White Paper

Safeguarding Mission Critical Data with Secure Solid State Drives

Issue link: https://read.uberflip.com/i/1173420

mance when it detects excessive writes to the NAND, vs. accumulated power-on hours. Warranty throttling is done to assure that the NAND media will not reach its Program/Erase (PE cycle) limit prior to fulfilling the warranty period. Warranty throttling can be catastrophic in defense applications that must collect high-speed data at a deterministic rate throughout the equipment's lifespan. Since the throttling is dependent on the number of previous write operations and power-on time, the issue can slip through qualification undetected. Throttling might not start until units are fielded.

By contrast, Defense Grade SSDs don't throttle performance and often specify product life as Total Bytes Written (TBW) or as Drive-Writes-Per-Day (DWPD). To mitigate early media wear-out, Defense Grade SSDs can use stronger Error Correction Codes (ECC) and incorporate extra NAND devices to allow additional over-provisioning and ECC parity storage. These techniques are costly; however, they can greatly extend the full-performance lifespan of an SSD.

Consistency choked by temperature

Another impact to performance under non-ideal usage scenarios is temperature throttling. When an SSD operates at full read or write speed, it uses more power than when it runs at idle. The additional power quickly increases the internal temperature of the SSD. Temperature is especially important to manage for Multi-Level Cell (MLC) and Triple-Level Cell (TLC) based SSDs because MLC and TLC NAND have significantly reduced temperature ranges. COTS SSDs incorporate a feature to gradually lower (throttle) the SSD read/write performance once the internal temperature reaches an upper limit. Lowering performance lowers power and therefore temperature, so temperature throttling acts as a simple type of thermal regulation. The SSD resumes normal operation once the temperature drops to a predetermined lower limit.
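
The warranty throttling described at the top of this page is hard to catch precisely because it depends on accumulated writes and power-on time rather than on anything a short test exercises. The model below is an added example, not code from the white paper or from any SSD vendor: it assumes a hypothetical, deliberately simple throttle rule (the drive pro-rates its TBW budget over the warranty's power-on hours and throttles once accumulated writes exceed both a grace allowance and that pro-rated budget) and constructed numbers for the drive rating, the grace allowance and the recorder's data rate. It then compares a 200 hour qualification run with 1000 hours of fielded operation at the same write rate.

```python
"""Added example (not from the white paper): a toy model of COTS warranty
throttling showing why it can pass qualification and only appear in the field.
The throttle rule is a hypothetical simplification; real controllers use
vendor-specific rules. All numbers are constructed."""
from dataclasses import dataclass


@dataclass
class WarrantyPolicy:
    tbw_bytes: float            # total bytes written the warranty covers
    warranty_hours: float       # warranty period in power-on hours
    full_rate_bps: float        # unthrottled sustained write rate, bytes/s
    throttled_rate_bps: float   # rate once the drive throttles, bytes/s
    grace_bytes: float          # writes ignored before the rule is applied


def tbw_from_dwpd(capacity_bytes: float, dwpd: float, years: float) -> float:
    """Convert a Drive-Writes-Per-Day rating into Total Bytes Written."""
    return capacity_bytes * dwpd * 365 * years


def budget_at(policy: WarrantyPolicy, power_on_hours: float) -> float:
    """Bytes the warranty 'entitles' the drive to by this many power-on hours
    (linear pro-rating, an assumption of this model)."""
    return policy.tbw_bytes * power_on_hours / policy.warranty_hours


def simulate(policy: WarrantyPolicy, demand_bps: float, hours: float,
             step_hours: float = 1.0):
    """Drive the model with an application that wants demand_bps continuously.
    Returns (power-on hour at which throttling first engaged, or None;
    bytes actually accepted over the run)."""
    written = 0.0
    first_throttle = None
    t = 0.0
    while t < hours:
        throttled = (written > policy.grace_bytes
                     and written > budget_at(policy, t))
        if throttled and first_throttle is None:
            first_throttle = t
        ceiling = policy.throttled_rate_bps if throttled else policy.full_rate_bps
        written += min(demand_bps, ceiling) * step_hours * 3600
        t += step_hours
    return first_throttle, written


# Constructed COTS drive: 2 TB, rated 0.5 DWPD for 5 years, 50 TB grace.
COTS_POLICY = WarrantyPolicy(
    tbw_bytes=tbw_from_dwpd(2e12, 0.5, 5),
    warranty_hours=5 * 365 * 24,
    full_rate_bps=500e6,
    throttled_rate_bps=5e6,
    grace_bytes=50e12,
)
RECORDER_RATE_BPS = 50e6    # constructed data-recorder demand: 50 MB/s, 24/7


def qualification_vs_field(policy=COTS_POLICY, demand_bps=RECORDER_RATE_BPS,
                           qual_hours=200, field_hours=1000):
    """Compare a qualification run with a longer fielded run at the same rate.
    Returns (qual throttle hour, field throttle hour, average accepted B/s)."""
    qual_first, _ = simulate(policy, demand_bps, qual_hours)
    field_first, field_written = simulate(policy, demand_bps, field_hours)
    achieved = field_written / (field_hours * 3600)
    return qual_first, field_first, achieved


if __name__ == "__main__":
    q, f, rate = qualification_vs_field()
    print(f"qualification throttled at: {q}")        # None: never seen in the lab
    print(f"fielded throttled at hour: {f}")         # 278.0, about 11.6 days in
    print(f"average accepted rate in field: {rate / 1e6:.1f} MB/s")
```

The 200 hour qualification run writes 36 TB, under the grace allowance, so the rule never fires; the fielded unit crosses it at hour 278 and the average accepted rate for the rest of the run falls well under the recorder's demand. Replacing the hypothetical rule with a drive's documented TBW/DWPD figures gives a first-order estimate of whether a planned duty cycle stays inside the rating for the equipment's life.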
Temperature throttling is generally discovered in the lab, during prototype testing, prior to qualification. The mitigation is to incorporate additional cooling. Defense Grade SSDs must also protect against over-temperature conditions; however, their enhanced enclosure designs, industrial grade components, and often Single-Level Cell (SLC) flash allow full-speed operation at higher temperatures, to at least 85 °C, with some products operating as high as 100 to 110 °C.

Garbage collection limits performance

While warranty and temperature throttling can both cause application failures in defense equipment, there exists a third, more serious performance limitation. Most modern SSDs utilize large DRAM devices to hold sector translation tables and buffers for data destined for the NAND media. COTS SSDs also utilize the DRAM as a large data cache to boost short-term performance and hide worst-case performance limitations. Performance of the SSD abruptly reduces when the DRAM cache overruns during sustained random write operations. Further, once the SSD is written full, continued small-block random write operations fragment the location of data sectors across the NAND media. At some point, the SSD begins a garbage collection process to consolidate partially dirty NAND blocks, free up media space and allow for continued write operations. Other than media wear-out, the garbage collection process is typically the most severe performance degradation mechanism in modern SSDs. The delays inherent in the garbage collection process can be partially hidden if the SSD uses a large portion of DRAM as a data cache. Unfortunately, sustained full-speed small-block random write operations eventually overrun the cache. Once the cache is overrun, performance drops significantly, potentially to less than 1 MB/s depending on the garbage collection algorithm and severity of fragmentation. Typical defense applications require sustained write operations at a predictable rate.
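
The write-rate collapse during garbage collection matters in proportion to how long the application's own buffer can absorb the deficit. The following is an added example, not code from the white paper: it computes that ride-out time for a given buffer, input rate and degraded SSD rate, and replays a constructed per-second throughput trace (full speed, a cache over-run collapse, recovery) to find the first interval at which data would be lost and the peak backlog, i.e. the buffer that would have been needed. The buffer size, input rate and trace values are assumptions, not measurements of any product.

```python
"""Added example (not from the white paper): how long an application survives
the garbage-collection write-rate collapse before its buffer overflows, and a
replay of a constructed throughput trace to locate the moment of data loss."""


def tolerable_stall_seconds(buffer_bytes: float, input_rate_bps: float,
                            ssd_rate_bps: float) -> float:
    """Seconds the application survives while the SSD accepts only
    ssd_rate_bps: the buffer absorbs the deficit until it is full."""
    deficit = input_rate_bps - ssd_rate_bps
    if deficit <= 0:
        return float("inf")         # the SSD still keeps up
    return buffer_bytes / deficit


def find_overflow(accepted_per_interval, interval_s: float,
                  buffer_bytes: float, input_rate_bps: float):
    """Replay bytes-accepted-per-interval samples against a constant input
    rate. Returns (index of the first interval whose backlog exceeds the
    buffer, or None; peak backlog seen). The peak is the buffer that would
    have been needed to avoid loss on this trace."""
    backlog = 0.0
    peak = 0.0
    for i, accepted in enumerate(accepted_per_interval):
        backlog = max(0.0, backlog + input_rate_bps * interval_s - accepted)
        peak = max(peak, backlog)
        if backlog > buffer_bytes:
            return i, peak
    return None, peak


def constructed_trace(slow_rate_bps: float):
    """1 s samples: 30 s at full speed, 60 s in the slow phase, 30 s recovered.
    Constructed to mimic a DRAM cache over-run followed by garbage collection."""
    return [200e6] * 30 + [slow_rate_bps] * 60 + [200e6] * 30


BUFFER_BYTES = 256e6        # constructed: 256 MB application buffer
INPUT_RATE_BPS = 20e6       # constructed: sensor data arriving at 20 MB/s


def compare_drives():
    """A drive that collapses to 0.8 MB/s during GC versus one that still
    accepts 30 MB/s through GC; returns the find_overflow result for each."""
    cots = find_overflow(constructed_trace(0.8e6), 1.0, BUFFER_BYTES, INPUT_RATE_BPS)
    steady = find_overflow(constructed_trace(30e6), 1.0, BUFFER_BYTES, INPUT_RATE_BPS)
    return cots, steady


if __name__ == "__main__":
    print("seconds until loss at 0.8 MB/s:",
          tolerable_stall_seconds(BUFFER_BYTES, INPUT_RATE_BPS, 0.8e6))
    cots, steady = compare_drives()
    print("collapsing drive: first loss at interval", cots[0], "peak backlog", cots[1])
    print("steady drive:     first loss at interval", steady[0], "peak backlog", steady[1])
```

With these numbers a 256 MB buffer rides out a collapse to 0.8 MB/s for about 13 seconds, so the 60 second slow phase overflows it at interval 43; the drive that holds 30 MB/s never builds a backlog at all. Feeding real per-interval throughput samples from a sustained random-write test into find_overflow turns the white paper's qualitative warning into a pass/fail number for a specific buffer budget.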
With limited resources for large DRAM buffers, defense equipment designs cannot tolerate performance reductions for extended periods of time. In such a scenario, when the rate of data accepted by the SSD slows for too long, defense application software begins to lose data, crashes or hangs. While all SSDs are susceptible to this performance loss scenario, Defense Grade SSD designers are aware of the requirements for deterministic sustained write speeds. Defense Grade SSDs incorporate better garbage collection algorithms, additional over-provisioning, and sometimes additional NAND devices to improve parallelism and maximize write performance during garbage collection operations.

Questions to ask

When permanent storage is present in defense applications, trust and security are mandatory. Many questions present themselves:

• Is the SSD designed and assembled in a foreign country?
• Can you verify that the SSD truly implements the claimed security?
• Are all instances of the DEK (Data Encryption Key) in the SSD encrypted?
• Was the firmware in the SSD replaced or modified prior to delivery?
• Does the SSD manufacturer have revision control for the firmware?
• Is the delivered firmware the expected version?
• Does the firmware have back doors?
• Has the key management firmware been reviewed by a trusted 3rd party to assure proper implementation of crypto algorithms?
• Is the password or DEK value encrypted or stored in plain text?
• Does the SSD test its crypto algorithms on each power-on cycle?
• Can an attacker easily replace the SSD firmware with their own malicious firmware?
• Has the Random Number Generator (RNG) used to generate the DEK been tested over temperature and proven to have predictable entropy?
• Is there a possibility that every SSD has the same DEK value?
• Did the manufacturer install a master password or key to bypass security and allow drive recovery?
• Does the design include a debug or production mode that can bypass security?
• Is there a single bit in the controller that, if triggered by an invasive attack, can force a key export operation?
• Does the drive encrypt all data sectors or are some skipped?

These are questions to answer when selecting an SSD for a critical secure storage application. The wrong answer to any one of these questions jeopardizes the security of data-at-rest residing in the SSD.
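
Two of the questions in the list can be turned into lab checks rather than taken on the vendor's word. The code below is an added example, not from the white paper or any vendor: "does the drive encrypt all data sectors?" becomes a scan of a captured media image for the known plaintext that was written to every LBA before capture (plus a catch-all for sectors whose byte entropy is far below that of ciphertext), and "could every SSD have the same DEK?" becomes a comparison of the ciphertext several drives produced for the same plaintext at the same LBA. It assumes a raw media image can be obtained in the lab, which is outside this code; the images here are constructed stand-ins in which seeded pseudo-random bytes play the role of ciphertext and the seed stands in for a drive's DEK.

```python
"""Added example (not from the white paper): media-image checks for sector
encryption coverage and for drives that appear to share one DEK. Images are
constructed stand-ins, not data captured from any product."""
import math
import random
from collections import Counter, defaultdict

SECTOR = 512
PATTERN = b"QUAL-KNOWN-PLAINTEXT-"   # written to every LBA before capture


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_image(image: bytes, pattern: bytes = PATTERN,
               sector: int = SECTOR, min_entropy: float = 7.0):
    """Flag sectors that look unencrypted: the known plaintext appears
    verbatim, or the byte entropy is far below that of ciphertext."""
    findings = []
    for i in range(len(image) // sector):
        s = image[i * sector:(i + 1) * sector]
        if pattern in s:
            findings.append((i, "plaintext present"))
        elif byte_entropy(s) < min_entropy:
            findings.append((i, "low entropy"))
    return findings


def shared_key_suspects(images: dict, lba: int, sector: int = SECTOR):
    """Groups of drives whose ciphertext for the same plaintext at the same
    LBA is identical. With per-drive DEKs this should never happen, so a
    match is a strong hint (a heuristic, not proof) of a shared key."""
    groups = defaultdict(list)
    for drive, image in images.items():
        groups[image[lba * sector:(lba + 1) * sector]].append(drive)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def constructed_image(seed: int, sectors: int, skipped=(), blank=()) -> bytes:
    """Stand-in for a captured image: seeded pseudo-random bytes play the
    role of ciphertext (the seed stands in for the drive's DEK); `skipped`
    sectors hold the plaintext unencrypted; `blank` sectors are all zeros."""
    rng = random.Random(seed)
    out = bytearray()
    for i in range(sectors):
        block = rng.getrandbits(8 * SECTOR).to_bytes(SECTOR, "big")
        if i in skipped:
            block = (PATTERN + b"%08d" % i).ljust(SECTOR, b"\0")
        elif i in blank:
            block = bytes(SECTOR)
        out += block
    return bytes(out)


def run_checks():
    """Scan one image with two unencrypted sectors, and compare three drives
    of which two were built from the same 'DEK' seed."""
    leaky = constructed_image(seed=3, sectors=8, skipped={2}, blank={5})
    fleet = {
        "drive-A": constructed_image(seed=1, sectors=8),
        "drive-B": constructed_image(seed=2, sectors=8),
        "drive-C": constructed_image(seed=1, sectors=8),   # same key as A
    }
    return scan_image(leaky), shared_key_suspects(fleet, lba=0)


if __name__ == "__main__":
    findings, suspects = run_checks()
    for sector, why in findings:
        print(f"sector {sector}: {why}")
    print("drives with identical ciphertext at LBA 0:", suspects)
```

The entropy threshold is a coarse filter: compressed or already-encrypted user data also scores high, which is why the scan is run over a known plaintext fill rather than arbitrary content. The shared-key comparison only detects the case where identical plaintext at identical LBAs yields identical ciphertext; a drive using per-drive keys or LBA-dependent tweaks will not match, and a match across units is grounds for the RNG and key-provisioning questions above, not a final verdict.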