Abstract
In recent years, many attacks targeting USB have been proposed. Besides spreading viruses through USB storage, attackers tend to attack USB stacks, because in most cases any information from devices is trusted. In this paper, we design a system named Curtain on Windows to defend against those attacks by analyzing their IRP flows. Curtain is deployed as a filter driver in the USB stack on Windows. It sniffs all the IRP flows of each USB device and analyzes them. It is based on the fact that an attack always happens in a short time, and that is reflected in the IRP flows. In short, Curtain provides a solution for defending against USB attacks on Windows by inserting a filter driver into USB stacks and capturing the behavior of each device.
Acknowledgement
This work is sponsored by the National Natural Science Foundation of China (61373168).
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Fu, J., Huang, J., Zhang, L. (2017). Curtain: Keep Your Hosts Away from USB Attacks. In: Nguyen, P., Zhou, J. (eds) Information Security. ISC 2017. Lecture Notes in Computer Science, vol 10599. Springer, Cham. https://doi.org/10.1007/978-3-319-69659-1_25
DOI: https://doi.org/10.1007/978-3-319-69659-1_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-69658-4
Online ISBN: 978-3-319-69659-1
eBook Packages: Computer Science, Computer Science (R0)