
Is secure deletion possible in Java

  1. Jun 12, 2015 #1
    Let a file on disc comprise the bytes "Hello World".

    If I open the file in Java as a RandomAccessFile and write the character "X" over it from the start of the file to its end, will the original disc block be overwritten? Or, will the original block containing "Hello World" be marked as unused, and another block written as "Xello World" and so forth till a final block is written containing "XXXXXXXXXXX"?

    Is it possible to do secure deletion entirely in Java? (...I'm aware of secure deletion programs)
     
  3. Jun 12, 2015 #2

    phinds


    I'm pretty sure that actual file access is done from O.S. subroutine calls and it is irrelevant what language you use to create the machine language call. The O.S. will open the same file and, yes, overwrite it.
     
  4. Jun 12, 2015 #3
    Do you mean overwrite the same physical magnetic block on the hard disc surface as laid down by the drive's firmware? So that block will be written to 11 times?
     
  5. Jun 12, 2015 #4

    phinds


    No, why would it be done 11 times?

    If you write the file once, it will be written once. If you want it to overwrite 11 times, you have to specifically tell the O.S. to write the file 11 times. I'm not aware of any O.S. sub (at least under Windows) that writes a file 11 times with one call.
     
  6. Jun 13, 2015 #5

    Filip Larsen


    Yes, in the same way as in any programming language with random file access. However, this method of secure erase would only apply to HDDs (Hard Disc Drives) or other storage where the file blocks retain their position. For this to be effective you would also have to make sure that the blocks are written many times during the process and not cached in RAM by the OS and then just written once.

    For the modern SSD (Solid State Drive), overwriting a file for security purposes does not make sense, as the blocks of the file change location on the device when blocks are updated and written by the OS. For files on SSDs you would need other (low-level) methods [1] to securely erase a file, methods that to my knowledge are not yet available at the OS file API level, let alone from Java. To the extent the SSD in question supports such secure erase, it would most likely need a special vendor or BIOS tool to securely erase a file or whole partition from that disc.

    Later: I can see in the description of the Sysinternals SDelete tool [2] that they apparently only overwrite files once using a certain bit pattern. If one overwrite is all it takes, my concern stated above about the OS caching blocks between multiple overwrites does of course not apply.

    [1] https://en.wikipedia.org/wiki/Solid-state_drive#Data_recovery_and_secure_deletion
    [2] https://technet.microsoft.com/en-us/sysinternals/bb897443.aspx
     
    Last edited: Jun 13, 2015
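The in-place overwrite described in the post above, written out as an added Java example (this is not code from the thread; the class and method names, the choice of three random passes and the "rws" open mode are my assumptions). It overwrites the file's bytes from offset 0 to its end with random data, forces each pass out of the OS page cache with FileChannel.force(true) so the passes do not collapse into a single cached write, truncates the file to zero length, renames it and deletes it. The caveat from the post still holds: on an SSD, on a copy-on-write or snapshotting filesystem, or on a filesystem that journals file data, the rewritten bytes need not land on the original physical blocks.

```java
import java.io.IOException;
import java.io.RandomAccessFile;
import java.nio.channels.FileChannel;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.security.SecureRandom;
import java.util.Arrays;

/**
 * Added example, not from the thread: overwrite a file in place from Java,
 * forcing every pass to the device, then truncate, rename and delete it.
 *
 * Assumption: the file lives on a magnetic disk with a filesystem that rewrites
 * blocks in place. SSD wear levelling, copy-on-write filesystems, snapshots and
 * data journaling all break the assumption that the same file offset maps to
 * the same physical location on every pass.
 */
public final class OverwriteDelete {

    private static final int BUFFER_SIZE = 64 * 1024;

    private OverwriteDelete() {}

    /** Overwrite {@code file} with {@code passes} passes of random bytes, then delete it. */
    public static void overwriteAndDelete(Path file, int passes) throws IOException {
        if (passes < 1) {
            throw new IllegalArgumentException("passes must be >= 1");
        }
        if (!Files.isRegularFile(file)) {
            throw new IOException("not a regular file: " + file);
        }
        SecureRandom random = new SecureRandom();
        byte[] buffer = new byte[BUFFER_SIZE];

        // "rws" asks for synchronous updates of content and metadata; force()
        // after each pass additionally pushes the pass out of the page cache
        // before the next one starts, so the passes are not merged by the OS.
        try (RandomAccessFile raf = new RandomAccessFile(file.toFile(), "rws")) {
            long length = raf.length();
            FileChannel channel = raf.getChannel();
            for (int pass = 0; pass < passes; pass++) {
                raf.seek(0);
                long remaining = length;
                while (remaining > 0) {
                    random.nextBytes(buffer);
                    int chunk = (int) Math.min(buffer.length, remaining);
                    raf.write(buffer, 0, chunk);
                    remaining -= chunk;
                }
                channel.force(true); // data and metadata to the device
            }
            // Shrink to zero so the directory entry no longer records the size.
            raf.setLength(0);
            channel.force(true);
        }
        Arrays.fill(buffer, (byte) 0);

        // Rename before deleting so the original name is less likely to remain
        // in the directory structure (best effort; depends on the filesystem).
        Path renamed = file.resolveSibling("." + Long.toHexString(random.nextLong()));
        Path target = file;
        try {
            target = Files.move(file, renamed);
        } catch (IOException ignored) {
            // keep the original name if the rename is refused
        }
        Files.delete(target);
    }

    /** Demonstration on a constructed temp file containing "Hello World". */
    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempFile("wipe-demo", ".txt");
        Files.write(tmp, "Hello World".getBytes(StandardCharsets.US_ASCII),
                StandardOpenOption.WRITE);
        overwriteAndDelete(tmp, 3);
        System.out.println("exists after wipe: " + Files.exists(tmp));
    }
}
```

Nothing in this code can confirm which sectors the drive actually touched; the force() calls only guarantee the writes left the host. Treat it as the file-API ceiling the thread is discussing, not as a substitute for a drive-level secure erase or full-disk encryption.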
  7. Jun 13, 2015 #6

    phinds


    Excellent point. I hadn't even thought about that.
     
  8. Jun 14, 2015 #7
    For the reasons explained above (SSDs, OS leaking info via swap files etc), if you are depending on secure deletion you might additionally wish to look into full disk encryption.
     
  9. Jun 14, 2015 #8
    Can't really rely on encryption unfortunately. My scenario calls for a program that will run on varied machines. It will then securely delete a part of itself when the program has been run. I was wondering if this could be achieved solely in Java?

    I can't rely on them having /being able to have disc encryption.
     
  10. Jun 14, 2015 #9
    Any programming language should be able to delete or overwrite files that it created.
    I don't see the problem.
     
  11. Jun 14, 2015 #10
    From my question title, I was referring to secure deletion.
     
  12. Jun 14, 2015 #11
    So before you delete the file you replace its content with random gibberish.
     
  13. Jun 14, 2015 #12
    And this will overwrite the same physical magnetic block on the hard disc surface as laid down by the drive's firmware? You realise of course that erased data isn't really erased?
     
  14. Jun 14, 2015 #13
    A block of data on a magnetic disk is what it is, bits of information stored and retrievable by means of atomic magnetic orientation.
    As far as I know computer disk magnetism is 'as it is' and does not contain any memory of its previous content, but I am willing to hear of how this could be possible.
     
  15. Jun 14, 2015 #14

    FactChecker


    There is no guarantee that the modified file is written back to the same place on the disk. So the original data can still be there. This is certainly true for sequential access files and the question is whether it is also true for direct access files. Even for direct access files, there is some chance that a disk sector will be marked as bad and would not be overwritten. I doubt that there is any way, using high level disk access, to guarantee that a particular sector is overwritten. It's possible that the only sure way would be to copy all other data to another disk and reformat the entire original disk.
     
  16. Jun 14, 2015 #15
    Sure, but it's definitely possible to write whatever gibberish you want to a specific disk block if you have reason to do that.
     
  17. Jun 14, 2015 #16

    phinds


    I'm not sure if it's still true but in the early days of Windows, the carry-over from DOS was that there were system calls that let you access the file system directly via the File Allocation Table and you COULD be sure that you were overwriting what you wanted to be overwriting. File systems are a bit more complicated nowadays so that capability may no longer exist in windows. I haven't kept up with such things.
     
  18. Jun 14, 2015 #17

    phinds


    Only if the O.S. allows you direct access to the file allocation system, otherwise you have no way of knowing whether you are writing to the same place on the disk or not. You seem to be conflating high-level disk operations with low-level disk operations in a way that may not hold.
     
  19. Jun 14, 2015 #18

    phinds


    I'm with you on this one, but there have always been people who are paranoid about security who insist that it is possible. That has never made the slightest bit of sense to me but I've never delved into the technical details so I cannot say w/ 100% assurance that it can't be done. There are numerous apps, and pretty much always have been (since the early days of PCs), that "guarantee" what they call "secure" overwriting, which means writing to the same exact magnetic bit over and over, and people buy them or they would not still be around.
     
  20. Jun 14, 2015 #19

    Filip Larsen


    This is in general not possible to do securely in the sense that it would be very easy for an adversary to break this by denying your process the permission to overwrite the files in question or by making copies of your program and restore them after your program deletes itself. Note that using a virtual machine it is very easy to save and restore the full HDD state of a machine to one (or many) points in the past simply by the click of a button.

    A long story short, you cannot trust or rely on anything deployed to a client machine you have no (physical) control of. If you need some kind of license control of your system the "most secure" route dictates that you move part of your licensed service (i.e. the functions your program performs) to a host that you control. The logical end-point of this argument with current technology is that if you need strong license control you would probably want to use a cloud solution and only use the client for presentation and use of non-licensed functions.
     
  21. Jun 15, 2015 #20
    What's to stop them having the JVM pause and dump your code? There's even an open source JVM which can be made to do anything with your bytecode.

    I don't know high profile examples from Java, but for other VM languages, you can look at Dropbox's attempts to obfuscate Python (they used a custom interpreter) and Zend's attempt to build a PHP obfuscator using encrypted bytecode. It doesn't work, because, eventually, you have to run regular bytecode and the interpreter or JVM will give you up when sufficiently prodded.

    You're going to need a language that runs on the metal or you are going to need to fork the JVM and add obfuscation into it. You can't run regular Java bytecode that's binary compatible with a standard JVM. You could send the data over the internet to a private server you control. Run your secret algorithm on that, and send the data back.

    In the old days they felt you could use electron microscopes and similar tools to read the residual signatures from the disk, and you could, so various governments therefore drew up secure disk wiping schemes like the famous 7-pass that's used by US Government. However, newer drives have a much higher density of data and we currently believe it's not possible to extract data meaningfully from a disk that's been zero filled once. It's known various intelligence agencies were unable to recover data from the wiped portions of Edward Snowden's Macbook. If you need another name to google w.r.t. secure erase, there is some work by Gutmann. I believe he was the original author of the '7 pass' paper.

    Of course with SSDs it's more complex as they can reorganise data with their internal controller, so you have no guarantee that if you write to the same spot on the disk twice you will actually get the same physical cell both times. However, a zero fill of the entire drive does work. To be honest I am not sure how SSDs do it, but I know you can't rely on file-level zero-fills on an SSD. It's got to include free space.

    The current recommended way to securely erase data when a PC is destroyed is an industrial shredding machine or thermite. It's just faster than any kind of erase. If you're reselling a machine, boot from a Linux USB stick and run "sfill". You can set the paranoia level in options. Personally I run full disk encryption on all my stuff, so even if someone does steal it, they ain't gonna get any data off it unless they hit me with a pipe until I give up the decryption keys.
     
    Last edited: Jun 15, 2015
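The free-space fill the post above points at ("It's got to include free space"), as an added Java example rather than code from the thread or from sfill: it writes random data into a fresh file on the target filesystem until a caller-supplied cap or a small usable-space floor is reached, forces the data to the device and then deletes the filler, so previously freed blocks get rewritten at least once. The class and method names, the 1 MiB chunk size, the 2 MiB floor and the 256 MiB demo cap are my assumptions. On flash this is best effort only, because the controller can still keep old copies in retired or over-provisioned blocks that no filesystem write can reach.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.FileChannel;
import java.nio.file.FileStore;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.security.SecureRandom;

/**
 * Added example, not from the thread: overwrite the free space of the
 * filesystem holding {@code dir} by filling it with random data, forcing the
 * writes to the device, and deleting the filler file again.
 *
 * Assumption: blocks the filesystem reports as free are the ones that held
 * deleted data. Drive-internal spare blocks and remapped cells are not reached,
 * so on an SSD this is best effort rather than a guarantee.
 */
public final class FreeSpaceFill {

    private static final int CHUNK = 1 << 20;          // 1 MiB per write
    private static final long FLOOR = 2L * CHUNK;      // stop before the disk is completely full

    private FreeSpaceFill() {}

    /**
     * Fill free space under {@code dir} with random data, up to {@code maxBytes}.
     * Returns the number of bytes actually written before the filler was deleted.
     */
    public static long fillFreeSpace(Path dir, long maxBytes) throws IOException {
        SecureRandom random = new SecureRandom();
        ByteBuffer buf = ByteBuffer.allocate(CHUNK);
        Path filler = dir.resolve(".free-space-fill-" + Long.toHexString(random.nextLong()));
        FileStore store = Files.getFileStore(dir);
        long written = 0;
        try (FileChannel ch = FileChannel.open(filler,
                StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE)) {
            while (written < maxBytes && store.getUsableSpace() > FLOOR) {
                random.nextBytes(buf.array());
                buf.clear();
                try {
                    while (buf.hasRemaining()) {
                        written += ch.write(buf);
                    }
                } catch (IOException diskFull) {
                    break; // out of space or similar: what is written so far is enough
                }
            }
            ch.force(true); // push the filler out of the page cache to the device
        } finally {
            Files.deleteIfExists(filler); // the blocks are handed back, now overwritten
        }
        return written;
    }

    /** Demo: fill at most 256 MiB of free space under the given (or temp) directory. */
    public static void main(String[] args) throws IOException {
        Path dir = args.length > 0
                ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.io.tmpdir"));
        long cap = 256L << 20;
        long n = fillFreeSpace(dir, cap);
        System.out.println("wrote " + n + " bytes of filler under " + dir);
    }
}
```

Run it with a cap first, as main() does, before pointing it at a whole volume: a full fill drives the filesystem to its floor and every other program writing to that disk will see the shortage while it runs.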