DOI: 10.1145/3339252.3339268
research-article

Using Context and Provenance to defend against USB-borne attacks

Published: 26 August 2019

Abstract

Today's readily available security measures for defending computers against malicious USB devices either show pop-ups that require the user to allow each interaction, or use identity-based rules for attaching peripheral devices to allow or deny interaction with a new USB device, which again involves the user. In this paper, we propose a novel strategy for defending against USB attacks with the main goal of not involving the user.
To make the security-relevant decision, we take both the context of the user's session and the provenance of the security-relevant event into account. That is, we assume that the user cannot plug a device into their machine when they are not present, e.g. when they have left their computer. We infer that the state of the lock screen relates to the presence of the user and do not allow new USB devices when the screen is locked. Further, we deflect traditional BadUSB attacks by taking the provenance of dangerous keystrokes into account when making an automated security decision. We extend the same idea to other security-relevant contexts, such as network reconfiguration.
To substantiate our claims, we identify two classes of USB-borne attacks: driver exploitation and user emulation. While exploits of the first class could and can be prevented with secure coding and runtime mitigations, the second class does not rely on bugs in code but rather masquerades one device as another. We also investigate real-world usage of USB and present data which shows that we can expect users to have a single keyboard. Consequently, we increase protection against these masquerading attacks by filtering keys deemed dangerous or preventing security-relevant actions if the keystroke originated from a newly attached USB device. We present an implementation of our filter for both GNU/Linux and Microsoft Windows.
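The decision logic the abstract describes, modelled as an added example (not the authors' GNU/Linux or Windows implementation): attachment is decided by lock-screen context, keystrokes by the provenance of the device that sent them. The set of dangerous key combinations, the device names, and the rule that devices present at session start are trusted are assumptions made for illustration.

```python
from dataclasses import dataclass, field
# Assumption: the abstract does not say which keys are "dangerous";
# these launcher/terminal shortcuts are illustrative placeholders.
DANGEROUS = {frozenset({"ALT", "F2"}), frozenset({"META", "R"}),
             frozenset({"CTRL", "ALT", "T"})}

@dataclass
class Session:
    trusted: set                      # input devices present at session start
    screen_locked: bool = False
    new_devices: set = field(default_factory=set)

    def on_attach(self, dev):
        # Context: a locked screen is taken to mean the user is absent.
        if self.screen_locked:
            return "deny"
        self.new_devices.add(dev)
        return "allow"

    def on_keys(self, dev, keys):
        # Provenance: the decision depends on which device produced the keys.
        if dev in self.trusted:
            return "pass"
        if dev not in self.new_devices:
            return "drop"             # device was never admitted
        return "drop" if frozenset(keys) in DANGEROUS else "pass"

def replay(events, trusted=("kbd0",)):
    """Run (kind, arg[, keys]) events through the policy, return decisions."""
    s, out = Session(trusted=set(trusted)), []
    for kind, arg, *rest in events:
        if kind == "lock":
            s.screen_locked = arg
        elif kind == "attach":
            out.append((arg, s.on_attach(arg)))
        elif kind == "keys":
            out.append((arg, s.on_keys(arg, rest[0])))
    return out

# Constructed event trace (device names are hypothetical).
EVENTS = [
    ("keys", "kbd0", ("ALT", "F2")),   # user's own keyboard
    ("attach", "usb1"),                # plugged in while unlocked
    ("keys", "usb1", ("A",)),
    ("keys", "usb1", ("ALT", "F2")),   # dangerous combo from new device
    ("lock", True),
    ("attach", "usb2"),                # plugged in while locked
    ("keys", "usb2", ("A",)),
]
```

Calling `replay(EVENTS)` shows that the new device's ordinary keys pass while its dangerous combination is dropped, and that nothing attached during the locked period is admitted, all without prompting the user.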


Published In

ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security
August 2019
979 pages
ISBN: 9781450371643
DOI: 10.1145/3339252
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. USB attacks
  2. usability
  3. usable security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES '19

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Downloads (last 12 months): 29
  • Downloads (last 6 weeks): 0

Reflects downloads up to 20 Feb 2025

Cited By

  • (2025) Transformer-based GAN-augmented Defender for Adversarial USB Keystroke Injection Attacks. Proceedings of the 26th International Conference on Distributed Computing and Networking, 94-103. DOI: 10.1145/3700838.3700871. Online publication date: 4-Jan-2025
  • (2025) USB-GATE: USB-based GAN-augmented transformer reinforced defense framework for adversarial keystroke injection attacks. International Journal of Information Security 24:2. DOI: 10.1007/s10207-025-00997-2. Online publication date: 16-Feb-2025
  • (2023) A story-driven gamified education on USB-based attack. Journal of Computing in Higher Education. DOI: 10.1007/s12528-023-09392-z. Online publication date: 9-Oct-2023
  • (2021) BADUSB-C: Revisiting BadUSB with Type-C. 2021 IEEE Security and Privacy Workshops (SPW), 327-338. DOI: 10.1109/SPW53761.2021.00053. Online publication date: May-2021
  • (2021) Let’s Attest! Multi-modal Certificate Exchange for the Web of Trust. 2021 International Conference on Information Networking (ICOIN), 758-763. DOI: 10.1109/ICOIN50884.2021.9333877. Online publication date: 13-Jan-2021
