TU Darmstadt / ULB / TUbiblio

Using Context and Provenance to Defend Against USB-borne Attacks

Mueller, Tobias ; Zimmer, Ephraim ; de Nittis, Ludovico (2019)
Using Context and Provenance to Defend Against USB-borne Attacks.
14th International Conference on Availability, Reliability and Security. Canterbury, United Kingdom (26.-29.08.2019)
doi: 10.1145/3339252.3339268
Conference publication, Bibliography

Abstract

Today's readily available security measures to defend one's computers against malicious USB devices either show popups that require the user to allow each interaction, or they use identity-based peripheral devices attachment rules to allow or deny interaction with the new USB device, which again involves the user. In this paper, we propose a novel strategy for defending against USB attacks with the main goal of not involving the user.

For making the security relevant decision, we take both context of the user's session and provenance of the security relevant event into account. That is, we assume that the user cannot plug a device into their machine when they are not present, e.g. when they have left their computer. We infer that the state of the lock screen relates to the presence of the user and do not allow new USB devices when the screen is locked. Further, we deflect traditional BadUSB attacks by taking the provenance of dangerous keystrokes into account when making an automated security decision. We extend the same idea to other security relevant contexts, such as network re-configuration.

To substantiate our claims, we identify two classes of USB-borne attacks: driver exploitation and user emulation. While the first exploits could and can be prevented with secure coding and runtime mitigations, the second does not circumvent bugs in code but rather masquerades a device as another. We also investigate real-world usage of USB and present data which shows that we can expect users to have a single keyboard. Consequently, we increase protection against said masquerading attacks by filtering keys deemed dangerous or preventing security relevant actions if the keystroke originated from a newly attached USB device. We present an implementation of our filter for both GNU/Linux and Microsoft Windows.

Item type: Conference publication
Published: 2019
Author(s): Mueller, Tobias ; Zimmer, Ephraim ; de Nittis, Ludovico
Type of entry: Bibliography
Title: Using Context and Provenance to Defend Against USB-borne Attacks
Language: English
Year of publication: August 2019
Publisher: ACM
Book title: ARES '19 : Proceedings of the 14th International Conference on Availability, Reliability and Security
Event title: 14th International Conference on Availability, Reliability and Security
Event location: Canterbury, United Kingdom
Event date: 26.-29.08.2019
DOI: 10.1145/3339252.3339268
Additional information:

Art.No.: 1

Department(s)/field(s): 20 Department of Computer Science
20 Department of Computer Science > Telecooperation
Date deposited: 05 Feb 2021 09:17
Last modified: 05 Feb 2021 09:17