DOI: 10.1145/3289100.3289121
Research article

Making Whitelisting-Based Defense Work Against BadUSB

Published: 18 October 2018

Abstract

Universal Serial Bus (USB) devices are in widespread use across computing platforms, including IoT gadgets, but this popularity makes them attractive targets for exploits and for use as an attack vector by malicious software. In recent years, several reports [17] have ranked USB-based malware among the top 10 most common malware. This security flaw can slow the growing adoption of IoT devices, since most of them have USB ports. The research community and industry have tried to address the USB security problem by implementing authentication protocols to protect users' private information, by scanning a USB device's storage for malicious software against their own repositories of malware signatures, or simply by disallowing the use of USB devices on desktops. The new generation of USB malware does not hide in the storage area, which means it is not detectable by conventional anti-malware. BadUSB is malware recently introduced by security researchers: it modifies USB firmware and can attack every system into which the infected USB device is plugged. The only applicable solution against this new generation of malware is whitelisting. However, generating a unique fingerprint for USB devices is challenging. In this paper, we propose an accurate USB feature-based fingerprinting approach that lets us build a list of trusted USB devices as a device whitelist. Our solution prevents and detects BadUSB and similar attacks by generating a fingerprint from trusted USB devices' features and their primary usage. We verified the uniqueness of the generated fingerprints by analyzing real data collected over one year from USB drives used by students in academic computer labs. Our results indicate that our feature-based whitelisting approach identifies USB whitelist members with an accuracy of 98.5%.
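As an added illustration, not code from the paper, the following enrolls trusted devices by a fingerprint over their descriptor features and checks a re-plugged device against it; the feature set (vendor ID, product ID, serial, declared interface class triples) and the usage labels are assumptions made here, not necessarily the paper's features, and all device values are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

# Class codes from the USB-IF defined class list (reference [12]):
# 0x03 = HID (keyboards, mice), 0x08 = mass storage.
HID_CLASS, MASS_STORAGE_CLASS = 0x03, 0x08

@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interfaces: tuple  # (class, subclass, protocol) triples as enumerated

def identity(dev):
    """Stable identity of the physical device as the host reports it."""
    return f"{dev.vendor_id:04x}:{dev.product_id:04x}:{dev.serial}"

def fingerprint(dev):
    """Hash of identity plus sorted interface triples (enumeration order ignored)."""
    ifaces = ",".join(f"{c:02x}/{s:02x}/{p:02x}" for c, s, p in sorted(dev.interfaces))
    return hashlib.sha256(f"{identity(dev)}|{ifaces}".encode()).hexdigest()

def primary_usage(dev):
    """Assumed usage label derived from the classes declared at enrollment."""
    classes = {c for c, _, _ in dev.interfaces}
    if MASS_STORAGE_CLASS in classes:
        return "storage"
    return "hid" if HID_CLASS in classes else "other"

def enroll(trusted):
    """Whitelist keyed by identity, so a known stick can be compared to its enrolled state."""
    return {identity(d): (fingerprint(d), primary_usage(d)) for d in trusted}

def check(dev, whitelist):
    entry = whitelist.get(identity(dev))
    if entry is None:
        return "deny: not enrolled"
    enrolled_fp, usage = entry
    if enrolled_fp == fingerprint(dev):
        return "allow"
    # Same physical identity, but the firmware now declares a keyboard-class interface.
    if usage == "storage" and any(c == HID_CLASS for c, _, _ in dev.interfaces):
        return "deny: enrolled storage device now presents a HID interface"
    return "deny: fingerprint mismatch"

# Constructed sample devices (IDs and serials are placeholders, not real products).
STORAGE_IFACE, KEYBOARD_IFACE = (MASS_STORAGE_CLASS, 0x06, 0x50), (HID_CLASS, 0x01, 0x01)
TRUSTED = UsbDevice(0x1234, 0x5678, "SN-000001", (STORAGE_IFACE,))
RECLASSED = UsbDevice(0x1234, 0x5678, "SN-000001", (STORAGE_IFACE, KEYBOARD_IFACE))
UNKNOWN = UsbDevice(0x1234, 0x5678, "SN-000002", (STORAGE_IFACE,))
WHITELIST = enroll([TRUSTED])
```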

References

[1] BadAndroid. https://opensource.srlabs.de/projects/badusb. Accessed: 2015-09-24.
[2] Controlling device driver installation. https://technet.microsoft.com/en-us/library/cc731387(WS.10).aspx. Accessed: 2018-10-28.
[3] DeviceInstanceId. https://msdn.microsoft.com/en-us/library/windows/hardware/ff541327.aspx. Accessed: 2016-09-24.
[4] Everstrike device whitelist. http://www.everstrike.com/usbsecurity/help/device-whitelist.htm. Accessed: 2018-10-28.
[5] G DATA Software AG. How to be safe from USB attacks. https://www.gdata.at/at-usb-keyboard-guard. Accessed: 2015-09-24.
[6] How to allow authorized USB access on your network. http://www.solarwinds.com/log-event-manager/usb-access.aspx. Accessed: 2018-10-28.
[7] IronKey secure USB devices. http://www.ironkey.com/en-US/solutions/protect-against-badusb.html. Accessed: 2018-10-28.
[8] List of USB ID manufacturers. http://www.linux-usb.org/usb.ids. Accessed: 2018-10-28.
[9] Lumension Endpoint Security. http://bowmantec.com/eng/endpointsecurity/. Accessed: 2018-10-28.
[10] Symantec Data Loss Prevention. http://www.symantec.com/connect/articles/create-white-list-usb-disk-dlp-agent. Accessed: 2018-10-28.
[11] Ubuntu-Guardian. http://ubuntuforums.org/showthread.php?t=2158605. Accessed: 2018-10-28.
[12] USB class codes. http://www.usb.org/developers/definedclass. Accessed: 2018-10-28.
[13] USB device registry entries. http://msdn.microsoft.com/en-us/library/windows/hardware/jj649944.aspx. Accessed: 2018-10-28.
[14] USBGuard. https://github.com/dkopecek/usbguard. Accessed: 2018-10-28.
[15] USB Guardian. http://www.ghacks.net/2010/11/07/usb-waechter-only-allow-whitelisted-usb-devices-pc-access/. Accessed: 2018-10-28.
[16] Whitelisting and blacklisting. http://www.gfi.com/products-and-solutions/network-security-solutions/gfi-endpointsecurity/specifications/whitelisting-and-blacklisting. Accessed: 2018-10-28.
[17] Microsoft Security Intelligence Report, Vol. 20. Technical report, Microsoft Inc., Dec. 2015.
[18] J. Kang and D. Lee. Advanced white list approach for preventing access to phishing sites. In International Conference on Convergence Information Technology, 2007, pages 491--496. IEEE, 2007.
[19] L. Li, E. Berki, M. Helenius, and S. Ovaska. Towards a contingency approach with whitelist- and blacklist-based anti-phishing applications: what do usability tests indicate? Behaviour & Information Technology, 33(11):1136--1147, 2014.
[20] M. Neugschwandtner, A. Beitler, and A. Kurmus. A transparent defense against USB eavesdropping attacks. In Proceedings of the 9th European Workshop on System Security, page 6. ACM, 2016.
[21] S. Neuner, A. G. Voyiatzis, S. Fotopoulos, C. Mulliner, and E. R. Weippl. USBlock: Blocking USB-based keypress injection attacks. In F. Kerschbaum and S. Paraboschi, editors, Data and Applications Security and Privacy XXXII, pages 278--295, Cham, 2018. Springer International Publishing.
[22] K. Nohl, S. Krißler, and J. Lell. BadUSB: On accessories that turn evil. In BlackHat Conference Proceedings, pages 84--89. Security Research Labs, August 2014.
[23] R. Rao and S. Ali. A computer vision technique to detect phishing attacks. In 2015 Fifth International Conference on Communication Systems and Network Technologies (CSNT), pages 596--601, April 2015.
[24] S. Sikka, U. Srivastva, and R. Sharma. A review of detection of USB malware. International Journal of Engineering Science, 14283, 2017.
[25] D. T. Sullivan. Survey of malware threats and recommendations to improve cybersecurity for industrial control systems, version 1.0. Technical report, DTIC Document, 2015.
[26] D. J. Tian, A. Bates, and K. Butler. Defending against malicious USB firmware with GoodUSB. In Proceedings of the 31st Annual Computer Security Applications Conference, pages 261--270. ACM, 2015.
[27] B. Yang, D. Feng, Y. Qin, Y. Zhang, and W. Wang. TMSUI: A trust management scheme of USB storage devices for industrial control systems. IACR Cryptology ePrint Archive, 2015:22, 2015.
[28] M. Yoon. Using whitelisting to mitigate DDoS attacks on critical Internet sites. IEEE Communications Magazine, 48(7):110--115, 2010.

Cited By

(2023) The impostor among US(B). Proceedings of the 32nd USENIX Conference on Security Symposium, pages 5863-5880. DOI: 10.5555/3620237.3620565. Online publication date: 9 August 2023.

    Published In

    ICSDE'18: Proceedings of the 2nd International Conference on Smart Digital Environment
    October 2018, 214 pages
    ISBN: 9781450365079
    DOI: 10.1145/3289100

    In-Cooperation

    • University of Houston

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. BadUSB
    2. USB Malware
    3. Whitelist

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    ICSDE'18

    Acceptance Rates

    ICSDE'18 Paper Acceptance Rate 32 of 80 submissions, 40%;
    Overall Acceptance Rate 68 of 219 submissions, 31%
