Kevin R.B. Butler
ABSTRACT
Portable storage devices, such as key-chain USB devices, are ubiquitous and used everywhere; users repeatedly use the same storage device in open computer laboratories, Internet cafes, and on office and home computers. Consequently, they are the target of malware that exploit the data present or use them as a means to propagate malicious software., e.g., Conficker and Agent.bz. We present the Kells mobile storage system, which limits untrusted or unknown systems from accessing sensitive data by continuously validating the accessing host's integrity state. We explore the design and operation of Kells, and implement a proof-of-concept USB 2.0 storage device of experimental hardware. Our experiments indicate nominal overheads associated with host validation, with a worst-case throughput overhead of 1.22% for reads and 2.78% for writes.
- }}K. Butler, S. McLaughlin, and P. McDaniel. Kells: A Protection Framework for Portable Data. Technical Report NAS-TR-0134--2010, Network and Security Research Center, Pennsylvania State University, June 2010.Google Scholar
- }}K. R. B. Butler, S. McLaughlin, and P. D. McDaniel. Rootkit-Resistant Disks. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS'08), Alexandria, VA, USA, Oct. 2008. Google ScholarDigital Library
- }}A. Datta, J. Franklin, D. Garg, and D. Kaynar. A Logic of Secure Systems and its Application to Trusted Computing. In Proceedings of the 30th IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 2009. Google ScholarDigital Library
- }}L. Litty, H. A. Lagar-Cavilla, and D. Lie. Hypervisor Support for Identifying Covertly Executing Binaries. In Proceedings of the 17th USENIX Security Symposium, pages 243--258, San Jose, CA, USA, Aug. 2008. Google ScholarDigital Library
- }}Microsoft. BitLocker and BitLocker to Go. http://technet.microsoft.com/en-us/windows/dd408739.aspx, Jan. 2009.Google Scholar
- }}A. G. Pennington, J. D. Strunk, J. L. Griffin, et al. Storage-based Intrusion Detection: Watching storage activity for suspicious behavior. In Proceedings of the 12th USENIX Security Symposium, Washington, DC, USA, Aug. 2003. Google ScholarDigital Library
- }}P. Porras, H. Saidi, and V. Yegneswaran. An Analysis of Conficker's Logic and Rendezvous Points. Technical report, SRI Computer Science Laboratory, Mar. 2009.Google Scholar
- }}R. Sailer, X. Zhang, T. Jaeger, and L. van Doorn. Design and Implementation of a TCG-based Integrity Measurement Architecture. In Proceedings of the 13th USENIX Security Symposium, San Diego, CA, USA, Aug. 2004. Google ScholarDigital Library
- }}Seagate Technology LLC. Self-Encrypting Hard Disk Drives in the Data Center. Technology Paper TP583.1-0711US, Nov. 2007.Google Scholar
- }}A. Seshadri, M. Luk, E. Shi, et al. Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems. In Proceedings of ACM SOSP, Brighton, UK, 2005. Google ScholarDigital Library
- }}N. Shachtman. Under Worm Assault, Military Bans Disks, USB Drives. Wired, Nov. 2008.Google Scholar
- }}L. St. Clair, J. Schiffman, T. Jaeger, and P. McDaniel. Establishing and Sustaining System Integrity via Root of Trust Installation. In ACSAC, Miami, FL, USA, Dec. 2007.Google ScholarCross Ref
- }}TCG. TPM Main: Part 1 - Design Principles. Specification Version 1.2, Level 2 Revision 103. TCG, July 2007.Google Scholar
- }}TCG. TCG Storage Security Subsystem Class: Opal. Specification Version 1.0, Revision 1.0. Trusted Computing Group, Jan. 2009.Google Scholar
Index Terms
- Protecting portable storage with host validation
Recommendations
Storage-Based Intrusion Detection
Storage-based intrusion detection consists of storage systems watching for and identifying data access patterns characteristic of system intrusions. Storage systems can spot several common intruder actions, such as adding backdoors, inserting Trojan ...
Rootkit-resistant disks
CCS '08: Proceedings of the 15th ACM conference on Computer and communications securityRootkits are now prevalent in the wild. Users affected by rootkits are subject to the abuse of their data and resources, often unknowingly. Suchmalware becomes even more dangerous when it is persistent-infected disk images allow the malware to exist ...
An update-aware storage system for low-locality update-intensive workloads
ASPLOS '12Traditional storage systems provide a simple read/write interface, which is inadequate for low-locality update-intensive workloads because it limits the disk scheduling flexibility and results in inefficient use of buffer memory and raw disk bandwidth. ...
Comments