Most sanitization tools ask the drive to erase itself and then walk away.
AAD-50 stays. It watches. It verifies. And it does not move to the next cycle until the hardware confirms the previous one actually completed.
This is the difference between assuming a drive is clean and knowing it.
NVMe Sanitize — Opcode 0x84 — is asynchronous.
When you issue the command, the drive acknowledges receipt instantly and returns control to the host. The actual erasure happens in the background, on the drive's internal ASIC, at silicon speeds the host cannot directly observe. The host has no way to know whether the operation completed correctly — or at all — unless it actively polls NVMe Log Page 0x81 (the Sanitize Status log page) and reads the SSTAT field.
The standard Linux tooling did not do this polling. It fired the command and returned. If drive firmware silently failed — which UC San Diego researchers documented happening in 3 of 12 drives they tested — the operator had no way to know.
AAD-50 fixes this at the architectural level.
After every single sanitize cycle, AAD-50 enters a polling loop against Log Page 0x81:
| SSTAT Code | Meaning | AAD-50 Action |
|---|---|---|
| 0x0 | Idle - no recent sanitize | Treat as complete, advance |
| 0x1 | Completed successfully | Hardware confirmed - advance to next cycle |
| 0x2 | Sanitize in progress | Continue polling (2 second interval) |
| 0x3 | Completed with errors | Abort - write fault record to audit log |
The loop runs on a 2-second poll interval with a 2-hour timeout per cycle. AAD-50 refuses to advance to the next cycle until SSTAT = 0x1 is returned. If SSTAT = 0x3 is returned at any point — the entire operation stops immediately and the fault is recorded in the audit log.
No cycle is assumed complete. Every cycle is confirmed.
AAD-50 executes a deliberate B -> C -> A phase sequence across 50 cycles. The order is not arbitrary — it is a security engineering decision.
NVMe Sanitize Opcode 0x84 | CDW10 = 0x02 | SANITIZE_ACTION_OVERWRITE
Phase B instructs the drive's internal controller to physically overwrite all NAND cells — including over-provisioned zones, bad-block retirement pools, and wear-levelling reserves that are completely invisible to the host operating system.
This is the phase that host-driven software tools like DBAN, nwipe, and DoD 5220.22-M cannot reach. Those tools push sequential writes from the host CPU across the PCIe bus. The drive's Flash Translation Layer intercepts those writes and redirects them to fresh physical blocks — leaving the original data untouched in hidden regions.
NVMe Sanitize with NSID=0xFFFFFFFF broadcasts to the entire drive subsystem. No hidden region is excluded.
The 40-cycle allocation provides redundancy against the class of transient firmware faults Wei et al. documented — where a drive executes a sanitize cycle incompletely without reporting an error. Multiple hardware-confirmed cycles ensure no physical location is missed regardless of firmware queue behaviour.
NVMe Sanitize Opcode 0x84 | CDW10 = 0x01 | SANITIZE_ACTION_BLOCK_ERASE
Phase C destroys the Flash Translation Layer's internal mapping tables — the index that tells the controller which logical block addresses map to which physical NAND locations.
After 40 cycles of Phase B, the physical cells have been overwritten. Phase C ensures the structural map that would allow reconstruction of the data layout is itself completely erased and rebuilt from a clean state. Read requests to any unallocated LBA after Phase C return a hardware-level Unwritten Block error before any forensic carving tool can scan the address.
NVMe Sanitize Opcode 0x84 | CDW10 = 0x04 | SANITIZE_ACTION_CRYPTO_ERASE
Phase A forces the drive to regenerate and overwrite its internal Media Encryption Key (MEK) registers — 5 consecutive times.
Phase A executes last. This is deliberate. Destroying the cryptographic key first — before physical overwrite — creates a window of vulnerability: if a hardware fault terminates the sequence mid-way, a state-sponsored adversary with physical chip access could attempt to reconstruct the original key through side-channel analysis before the overwrite completed.
By executing B first, then C, then A — physical destruction leads and cryptographic destruction seals. Partial execution of B -> C -> A is always safer than partial execution of A -> B -> C.
Software overwrite tools operate at the logical boundary layer. They push data from the host CPU, through the operating system storage stack, through the PCIe bus, and into the drive as normal write commands.
The Flash Translation Layer silently intercepts every one of those writes and redirects them to a fresh physical block — leaving the original data in over-provisioned zones, wear-levelling pools, and retired blocks the host can never reach.
Wei et al. (USENIX FAST 2011) proved this empirically. They tested every major government sanitization standard — DoD 5220.22-M, Gutmann 35-pass, German VSITR, British HMG IS5, US Air Force 5020 — against real SSD hardware. Every single one failed. Recoverable data ranged from 40 MB to nearly 1 GB from a 1 GB test file.
AAD-50 uses no software overwrites. Every cycle is a hardware NVMe Sanitize command issued directly to the drive's ASIC via IOCTL passthrough. The host machine is the orchestrator. The drive does the work — on its own internal buses, at silicon speeds, reaching every physical location including the ones the host cannot see.
After all 50 cycles complete, AAD-50 aggregates every cycle record — timestamp, action code, duration, completion status, and active passthrough tier — into a structured telemetry array.
A SHA-256 hash is computed over the key-sorted JSON serialisation of all 50 cycle records:
Audit Hash = SHA-256( JSON_sorted( CycleRecords[1..50] ) )
This hash is printed at the end of every run, embedded in the JSON audit log, and printed on the PDF Certificate of Destruction. It is tamper-evident — any modification to any cycle record changes the hash. Security auditors can verify the hash independently to confirm all 50 cycles completed cleanly on the hardware.
AAD-50 probes the connected device at runtime and selects the highest available command pathway before the first cycle is issued:
| Tier | Linux Interface | Windows Interface | Verification | Coverage |
|---|---|---|---|---|
| 1 - NVMe Direct | NVME_IOCTL_ADMIN_CMD | IOCTL_STORAGE_PROTOCOL_COMMAND | Log Page 0x81 per cycle | M.2/PCIe + UASP enclosures with NVMe passthrough |
| 2 - ATA/SCSI SAT | SG_IO via SCSI ATA PASS-THROUGH | IOCTL_ATA_PASS_THROUGH | Time-based (120s/cycle) | USB enclosures with UASP + SAT support |
| 3 - Block Layer | BLKDISCARD | IOCTL_STORAGE_REINITIALIZE_MEDIA | Time-based (180s/cycle) | USB enclosures blocking NVMe and ATA passthrough |
Tier 1 provides the strongest assurance — hardware-confirmed completion via Log Page 0x81 after every cycle. Tiers 2 and 3 use conservative time-based polling because the USB bridge chip intercepts NVMe log page reads. For maximum assurance, direct M.2/PCIe connection is always recommended.
AAD-50 is transparent about its limitations:
These limitations are documented in full in the whitepaper: https://doi.org/10.5281/zenodo.20839417
AAD-50 v1.1 - github.com/yonasabeselom/aad50