New malware can hide in the reserved memory in the SSD

Modern SSDs today commonly use the Over-provisioning technique, which simply means that SSDs do not actually make all their capacity available in NAND Flash memory. Part of it is kept in reserve so that it can better distribute the overall load in terms of lubrication and writing operations, which is a technique to ensure longer SSD life, but it is also essentially a buffer that can help increase performance. Unfortunately, for malware, it is now also a memory where it can hide and be out of reach of antivirus software. And that’s a problem.

According to BleepingComputer such malware cannot be eliminated in the usual way, as the cells in the over-provisioning are not even accessible to the operating system. So far, however, this is not an immediate threat, but rather research from the Korean University in Seoul, where they have found two ways in which this feature of the SSD could be exploited.

In the first case, it is more a way to access potentially sensitive data. Data that has been essentially erased but actually remains in NAND Flash cells is targeted, as the SSD usually does not overwrite it, which would not do any good in terms of performance and endurance. An attacker can then access such data by changing the over-provisioning (OP) memory capacity setting within the SSD firmware, which disables certain space on the SSD from viewing the mapping table and then makes the data available.

And the second case concerns the creation of a safe place to store malware, simply by increasing the amount of space reserved for the OP, which puts the malware code in a part of the memory that is inaccessible to the OS. This can then be masked by reducing the space for the OP on the second SSD.

Of course, all this only applies if the attacker first gains the necessary access to the system, which is a big problem in the first place. And what could be done about such a danger? As for the first type of attack, it may be sufficient to simply degrade the data from time to time, ie rewrite it, of course not necessary in its entirety, and in the second case it may be a system that monitors how user and OP space ratios on the SSD change and in case of non-standard behavior, the user would be given the opportunity to completely erase the space in the OP.

Prices of related / similar products:

Source: Svět hardware by

*The article has been translated based on the content of Svět hardware by If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!

*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.

*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!