Secure Deletion

News / Recent Events

- 2.4.2013: Elli Androulaki presents the paper "Evaluating User Privacy in Bitcoin" at the Financial Cryptography and Data Security Conference in Okinawa, Japan.
- 5.12.2012: Claudio Marforio and Ramya Jayaram Masti present the papers "Analysis of the Communication between Colluding Applications on Modern Smartphones" and "Enabling Trusted Scheduling in Embedded Systems" at ACSAC in Orlando, Florida.
- 18.10.2012 Elli Androulaki presents the paper "Double-Spending Fast Payments in Bitcoin" at ACM CCS in Raleigh, North Carolina.
- 11.9.2012 Aanjhan Ranganathan presents the paper "Design and Implementation of a Terrorist Fraud Resilient Distance Bounding System" at ESORICS in Pisa, Italy.
- 9.8.2012 Joel Reardon presents the paper "Data Node Encrypted File System: Efficient Secure Deletion for Flash Memory" at the USENIX Security Symposium in Bellevue, Washington.

All News / Events

All Media Coverage

In this project, we analyze solutions to the problem of secure deletion: how to make sensitive data unaccessible from a storage medium. In particular we provide methods to securely delete data from modern devices working at different levels (user-space, log-structured filesystems, flash memory, etc.)



We made the following proposals in regards of the secure deletion topic; further information and related publications are given below:

EFFICIENT SECURE DELETION ON FLASH MEMORY An efficient secure deletion solution for flash memory implemented for the flash file system UBIFS. YAFFS.
USER-LEVEL SECURE DELETION ON LOG-STRUCTURED FILE SYSTEMS Three solutions to address the problem of secure deletion on log-structured file systems such as YAFFS.

Members of the project: Joel Reardon , Claudio Marforio , Srdjan Capkun , David Basin



Secure deletion on flash memory (ubiquitously used in portable devices) is not the straightforwards solution of overwriting data becuase flash memory prohibits in-place updates. Erasure of data happens at a much larger granularity (the erase block) and each erasure incurs some physical wear on the memory.

We present the Data Node Encrypted File System (DNEFS), which securely and efficiently deletes data on flash memory; it requires only a few additional erasures that are evenly distributed over the erase blocks. DNEFS encrypts each individual data node (i.e., the unit of read/write for the file system) with a different key, and then manages the storage, use, and purging of these keys in an efficient and transparent way for both users and applications. Data nodes are encrypted before being written to the storage medium and decrypted after being read, thus DNEFS's use of encryption is no different than any encoding applied by the storage medium (e.g., error correcting codes).

The keys are stored in a reserved area of the file system called the key storage area. Each flash erase block in the key storage area is periodically purged---a new version of the erase block is written where keys corresponding to deleted data nodes are replaced with fresh random data; the old version is deleted, which ensures that data nodes encrypted by these keys are now irrecoverable.

We design and implement an instance of our solution for the file system UBIFS and call our modification UBIFSec. UBIFSec provides a guaranteed upper bound on deletion latency, fine-grained deletion for truncated or overwritten files, runs efficiently and produces little wear on the flash memory. Our implementation is easy to integrate into UBIFS's existing Linux implementation, and requires no changes to the applications using UBIFS.

Related publications:
Joel Reardon, Srdjan Capkun, David Basin
Data Node Encrypted File System: Efficient Secure Deletion for Flash Memory
USENIX Security Symposium, Bellevue, Washington 2012 [pdf]

UBIFSec Implementation:
[project page] | [kernel 3.2.1 patch] [ubifsec design doc]



We address the problem of secure data deletion on log-structured file systems. We focus on the YAFFS file system, widely used on Android smartphones. We show that these systems provide no temporal guarantees on data deletion and that deleted data still persists for nearly 44 hours with average phone use and indefinitely if the phone is not used after the deletion. Furthermore, we show that file over-writing and encryption, methods commonly used for secure deletion on block-structured file systems, do not ensure data deletion in log-structured file systems.

User-level solutions have very limited access to the flash storage medium. Such solutions can only create, modify, and delete the user's own local files. The principle behind our three solutions---purging, ballooning, and our hybrid solution---is that they reduce the file system's available free space to encourage more frequent garbage collection, thereby decreasing the deletion latency of deleted data.

Purging fills the storage medium to capacity, thus ensuring that no deleted data remains on the storage medium. Purging executes intermittently and halts after completion. It provides a guarantee of deletion but is inefficient for large storage media as the entire capacity must be filled.

Ballooning continually occupies some fraction of the storage medium's empty space with junk files to ensure the free space remains within a target range. This reduces the total number of erase blocks available for allocation, thereby reducing the expected data deletion latency; erase blocks with deleted data will be garbage collected earlier than before. It is well-suited for large storage media but it does not provide a guarantee of deletion.

Our hybrid solution combines both purging and ballooning to obtain the benefits of both approaches. At all times, ballooning is used to limit the amount of free space on the device. Periodically, purging is performed to obtain a guarantee of secure deletion. Moreover, as the space occupied by the ballooning files will not be erased, there are fewer erase blocks that need filling so purging is much quicker.

Related publication:
Joel Reardon, Claudio Marforio, Srdjan Capkun, David Basin
User-Level Secure Deletion on Log-structured File Systems
ASIACCS 2012, Seoul Korea [pdf]

Secure deletion application (Android):

Secure Deletion in the News:
Schweizer Fernsehen Einstein show: 9.6.2011


Wichtiger Hinweis:
Diese Website wird in älteren Versionen von Netscape ohne graphische Elemente dargestellt. Die Funktionalität der Website ist aber trotzdem gewährleistet. Wenn Sie diese Website regelmässig benutzen, empfehlen wir Ihnen, auf Ihrem Computer einen aktuellen Browser zu installieren. Weitere Informationen finden Sie auf
folgender Seite.

Important Note:
The content in this site is accessible to any browser or Internet device, however, some graphics will display correctly only in the newer versions of Netscape. To get the most out of our site we suggest you upgrade to a newer browser.
More information

© 2014 ETH Zurich | Imprint | Disclaimer | 29 July 2013