傳統(tǒng)硬盤(pán)(HDD)還沒(méi)有步馬車的后塵，也就是說(shuō)還沒(méi)有被歷史拋棄，不過(guò)鑒于固態(tài)硬盤(pán)(SSD)人氣飆升，SSD成為標(biāo)準(zhǔn)、HDD被逐步淘汰是早晚的事情?？紤]到固態(tài)硬盤(pán)在速度和可靠性方面具有優(yōu)勢(shì)，更不用說(shuō)最近價(jià)格不斷下滑，這種轉(zhuǎn)變完全在情理之中。

然而卡內(nèi)基·梅隆大學(xué)的研究人員卻發(fā)現(xiàn)固態(tài)硬盤(pán)設(shè)計(jì)存在一處缺陷，這導(dǎo)致它們極容易受到某種特定類型的攻擊，因而導(dǎo)致固態(tài)硬盤(pán)過(guò)早失效和數(shù)據(jù)損毀。這個(gè)缺陷的技術(shù)細(xì)節(jié)非常深?yuàn)W，不過(guò)我會(huì)在這里盡量講得簡(jiǎn)單明了。

很顯然，這個(gè)問(wèn)題只影響多層單元(MLC)固態(tài)硬盤(pán)。單層單元(SLC)固態(tài)硬盤(pán)不受影響，但是由于MLC固態(tài)硬盤(pán)速度快，因而變得更受歡迎，這個(gè)風(fēng)險(xiǎn)波及多得多的設(shè)備。雖然該研究報(bào)告沒(méi)有探討三層單元(TLC)固態(tài)硬盤(pán)，不過(guò)ExtremeTech指出，由于TLC使用了與MLC相同類型的多階段編程周期，TLC可能也易受攻擊。

[[194081]]

這個(gè)安全漏洞源自MLC的編程方式。不像SLC固態(tài)硬盤(pán)，MLC固態(tài)硬盤(pán)從閃存單元將數(shù)據(jù)寫(xiě)入到緩沖器，而不是從固態(tài)硬盤(pán)的閃存控制器將數(shù)據(jù)寫(xiě)入到緩沖器。如果攔截這個(gè)過(guò)程，攻擊者就可以破壞需要寫(xiě)入的數(shù)據(jù)。

顯而易見(jiàn)的結(jié)果是，內(nèi)存中存儲(chǔ)的數(shù)據(jù)損壞，但是這還可能對(duì)固態(tài)硬盤(pán)本身造成破壞，因而縮短其使用壽命。

當(dāng)然，上面這番解釋高度簡(jiǎn)單化了，但如果你精通技術(shù)行話，可以上Semantic Scholar 閱讀研究人員的全文下載，文章標(biāo)題為《MLC NAND 閃存編程中的安全漏洞：實(shí)驗(yàn)性分析、漏洞利用及緩解技術(shù)/方法》。

解決這個(gè)問(wèn)題來(lái)得比較簡(jiǎn)單直觀。固態(tài)硬盤(pán)廠商只要改而通過(guò)閃存控制器來(lái)運(yùn)行數(shù)據(jù)，就像處理SLC那樣。然而，這使延遲時(shí)間增加了約5%，這多少影響了MLC固態(tài)硬盤(pán)相比SLC固態(tài)硬盤(pán)具有的主要優(yōu)勢(shì)之一。

如果卡內(nèi)基·梅隆大學(xué)能搞清楚這個(gè)問(wèn)題，黑客恐怕也有這個(gè)本事。要是黑客還沒(méi)有聽(tīng)說(shuō)過(guò)這個(gè)漏洞，他們現(xiàn)在應(yīng)該聽(tīng)說(shuō)了。我們還沒(méi)有聽(tīng)到有誰(shuí)報(bào)告利用這個(gè)安全漏洞的攻擊;固態(tài)硬盤(pán)廠商們肯定已經(jīng)在竭力尋找方法，在不影響速度的情況下堵住這個(gè)漏洞。

即使廠商確實(shí)搞清楚了如何修復(fù)新固態(tài)硬盤(pán)中的缺陷，已經(jīng)用于消費(fèi)類設(shè)備中的固態(tài)硬盤(pán)該怎么辦?有沒(méi)有軟件補(bǔ)丁可以修復(fù)這個(gè)問(wèn)題?是否可以編寫(xiě)病毒定義，以便檢測(cè)有人是否編寫(xiě)了某個(gè)軟件或應(yīng)用程序來(lái)利用這個(gè)安全漏洞?

英文：

Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques

Abstract

Modern NAND flash memory chips provide high density by storing two bits of data in each flash cell, called a multi-level cell (MLC). An MLC partitions the threshold voltage range of a flash cell into four voltage states. When a flash cell is programmed, a high voltage is applied to the cell. Due to parasitic capacitance coupling between flash cells that are physically close to each other, flash cell programming can lead to cell-to-cell program interference, which introduces errors into neighboring flash cells. In order to reduce the impact of cell-to-cell interference on the reliability of MLC NAND flash memory, flash manufacturers adopt a two-step programming method, which programs the MLC in two separate steps. First, the flash memory partially programs the least significant bit of the MLC to some intermediate threshold voltage. Second, it programs the most significant bit to bring the MLC up to its full voltage state. In this paper, we demonstrate that two-step programming exposes new reliability and security vulnerabilities. We experimentally characterize the effects of two-step programming using contemporary 1X-nm (i.e., 15–19nm) flash memory chips. We find that a partially-programmed flash cell (i.e., a cell where the second programming step has not yet been performed) is much more vulnerable to cell-to-cell interference and read disturb than a fully-programmed cell. We show that it is possible to exploit these vulnerabilities on solid-state drives (SSDs) to alter the partially-programmed data, causing (potentially malicious) data corruption. Building on our experimental observations, we propose several new mechanisms for MLC NAND flash memory that eliminate or mitigate data corruption in partially-programmed cells, thereby removing or reducing the extent of the vulnerabilities, and at the same time increasing flash memory lifetime by 16%.