We address the problem of secure data deletion on log-structured file systems. We focus on the YAFFS file system, widely used on Android smartphones. We show that these systems provide no temporal guarantees on data deletion and that deleted data still persists for nearly 44 hours with average phone use and indefinitely if the phone is not used after the deletion. Furthermore, we show that file overwriting and encryption, methods commonly used for secure deletion on block-structured file systems, do not ensure data deletion in log-structured file systems. We propose three mechanisms for secure deletion on log-structured file systems. Purging is a user-level mechanism that guarantees secure deletion at the cost of negligible device wear. Ballooning is a user-level mechanism that runs continuously and gives probabilistic improvements to secure deletion. Zero overwriting is a kernel-level mechanism that guarantees immediate secure deletion without device wear. We implement these mechanisms on Nexus One smartphones and show that they succeed in secure deletion and neither prohibitively reduce the longevity of the flash memory nor noticeably reduce the device's battery lifetime. These techniques provide mobile phone users more confidence that data they delete from their phones are indeed deleted.
翻译:我们解决了在日志结构文件系统中安全删除数据的问题。 我们侧重于日志结构文件系统, 该系统在Android智能手机上广泛使用。 我们显示, 这些系统对数据删除没有提供时间保障, 被删除的数据仍然持续了近44小时, 平均使用电话, 如果在删除后不使用, 则被删除的数据将无限期使用。 此外, 我们显示, 文件覆盖和加密, 通常用于在区块结构文件系统中安全删除数据的方法, 无法确保在日志结构文件系统中安全删除数据 。 我们建议了三个机制, 用于在日志结构文件系统中安全删除数据 。 净化是一个用户级机制, 保证以可忽略设备穿戴的成本安全地删除数据。 气球是一个用户级机制, 持续运行, 并提供概率性改进, 以安全方式删除。 Zero 封写是一个内核级别机制, 保证立即安全删除不戴装置的系统。 我们在Nexus One smarphones上实施这些机制, 并表明它们成功地安全删除了闪存的寿命, 并且不会令人窒息地减少设备电池的寿命。 这些技术使移动电话用户更加相信它们确实删除了它们。