Using Context and Provenance to Defend Against USB-borne Attacks

Mueller, Tobias ; Zimmer, Ephraim ; de Nittis, Ludovico (2019):
Using Context and Provenance to Defend Against USB-borne Attacks.
In: ARES '19 : Proceedings of the 14th International Conference on Availability, Reliability and Security,
ACM, 14th International Conference on Availability, Reliability and Security, Canterbury, United Kingdom, 26.-29.08.2019, ISBN 978-1-4503-7164-3,
DOI: 10.1145/3339252.3339268,
[Conference or Workshop Item]

Abstract

Today's readily available security measures to defend one's computers against malicious USB devices either show popups that require the user to allow each interaction, or they use identity-based peripheral devices attachment rules to allow or deny interaction with the new USB device, which again involves the user. In this paper, we propose a novel strategy for defending against USB attacks with the main goal of not involving the user. For making the security relevant decision, we take both context of the user's session and provenance of the security relevant event into account. That is, we assume that the user cannot plug a device into their machine when they are not present, e.g. when they have left their computer. We infer that the state of the lock screen relates to the presence of the user and do not allow new USB devices when the screen is locked. Further, we deflect traditional BadUSB attacks by taking the provenance of dangerous keystrokes into account when making an automated security decision. We extend the same idea to other security relevant contexts, such as network re-configuration. To substantiate our claims, we identify two classes of USB-borne attacks: driver exploitation and user emulation. While the first exploits could and can be prevented with secure coding and runtime mitigations, the second does not circumvent bugs in code but rather masquerades a device as another. We also investigate real-world usage of USB and present data which shows that we can expect users to have a single keyboard. Consequently, we increase protection against said masquerading attacks by filtering keys deemed dangerous or preventing security relevant actions if the keystroke originated from a newly attached USB device. We present an implementation of our filter for both GNU/Linux and Microsoft Windows.

Item Type: Conference or Workshop Item
Published: 2019
Creators: Mueller, Tobias ; Zimmer, Ephraim ; de Nittis, Ludovico
Title: Using Context and Provenance to Defend Against USB-borne Attacks
Language: English

Title of Book: ARES '19 : Proceedings of the 14th International Conference on Availability, Reliability and Security
Publisher: ACM
ISBN: 978-1-4503-7164-3
Divisions: 20 Department of Computer Science
20 Department of Computer Science > Telecooperation
Event Title: 14th International Conference on Availability, Reliability and Security
Event Location: Canterbury, United Kingdom
Event Dates: 26.-29.08.2019
Date Deposited: 05 Feb 2021 09:17
DOI: 10.1145/3339252.3339268
Additional Information:

Art.No.: 1
