LXI Data Erasure in Secure Environments
In some secure test environments extraordinary measures may be required to ensure that test instrumentation has no "memory" of the tests it has been asked to perform in the secure environment. Essentially the instrumentation must enter the test area in a defined state and leave the test area in the same state.
As computer controlled devices contain memory, in some cases there may be concern that it is possible to retrieve information from a device that reveals details about the device under test. For an LXI Device providing the switching functions of a Pickering Interfaces switching solution, the stored information is limited and usually provides few clues as to what was tested. Even so, some traces may remain; this note explains what the issues are and how they can be handled.
All Pickering LXI products are based upon a standard controller platform which contains a microprocessor controller and the storage media used for the device's operating system.
The controller memory is divided into three types, two of which are non-volatile. Their function, type and size are:
- RAM. This is volatile memory and its contents are erased upon power down. It is not possible to read the previous contents of this memory after a power down. This memory is used as temporary workspace whilst the device is running and contains portions of the operating system to speed execution, as well as state information and other temporary variables. A small circular buffer contains the device's system log.
- Boot Flash. Typically in the 4Mb to 16Mb size, this memory contains the system boot loader and operating system kernel used to initialise the device. This is program code and not user accessible.
- Main Flash. An area in excess of 64Mb in size, this area contains the configuration files used by the operating system and many system libraries. It stores the user's preferences, such as the device's IP address and the port settings used to control the device.
The controller and its memory are a compact part of any LXI Device, confined to a relatively small PCB which plugs into a larger distribution board.
The main concern is what information is contained within the LXI Device after the testing has been performed compared to the information it contained when it entered the test area for the first time. Information stored in Pickering Interfaces LXI Switching Solutions can be divided into three types: Retained Settings, Non-Retained Settings and Configuration Information.
- Retained settings. The only information retained inside the system at power up is the user's network communication settings. No previous instrumentation settings are stored and it is not possible to retrieve previous instrument configurations or operating history. Retained information includes the device IP address and other custom settings made by the operator for communication and control. The system MAC address, a non-volatile network identifier, is set at the factory and cannot be changed or erased. Retained information is only located in the controller board.
- Non-retained settings. Information which is deleted or erased at power off, including the system log which is held in RAM, and the instrument state. No previous history of instrument or switching commands is stored; consequently this information raises no issues in a secure environment.
- Configuration Information. The assemblies that contain the switches (relays) that handle the user signals contain non-volatile stores holding configuration information that describes the switching system on that assembly. This configuration can only be changed by Pickering Interfaces; the information is created when the Device is manufactured. The information stored does not change when the switching system is used. The information is therefore always the same for a given switching assembly and raises no issues when used in a secure environment.
Erasing Network Settings
A "factory default" reset is available on all Pickering LXI Devices as required by the LXI Specification. This returns the device's network configuration to that configured by Pickering at the factory, erasing any and all setting changes effected by the operator. This is activated by holding the reset button on the rear of the unit in for longer than five seconds. Operating the reset for a shorter period than five seconds will simply cause the unit to reboot without changing the network settings.
Once the factory configuration is loaded, the device must then be configured as outlined in the "Getting started guide", provided with the unit. Essentially the LXI Device has to be handled as though it has never been used and is in the same state as when originally supplied by Pickering Interfaces.
Complete system erase
It is not possible to entirely erase the non-volatile memory without effectively destroying the LXI Device. As the operating system and boot loader are stored in the Flash memory, erasing this causes the unit to become entirely unresponsive, whereupon the unit must be returned to Pickering for reprogramming.
Just as is the case with hard drives, erasure of settings in the non-volatile store does not necessarily over-write information - the space is simply marked as being available for writing to. In theory a sufficiently motivated user could remove the non-volatile store and try to read its contents in the areas where the reset operation has marked the store as being available for writing to. This would be awkward to do, as the store is directly soldered in place and no information is provided on how to interpret the information in the store. So this store could be construed as a small but nonetheless present risk.
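The remanence issue described above, as an added illustration that is not Pickering's firmware or any real device layout: a constructed model of a settings store in which a factory reset only clears the in-use flag of each block, so a raw read of the chip still contains the old IP address, whereas an overwrite (shown only for contrast; the note above explains why no such operation is offered for the device's flash) leaves nothing to recover.

```python
from dataclasses import dataclass, field

BLOCK_SIZE = 64  # constructed value; real flash geometry is not documented on the page


@dataclass
class SettingsStore:
    """Toy model of a non-volatile settings area: a flat byte array plus one
    'free' flag per block. A reset only touches the flags, never the bytes."""
    blocks: int = 4
    data: bytearray = field(init=False)
    free: list = field(init=False)

    def __post_init__(self) -> None:
        self.data = bytearray(b"\xff" * (self.blocks * BLOCK_SIZE))  # erased flash reads 0xFF
        self.free = [True] * self.blocks

    def write_setting(self, block: int, value: bytes) -> None:
        assert len(value) <= BLOCK_SIZE
        start = block * BLOCK_SIZE
        self.data[start:start + len(value)] = value
        self.free[block] = False

    def factory_reset(self) -> None:
        # What the note describes: blocks are marked available, contents stay.
        self.free = [True] * self.blocks

    def overwrite_and_reset(self) -> None:
        # Contrast case: every byte rewritten before the blocks are freed.
        self.data[:] = b"\xff" * len(self.data)
        self.free = [True] * self.blocks

    def settings_view(self) -> list:
        # What the running device reports: only blocks still marked in use.
        return [bytes(self.data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]).rstrip(b"\xff")
                for i in range(self.blocks) if not self.free[i]]

    def raw_dump(self) -> bytes:
        # What a read of the desoldered chip would return: every byte, free or not.
        return bytes(self.data)


def remnant_after_reset(old_ip: bytes) -> bool:
    """True if the old IP is gone from the device's view but still in the raw dump."""
    store = SettingsStore()
    store.write_setting(0, b"ipaddr=" + old_ip)
    store.factory_reset()
    return store.settings_view() == [] and old_ip in store.raw_dump()


def remnant_after_overwrite(old_ip: bytes) -> bool:
    store = SettingsStore()
    store.write_setting(0, b"ipaddr=" + old_ip)
    store.overwrite_and_reset()
    return old_ip in store.raw_dump()
```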
Where complete secure erasure is required, Pickering recommends the removal and physical destruction of the controller board. A replacement microprocessor board can then be ordered from Pickering Interfaces, which will require the user to provide the serial and model number of the LXI Device. Contact Pickering Interfaces for replacements; relevant part number information can be found in the product manual.
Pickering Interfaces LXI devices contain memory that stores user communication and network settings. It is not possible to retrieve instrument or switch configurations that have been used by the Device after the power is removed. Where network information is considered to be sensitive information a factory reset can be performed to erase these settings and return the Device to the factory default state.
Where special data retention or disposal regulations exist, Pickering Interfaces suggests the removal and physical destruction of the controller board. Destruction of the rest of the LXI Device is not required.