Dry Run Thesis Proposal Presentation to CSL M.A.Sc. (Computer Engineering)


  • Dry Run Thesis Proposal Presentation to
    CSL M.A.Sc. (Computer Engineering)
  • On the Risk of USB Covert Channels
  • Major John Clark
  • 11 April 2008

What is the problem?
  • Working Scenario
  • Previous Work
  • USB Protocol
  • Research Question
  • Proposed Work
  • Validation of Work
  • Timeline
  • Questions

Why is the problem interesting and challenging?
Why are previous solutions inadequate?
Proposed approach to addressing the problem.
How I will evaluate the work.
Working Scenario (1)
Give Defenders the perimeter.
ESS [1, 2, 3, 4]: Granularly regulate access
to peripheral devices in accordance with a policy
Approved UFD: VID/PID/Serial Number
Working Scenario (2)
Hardware Trojan Horse
  • Residual devices are normally used in a specific way
  • Keyboard: IN to endpoint
  • Speaker: Audio OUT from endpoint
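
The two Working Scenario slides, seen from the defender's side, as an added example (not code from the presentation): a device-control policy that checks UFD identity by VID/PID/serial number but admits residual devices on their claimed class, plus an audit listing what was admitted without an identity check. The policy entries, sample devices and function names are constructed assumptions.

```python
from dataclasses import dataclass

# USB-IF base class codes (reported per interface in practice; flattened here).
AUDIO, HID, MASS_STORAGE = 0x01, 0x03, 0x08

@dataclass(frozen=True)
class UsbDevice:
    # Every field is self-reported by the device in its descriptors.
    vid: int
    pid: int
    serial: str
    dev_class: int

# Constructed policy data (assumption, not from the slides).
APPROVED_UFDS = {(0x1234, 0x5678, "UFD-0001")}
RESIDUAL_CLASSES = {HID, AUDIO}  # keyboard, speaker

def evaluate(dev: UsbDevice) -> dict:
    """Return the policy decision and whether device identity was checked."""
    if dev.dev_class == MASS_STORAGE:
        ok = (dev.vid, dev.pid, dev.serial) in APPROVED_UFDS
        return {"allow": ok, "identity_checked": True}
    if dev.dev_class in RESIDUAL_CLASSES:
        return {"allow": True, "identity_checked": False}
    return {"allow": False, "identity_checked": False}

def unverified_allowed(devices):
    """Audit view: devices admitted on their claimed class alone."""
    out = []
    for d in devices:
        r = evaluate(d)
        if r["allow"] and not r["identity_checked"]:
            out.append(d)
    return out

# Constructed enumeration results for one endpoint.
SAMPLE = [
    UsbDevice(0x1234, 0x5678, "UFD-0001", MASS_STORAGE),  # approved UFD
    UsbDevice(0x1234, 0x5678, "UFD-9999", MASS_STORAGE),  # unknown serial
    UsbDevice(0xABCD, 0x0001, "", HID),                   # claims keyboard
    UsbDevice(0xABCD, 0x0002, "", AUDIO),                 # claims speaker
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(f"{d.vid:04x}:{d.pid:04x} class={d.dev_class:#04x} {evaluate(d)}")
    print("allowed without identity check:", len(unverified_allowed(SAMPLE)))
```

The audit list is the set of devices a reviewer would want covered by some other control, since the policy's decision for them rests only on descriptor fields the device supplies itself.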

Previous Work (1)
  • No known work on USB covert channels
  • However, complementary work in USB devices as a
    risk and in PS/2 Keyboard covert channels
  • USB devices as a risk
  • 2005 BlackHat Briefing: USB plug and root [5]
  • Barrall and Dewey present Meta-USB device
  • Target vulnerable drivers
  • Cause execution of arbitrary code
  • 2006 - Risk of Consented Use of USB Devices ->
    focus UFDs [6]
  • Al-Zarouni discussed IN vector (introducing
    malicious code) and OUT vector (covertly removing
  • Focus on how one particular attack worked:
    USBSwitchblade [7] / NirSoft.net [8]
  • UFD successful attack vector, risk assessed as
    serious enough to warrant mitigation

Previous Work (2)
  • USB devices as a risk (cont.)
  • 2006/2007 Anecdotal/Trade articles on USB Flash
    Drives and U3 [10, 11]
  • Stasiukonis in an article for Dark Reading
    described UFDs seeded with Software Trojan Horse
    used successfully in penetration test of
    financial institution
  • U3 and consented used for subsequent
  • Demonstration of successful attack based on UFD
  • PS/2 Keyboard covert channel
  • 2006 Shah, Molina and Blaze publish paper at
    USENIX Security Conference on Keyboard JitterBug
    Keylogger [9]
  • Timing covert channel created by imposing
    specific delay between key presses. Delay is
    observable at remote location through interactive
    session traffic.
  • Bump-in-the-line attack/supply chain attack,
    based on Hardware Trojan Horse
  • Hardware Trojan Horse lives outside of endpoint,
    and can keep malicious processing unobserved

USB Protocol (1) [13]
  • Ubiquitous, multi-speed protocol for use with
    self-identifying peripheral devices
  • Host initiated, polled bus
  • Robust error handling/fault recovery built into
  • Allows for four distinct transfer types
  • Control Transfers (all devices support) - Bursty,
    non-periodic, host software-initiated
    request/response communication, typically used
    for command/status operations
  • Interrupt Transfers - Low-frequency,
    bounded-latency communication
  • Bulk Transfers - Non-periodic, large-packet,
    bursty communication
  • Isochronous Transfers - Periodic, continuous
    communication between host and device

USB Protocol (2)
USB Protocol (3)
USB Protocol (4)
USB Protocol (5) [14]
USB Protocol (6)
Research Question
  • What is the level of risk USB presents in being
    used for covert channels?

Proposed Work (1)
  • Phase I: Analysis of USB Protocol
  • Determine possible covert channels
  • Assess covert channels for:
  • Capacity
  • Observability
  • Difficulty to implement
  • Deliverable: Identification of possible USB
    Covert Channels
  • Phase II: Implementation of Covert Channel
  • Select one or more covert channels to implement,
    and determine appropriate coding scheme based
    upon capacity
  • Implement covert channel (Windows Software
    Development Kit, USB Monitor [15])
  • Based upon chosen coding scheme determine
  • Deliverable: The answer to the research question:
    the level of risk is at least a covert channel
    with a capacity of X, and qualitatively assessed
    observability and difficulty.

Proposed Work (2)
  • Phase III: Validate the Work
  • Deliverable: Covert Communication System using
    the covert channel to search for and extract data
    from an endpoint
  • At the level of Model/Proof of Concept (PC with
    USB emulation board or USB Development Kit)
  • Documentation, i.e. write the Thesis
  • Throughout, with period of time dedicated to
    producing drafts of the document
  • Nice to Have: Concurrent porting of Proof of
    Concept to hardware
  • Defence
  • To occur in Sep 08

Validation (1)
  • As there is no extant research to compare the
    proposed work with, the work will be validated
    through the design and implementation of a covert
    communication system.

Validation (2)
  • A model of a Hardware Trojan Horse device (PC
    with USB Emulation Card) will be created that
  • Enumerate as an innocuous USB device on the
    target endpoint
  • The implemented covert channel will be placed as
    the payload in the Hardware Trojan Horse
  • The covert channel having been characterized for
    capacity, and for selected coding scheme
  • When covert channel established between target
    endpoint and Hardware Trojan, data can be passed
    from endpoint to Trojan, and the throughput
  • Result is a covert channel with a maximum
    capacity, for which a throughput has been

Timeline (1)
Timeline (2)
Analysis (7 weeks)
Implementation (7 weeks)
Validation (7 weeks)
Documentation (5 weeks)
Defence (5 weeks)
  • Proposed work is to determine USB's level of risk
    for use as a covert channel.
  • Expect to be able to answer in the form of a
    covert channel with X capacity, and qualitatively
    assessed observability and difficulty of Y
  • No known research in this area. This work will
    address this deficiency.
  • The work will be validated through the successful
    implementation of a covert communication system,
    using the USB based covert channel to search for
    and exfiltrate sensitive information from the

References (1)
  • [1] Centennial Software. DeviceWall Homepage.
    Available: http://www.devicewall.com/ , accessed
    4 Apr 2008.
  • [2] CheckPoint Software Technologies (2007).
    Pointsec Protector Homepage. Available:
    otector/ , accessed 4 Apr 2008.
  • [3] DeviceLock Inc. DeviceLock Homepage.
    Available: http://www.devicelock.com/ , accessed
    4 Apr 2008.
  • [4] Clark, J., An Examination of Endpoint
    Security Methods to Regulate USB Flash Drives
    Use, Royal Military College of Canada EE502
    Applied Research in Electrical and Computer
    Engineering, Depth Research Paper, Summer 2007.
  • [5] Barrall D. and Dewey D., Plug and Root, the
    USB Key to the Kingdom. BlackHat 2005, 27 Jul
    2005. Available:
    http://www.blackhat.com/presentations/bh-usa-05/BH_US_05-Barrall-Dewey.pdf,
    last accessed 8 Apr 2008.
  • [6] Al-Zarouni, M., The Reality of Risks from
    Consented use of USB Devices. In Proceedings of
    the 4th Australian Information Security
    Conference, 2006, pp 5-14.
  • [7] USBSwitchblade. Hak.5. Available:
    http://wiki.hak5.org/wiki/USB_Switchblade , last
    accessed 4 Apr 2008.
  • [8] NirSoft.net. Available: http://www.nirsoft.net/,
    last accessed 8 Apr 2008.
  • [9] Shah, G. and Molina, A. and Blaze, M.
    Keyboards and Covert Channels. In Proceedings of
    the 15th conference on USENIX Security Symposium,

References (2)
  • [10] Stasiukonis S., Social Engineering, the USB
    Way. Dark Reading Room, 7 Jun 2006. Available:
    56, last accessed 4 Apr 2008.
  • [11] Stasiukonis S., Social-Engineering
    Employees. Dark Reading Room, 3 December 2007.
    Available: http://www.darkreading.com/document.asp?doc_id=140433 ,
    last accessed 4 Apr 2008.
  • [12] Russinovich, M. and Solomon D. Microsoft
    Windows Internals, 4th Ed. Redmond, Washington,
    USA. Microsoft Press, 2005.
  • [13] USB Implementers Forum, USB 2.0
    Specification. 27 Apr 2007. Available:
    http://www.usb.org/developers/docs/ , last
    accessed 4 Apr 2008.
  • [14] Axelson, J., USB Complete, 3rd Ed. Madison
    WI, USA. Lakeview Research LLC, 2005.
  • [15] USB Monitor Professional Homepage. HHD
    Software. Available:
    http://www.hhdsoftware.com/Products/home/usb-monitor-pro.html,
    last accessed 8 Apr 2008.
  • [16] Net2280 Homepage. PLX Technology.
    Available: http://www.plxtech.com/products/net2000/net2280.asp,
    last accessed 8 Apr 2008.
  • [17] CY3655 enCoRe(TM) II Development Kit Home
    Page. Cypress Semiconductors. Available:
    last accessed 8 Apr 08.