Defending Against Malicious USB Firmware with GoodUSB

USB attacks are becoming more sophisticated. Rather than using USB devices solely as a delivery mechanism for host-side exploits, attackers are targeting the USB stack itself, embedding malicious code in device firmware that covertly requests additional USB interfaces, providing unacknowledged and malicious functionality outside the apparent purpose of the device. This enables attacks such as BadUSB, in which a USB storage device with malicious firmware can covertly act as a keyboard as well, allowing it to inject malicious scripts into the host machine. We observe that the root cause of such attacks is that the USB stack exposes a set of unrestricted device privileges, and we note that the most reliable information about a device's capabilities comes from the end user's expectation of the device's functionality. We design and implement GoodUSB, a mediation architecture for the Linux USB stack that defends against BadUSB attacks by enforcing permissions based on user expectations of device functionality. GoodUSB includes a security image component to simplify use and a honeypot mechanism for observing suspicious USB activities. GoodUSB introduces only 5.2% performance overhead compared to the unmodified Linux USB subsystem. It is an important step forward in defending against USB attacks and towards allowing the safe deployment of USB devices in the enterprise.
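As an added illustration of the expectation-based mediation the abstract describes (this is not GoodUSB's own code; the policy table, helper names and descriptor bytes are constructed for this example), the following Python walks a constructed configuration descriptor of a BadUSB-style device that exposes both a mass-storage and a HID interface, and admits only the interface classes consistent with the device type the user declared.

```python
import struct

# USB interface class codes (USB-IF class code list) and descriptor type codes
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08
DT_CONFIG, DT_INTERFACE, DT_ENDPOINT, DT_HID = 0x02, 0x04, 0x05, 0x21

# Hypothetical policy table: what the user says the device is, mapped to the
# interface classes that kind of device is expected to expose.
EXPECTED_CLASSES = {"storage": {CLASS_MASS_STORAGE}, "keyboard": {CLASS_HID}}

def parse_interface_classes(config_descriptor: bytes):
    """Walk the descriptor chain; return (bInterfaceNumber, bInterfaceClass) per interface."""
    found, offset = [], 0
    while offset + 2 <= len(config_descriptor):
        length, dtype = config_descriptor[offset], config_descriptor[offset + 1]
        if length == 0:
            raise ValueError("zero-length descriptor at offset %d" % offset)
        if dtype == DT_INTERFACE and length >= 9:
            # bLength, bDescriptorType, bInterfaceNumber, bAlternateSetting, bNumEndpoints, bInterfaceClass, ...
            found.append((config_descriptor[offset + 2], config_descriptor[offset + 5]))
        offset += length
    return found

def mediate(config_descriptor: bytes, user_device_type: str):
    """Split interfaces into those matching the user's expectation (allowed) and the rest (denied)."""
    expected = EXPECTED_CLASSES[user_device_type]
    allowed, denied = [], []
    for iface in parse_interface_classes(config_descriptor):
        (allowed if iface[1] in expected else denied).append(iface)
    return allowed, denied

def _iface(num, cls, sub, proto, n_ep):
    return bytes([9, DT_INTERFACE, num, 0, n_ep, cls, sub, proto, 0])

def _ep(addr, attrs, max_packet, interval):
    return bytes([7, DT_ENDPOINT, addr, attrs]) + struct.pack("<H", max_packet) + bytes([interval])

# Constructed configuration descriptor for a BadUSB-style device: interface 0 is
# bulk-only mass storage, interface 1 is a boot-protocol HID keyboard the user never asked for.
_body = (_iface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2) + _ep(0x81, 0x02, 512, 0) + _ep(0x02, 0x02, 512, 0)
         + _iface(1, CLASS_HID, 0x01, 0x01, 1)
         + bytes([9, DT_HID, 0x11, 0x01, 0x00, 0x01, 0x22, 63, 0])  # HID class descriptor, 63-byte report descriptor
         + _ep(0x83, 0x03, 8, 10))
BADUSB_DESCRIPTOR = (bytes([9, DT_CONFIG]) + struct.pack("<H", 9 + len(_body))
                     + bytes([2, 1, 0, 0x80, 50]) + _body)

print(mediate(BADUSB_DESCRIPTOR, "storage"))  # ([(0, 8)], [(1, 3)]): the hidden keyboard is denied
```

A mediator in this style could then bind a driver only to the allowed interfaces and route the denied ones to a honeypot for observation, which is the role the abstract assigns to GoodUSB's honeypot component.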
