ProvUSB: Block-level Provenance-Based Data Protection for USB Storage Devices

Defenders of enterprise networks have a critical need to quickly identify the root causes of malware and data leakage. Increasingly, USB storage devices are the media of choice for data exfiltration, malware propagation, and even cyber-warfare. We observe that a critical aspect of explaining and preventing such attacks is understanding the provenance of data (i.e., the lineage of data from its creation to its current state) on USB devices as a means of ensuring their safe usage. Unfortunately, provenance tracking is not offered by even sophisticated modern devices. This work presents ProvUSB, an architecture for fine-grained provenance collection and tracking on smart USB devices. ProvUSB maintains data provenance by recording reads and writes at the block layer and reliably identifying the hosts editing those blocks through attestation over the USB channel. Our evaluation finds that ProvUSB imposes a one-time 850 ms overhead during USB enumeration, but approaches bare-metal runtime performance (90% of throughput) on larger files during normal execution, and incurs less than 0.1% storage overhead for provenance in real-world workloads. ProvUSB thus provides essential new techniques in the defense of computer systems and USB storage devices.
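The following Python model is an added illustration of the two mechanisms the abstract describes, and is not the paper's implementation: a device-side log of block reads and writes, each tagged with the host identity fixed at enumeration, plus the provenance queries a defender would run afterwards (a block's lineage, which hosts wrote it, which other hosts read it, and the blast radius of a given host). The attestation step is simplified to comparing a presented measurement against a stored expected value per host; that, the record layout, the host names and the scenario data are all constructed assumptions, as the page gives no such detail.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ProvRecord:
    """One block-layer event as the device logs it (field layout is an assumption)."""
    seq: int       # device-assigned, monotonically increasing
    host_id: str   # host identity established by attestation at enumeration
    op: str        # "read" or "write"
    block: int     # logical block address touched


class ProvUSBDevice:
    """Toy smart USB storage device that logs block I/O per attested host."""

    def __init__(self, num_blocks: int, block_size: int = 512) -> None:
        self.block_size = block_size
        self.blocks: List[bytes] = [bytes(block_size)] * num_blocks
        self.log: List[ProvRecord] = []
        self.session_host: Optional[str] = None
        # host_id -> expected attestation measurement (constructed sample data)
        self.trusted_hosts: Dict[str, bytes] = {}

    def enumerate(self, host_id: str, measurement: bytes) -> bool:
        """Attest the host once per USB enumeration; an unattested host gets no session."""
        expected = self.trusted_hosts.get(host_id)
        ok = expected is not None and hmac.compare_digest(expected, measurement)
        self.session_host = host_id if ok else None
        return ok

    def _record(self, op: str, block: int) -> None:
        # Every block operation is refused without a session and logged with one.
        if self.session_host is None:
            raise PermissionError("block I/O refused: no attested host session")
        if not 0 <= block < len(self.blocks):
            raise IndexError(f"block {block} out of range")
        self.log.append(ProvRecord(len(self.log), self.session_host, op, block))

    def write(self, block: int, data: bytes) -> None:
        self._record("write", block)
        self.blocks[block] = data.ljust(self.block_size, b"\0")[: self.block_size]

    def read(self, block: int) -> bytes:
        self._record("read", block)
        return self.blocks[block]

    # --- provenance queries a defender runs after an incident ---

    def lineage(self, block: int) -> List[ProvRecord]:
        """Every recorded event on a block, oldest first."""
        return [r for r in self.log if r.block == block]

    def writers_of(self, block: int) -> List[str]:
        """Distinct hosts that modified the block, in first-write order."""
        seen: List[str] = []
        for r in self.lineage(block):
            if r.op == "write" and r.host_id not in seen:
                seen.append(r.host_id)
        return seen

    def cross_host_readers(self, block: int) -> Set[str]:
        """Hosts that read the block after a different host wrote it: the
        path by which data leaves one machine and arrives on another."""
        readers: Set[str] = set()
        last_writer: Optional[str] = None
        for r in self.lineage(block):
            if r.op == "write":
                last_writer = r.host_id
            elif last_writer is not None and r.host_id != last_writer:
                readers.add(r.host_id)
        return readers

    def blocks_touched_by(self, host_id: str) -> Set[int]:
        """Blast radius of a host later found to be compromised."""
        return {r.block for r in self.log if r.host_id == host_id}


def demo() -> dict:
    """Constructed scenario: two trusted hosts share data; an unknown host is refused."""
    dev = ProvUSBDevice(num_blocks=8)
    dev.trusted_hosts = {"host-A": b"\x01" * 32, "host-B": b"\x02" * 32}

    assert dev.enumerate("host-A", b"\x01" * 32)
    dev.write(0, b"report.docx header")
    dev.write(1, b"report.docx body")

    assert dev.enumerate("host-B", b"\x02" * 32)
    dev.read(1)                   # host-B consumes data produced on host-A
    dev.write(2, b"notes.txt")

    refused = not dev.enumerate("host-C", b"\x03" * 32)   # unknown host, no session
    try:
        dev.read(0)
        refused = False
    except PermissionError:
        pass

    return {
        "writers_of_1": dev.writers_of(1),
        "cross_readers_1": dev.cross_host_readers(1),
        "blocks_of_B": dev.blocks_touched_by("host-B"),
        "unattested_refused": refused,
        "log_len": len(dev.log),
    }


if __name__ == "__main__":
    print(demo())
```

Because the host identity is bound once at enumeration and then stamped on every block record, the queries need no cooperation from the host operating system: a compromised host can lie about files, but not about which blocks it read or wrote through the device. The refused read by the unknown host also leaves no record, which is why `log_len` stays at four events in the scenario.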
