When the device receives a request to write to a logical block, it looks for an available logical block. If there is one, the new data is written to that block and the block holding the old data is marked "pending until [72 hours from now]."

If there is no available logical block, the write fails.

An "available logical block" is one that has either never been written to or whose "pending until" time is in the past.

A more robust implementation would keep "spare logical blocks" (over-provisioning) that could be used:

If there is no available logical block but there is an available spare logical block, the roles are swapped:
The block holding the old data is marked "pending until [72 hours from now]" AND becomes a spare block.
The spare block is marked "active" (i.e. no longer a spare) and the new data is written to it.

If "spare logical blocks" are used, then all logical blocks, both spare and active, have a unique "drive-logical block number."

Under normal circumstances, the spare logical blocks, the drive-logical block numbers and the related metadata would not be visible to the host computer, but they could be exposed in a rescue situation by shorting a jumper or issuing special commands to the firmware.

An even more robust implementation would keep a journal of when each block was written, when each block changed state between spare and active, and when each one had its "pending until" value changed. This could be used to restore recently deleted data.
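As an added illustration (my own code written for this page, not firmware from the post or from any drive vendor), here is a small Python simulator of the state machine just described: block states, copy-on-write allocation, the 72-hour hold, the spare-pool role swap, the journal, and a rescue-mode view of unexpired old copies. It also exercises the ransomware argument from the first part of the entry: once every block is live or unexpired, a program that keeps overwriting gets refused writes instead of evicting the old copies. The class and method names (PreservingDrive, rescue_versions, ransomware_demo, ...) and the scenario data are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

HOLD_SECONDS = 72 * 3600   # the post's 72-hour preservation window


@dataclass
class Block:
    """One drive-logical block; the host never sees these indices directly."""
    data: Optional[bytes] = None         # None: never written
    host_lba: Optional[int] = None       # host address this block last backed
    seq: int = 0                         # write sequence number, orders versions
    pending_until: Optional[int] = None  # set when superseded or deleted
    spare: bool = False                  # member of the hidden spare pool


class PreservingDrive:
    """Toy firmware model of the scheme in the post (hypothetical, not a real product)."""

    def __init__(self, capacity: int, spares: int = 0) -> None:
        self.blocks = [Block() for _ in range(capacity)] + \
                      [Block(spare=True) for _ in range(spares)]
        self.lba_map: dict[int, int] = {}   # host LBA -> drive-logical index
        self.clock = 0                       # seconds of power-on time
        self._seq = 0
        self.journal: list[tuple[int, str, int]] = []   # (clock, event, block)

    def _state(self, i: int) -> str:
        """Block states exactly as the post defines them."""
        b = self.blocks[i]
        if i in self.lba_map.values():
            return "in use"
        if b.data is None or (b.pending_until is not None and b.pending_until <= self.clock):
            return "available"
        return "pending"

    def _find_available(self, spare: bool) -> Optional[int]:
        for i, b in enumerate(self.blocks):
            if b.spare == spare and self._state(i) == "available":
                return i
        return None

    def _retire(self, i: int, make_spare: bool) -> None:
        b = self.blocks[i]
        b.pending_until = self.clock + HOLD_SECONDS
        b.spare = make_spare
        self.journal.append((self.clock, "pending", i))

    def tick(self, seconds: int) -> None:
        self.clock += seconds   # only elapsed power-on time can expire a block

    def write(self, lba: int, data: bytes) -> bool:
        """Copy-on-write to a fresh block; the old copy stays 72 h. False: refused."""
        old = self.lba_map.get(lba)
        target = self._find_available(spare=False)
        from_spare = False
        if target is None:                    # fall back to the spare pool
            target = self._find_available(spare=True)
            from_spare = target is not None
        if target is None:
            self.journal.append((self.clock, "write-failed", -1))
            return False                      # every block is live or unexpired
        self._seq += 1
        self.blocks[target] = Block(data, lba, self._seq)   # active, not pending
        self.lba_map[lba] = target
        self.journal.append((self.clock, "write", target))
        if old is not None:                   # role swap if a spare was consumed
            self._retire(old, make_spare=from_spare)
        return True                           # (first write from a spare: pool shrinks)

    def read(self, lba: int) -> Optional[bytes]:
        i = self.lba_map.get(lba)
        return None if i is None else self.blocks[i].data

    def delete(self, lba: int) -> None:
        """Reports success to the host, but the block only becomes pending."""
        i = self.lba_map.pop(lba, None)
        if i is not None:
            self._retire(i, make_spare=False)

    def free_blocks(self) -> int:
        """What the host sees as free space: available, non-spare blocks."""
        return sum(1 for i, b in enumerate(self.blocks)
                   if not b.spare and self._state(i) == "available")

    def rescue_versions(self, lba: int) -> list[bytes]:
        """Rescue-mode view (jumper set): every unexpired copy of lba, oldest first."""
        hits = [b for i, b in enumerate(self.blocks)
                if b.host_lba == lba and b.data is not None and self._state(i) != "available"]
        return [b.data for b in sorted(hits, key=lambda b: b.seq)]


def ransomware_demo() -> tuple[dict[int, bytes], int]:
    """Constructed scenario: 4 LBAs written, then ransomware overwrites each twice."""
    d = PreservingDrive(capacity=4, spares=4)
    for lba in range(4):
        d.write(lba, b"plain%d" % lba)
    refused = 0
    for _ in range(2):
        for lba in range(4):
            if not d.write(lba, b"ciphertext"):
                refused += 1
    recovered = {lba: d.rescue_versions(lba)[0] for lba in range(4)}   # oldest copies
    return recovered, refused
```

ransomware_demo() returns the pre-attack contents of every LBA and the number of refused writes: the first round of overwrites consumes the spare pool, the second round is refused entirely, and rescue mode still returns the plaintext for all four blocks. One design point the model makes visible: host-visible capacity equals the number of non-spare blocks, so a drive with no spares that is completely written cannot accept any overwrite until a hold expires. The spare pool is not an optional refinement but the over-provisioning that makes the scheme usable at all.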

Considerations:

Host system:

Operating systems would need to be aware that a drive may report success for a delete (or a TRIM) without any increase in free space, and that reported free space may increase at any time, for reasons opaque to the host, as "pending" blocks expire.

Data storage technology:

In storage technologies such as NAND flash, where data can only be erased in large chunks, the firmware would treat every logical block that is in use or has an unexpired "pending until" time as containing data, and all other logical blocks as empty. Physical blocks that do not correspond to such an active logical block would be treated as empty and free to be erased.
