The Misunderstood WORM – Securing Data with the Flash Controller
May 25, 2023
When people hear ‘WORM’ in connection with computers, they often think of malware making its way inside a machine and exploiting its vulnerabilities. It can in fact mean quite the contrary.
In computer media, WORM is an acronym that stands for Write Once, Read Many and refers to a security use-case used in data storage across the globe. While it is a functionality securing data through ‘integrity’ in the CIA triad, it should not be confused with the overarching umbrella term ‘data security’ – a concept often associated with confidentiality.
Fig 1. Confidentiality, integrity, and availability make up the CIA triad and are considered equally important principles in ensuring the security of data.
WORM is a type of data storage technology that allows data to be written to a storage device once and then read multiple times while preventing said data from being overwritten, erased, or altered in any way. Data stored on a WORM compliant device is considered immutable. Authorized users can read the data as often as needed, but they cannot change it. Immutable storage plays a pivotal role in meeting secure data compliance requirements around the world.
Fig 2. WORM functionality
This type of storage technology is purposely non-rewritable to prevent anyone from intentionally or accidentally erasing or modifying critical data after it is initially stored. It is the ideal technology for storing data that needs to be kept secure and tamper-proof. For this reason, organizations subject to compliance rules find the technology especially useful, making it a popular feature in industries such as finance, healthcare, legal and in government agencies, or for archival purposes where data integrity and compliance regulations are strict and controlled.
Fig 3. Different use cases where WORM functionality is critical
WORM functionality is also used for the distribution of copyright-protected data across a range of different platforms, including but not limited to PC or console games. In these instances, it is a ‘Read Many’ application; the ‘Write Once’ happens in production. While this functionality may not appear to fall under the "security" umbrella, it ensures creator ‘integrity’, a crucial principle of the CIA triad.
Traditionally, WORM drives come in various forms such as optical disks, magnetic HDDs, and tape drives (often in combination with other data storage technologies to ensure data integrity and longevity). In each application, the WORM functionality can be implemented differently, for instance through hardware, software on the host OS (Operating System) or through firmware extensions on the flash controller itself. From complying with regulatory requirements to safeguarding files and maintaining data integrity, the flash memory controller is responsible for enabling a range of secure functionality within storage devices.
Fig 4. Goals for implementing WORM devices
But how is WORM functionality implemented? What are the different approaches?
To explain how WORM functionality is implemented, one must first understand the different approaches to enabling WORM.
Generally speaking, there are four approaches.
- True/physical WORM (traditional tape drives; never erasable)
- Firmware Extension WORM (implemented either through simple firmware flags or eFuse bits)
- Software WORM (implemented on the host OS)
A common argument against a true/physical WORM in today’s data landscape is that in some use cases (if it is holding personal data) it may not conform to GDPR regulations. While one can argue that if WORM does not conform with GDPR, one should simply not use it, there are cases where legal constraints require information, including personal data, to be stored in non-modifiable form.
This issue is circumvented in software WORM compliant implementations, as data can still be overwritten (with the appropriate access rights). A common argument is that any drive on which the data can be overwritten is just a normal drive with access rights, not a WORM drive. This argument holds, and it is the reason software WORM vendors promote their products as “WORM compliant”, as their products still comply with (GDPR) regulations. More often than not, regulations do not absolutely forbid alterations, but they require them to be unmodifiably documented.
How does a true/physical WORM operate?
A true/physical WORM refers to the origins of the technology, where it was carried out on tape drives. In this approach, the write-once capability is achieved by using a specialized type of photosensitive tape that has a special coating which reacts to heat from a laser.
When data is written to the tape, the laser heats the coating, causing it to change its physical state and become permanently fixed. This process is known as "burning" or "writing" the data to the tape.
With a true/physical WORM, once the data has been written to the tape, it cannot be erased, modified, or overwritten, ever. This ensures that the data remains unchanged and tamper-proof, making it ideal for applications where data integrity is critical. Depending on the use case, this permanent approach has fallen into obscurity because of GDPR compliance regulations.
How does a software WORM on the Host OS operate?
Software WORM is usually implemented in large-scale server settings, which typically host a complete document management system and include WORM functionality. That said, this approach is the most diverse in quality and reliability, as every software vendor implements it differently.
Often, software WORMs attach storage drives to a host system and use access rights to implement WORM functionality. What is written to said storage can then be controlled by the system administrator and can be set to allow only the administrator to write to that drive. An application with write access that implements WORM functionality can now take write requests with data from users and store them to unused areas in the write-once drive. This application does not take any delete or change requests. Now, only the administrator can change/delete the content. Furthermore, any administrator activity must be logged to ensure proof and non-repudiation.
How does the NAND flash controller enable WORM functionality?
The NAND flash controller can enable WORM functionality in two different ways: either through an activated e-Fuse, which is never erasable (an e-Fuse is a type of non-volatile memory with OTP, One-Time Programmable, capability), or through simple flags in the controller’s firmware, which may be reset by the administrator (logged) but otherwise prevent any further modifications or erasures of that data.
To enable WORM functionality on a flash controller, the controller needs to implement a feature called write protection. Write protection is a mechanism that prevents data from being modified or erased once it has been written to the flash memory. This can be implemented in different ways depending on the specific controller and application requirements.
One method of implementing write protection is to use a firmware-based approach. In this case, the flash controller firmware can implement a write-protection flag that is set when data is written to the memory. Once the write-protection flag is set, any attempts to modify or erase the data will be blocked by the controller.
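The write-protection flag described above, modelled as a host-side C simulation (an added example, not Hyperstone firmware or its API). The names `worm_ctrl`, `worm_modify`, `worm_admin_reset` and `worm_blow_efuse`, the block geometry, and the choice to model the e-Fuse as a bit that makes the flags permanent are assumptions made for illustration.

```c
/* Host-side simulation of a firmware write-protection flag; names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCKS 4       /* constructed geometry */
#define BLOCK_SIZE 16

typedef enum { WORM_OK, WORM_ERR_RANGE, WORM_ERR_PROTECTED, WORM_ERR_FUSED } worm_status;

typedef struct {
    uint8_t  data[BLOCKS][BLOCK_SIZE];
    bool     locked[BLOCKS];  /* write-protection flag, one per block */
    bool     efuse_blown;     /* models an OTP bit: set once, never cleared */
    unsigned admin_resets;    /* stand-in for the log of administrator resets */
} worm_ctrl;

/* Write (buf != NULL) or erase (buf == NULL); both pass the same flag check. */
worm_status worm_modify(worm_ctrl *c, unsigned blk, const void *buf, size_t len) {
    if (blk >= BLOCKS || len > BLOCK_SIZE) return WORM_ERR_RANGE;
    if (c->locked[blk]) return WORM_ERR_PROTECTED;
    memset(c->data[blk], 0xFF, BLOCK_SIZE);    /* erased NAND reads as 0xFF */
    if (buf) {
        memcpy(c->data[blk], buf, len);
        c->locked[blk] = true;                 /* flag is set when data is written */
    }
    return WORM_OK;
}

/* Administrator reset of a flag: counted, and refused once the e-Fuse is blown. */
worm_status worm_admin_reset(worm_ctrl *c, unsigned blk) {
    if (blk >= BLOCKS) return WORM_ERR_RANGE;
    if (c->efuse_blown) return WORM_ERR_FUSED;
    c->locked[blk] = false;
    c->admin_resets++;
    return WORM_OK;
}

void worm_blow_efuse(worm_ctrl *c) { c->efuse_blown = true; }  /* no inverse exists */

int main(void) {
    worm_ctrl c = {0};
    worm_modify(&c, 0, "record-1", 8);
    printf("overwrite: %d\n", worm_modify(&c, 0, "tampered", 8));
    worm_blow_efuse(&c);
    printf("reset after fuse: %d\n", worm_admin_reset(&c, 0));
    return 0;
}
```

Because the check sits in the controller model rather than in the caller, a host with full privileges still receives `WORM_ERR_PROTECTED`; the only path back to a writable block is the counted administrator reset, and that path closes once the e-Fuse is blown.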
The benefit of a firmware-based approach in comparison to a software WORM on the OS is that it is resistant to malware on the host OS. Furthermore, it could be used as removable media, which is not possible if the WORM functionality is given by the host. For example, in a production chain where each step needs to be recorded (for a given legal reason), a thumb drive could lend itself well to this use case, as it could follow a product through said production chain, recording each protocol along the way.
Hyperstone Flash Memory Controllers
As data security threats grow, so too do the demands on the flash controller in ensuring secure functionality within a given storage device. The value of WORM is growing, especially in industrial applications where security and data integrity are essential. Since traditional WORM methods do not lend themselves to the data compliance requirements of the times, and host OS software approaches are immobile and more prone to malware threats, the optimal WORM functionality today is enabled by the flash controller.
Hyperstone flash controllers are designed for demanding solutions where security customization and use case optimization are necessary to meet the requirements of a given storage system. The company’s API allows engineers and security experts to develop individual, undisclosed firmware, enabling WORM and other secure functionality in their drives. This allows companies to benefit from the high-end flash management from Hyperstone while still being able to optimize the drive securely and independently from third parties.
Systems based on Hyperstone controllers with WORM functionality can be used to ensure data stored is tamper-proof and immutable, all while providing a secure and reliable way to store critical data across a range of applications.
Rebecca Reinkunz is a release manager at Hyperstone, a leading developer of embedded flash controllers. Reinkunz plans, organizes and oversees firmware releases from request through the entire development process to the actual release. As a technology futurist, she helps Hyperstone identify new technology investment areas and issues, including security, to better address customer requirements. Before joining Hyperstone, she completed her master’s degree in industrial engineering with a focus on electrical engineering and information technology at the HTWG Konstanz.