Dry Run Thesis Proposal Presentation to CSL M'A'Sc' Computer Engineering

1

• Dry Run Thesis ProposalPresentation to
  CSL M.A.Sc. (Computer Engineering)
• On the Risk of USB Covert Channels
• Major John Clark
• 11 April 2008

2
Outline
What is the problem?

• Working Scenario
• Previous Work
• USB Protocol
• Research Question
• Proposed Work
• Validation of Work
• Timeline
• Questions

Why is the problem interesting and challenging?
Why are previous solutions inadequate?
Proposed approach to addressing the problem.
How I will evaluate the work.
3
Working Scenario (1)
IDS, AV
Give Defenders the perimeter.
ESS 1,2,3,4 Granularly regulate access
to peripheral devices in accordance with a policy
Approved UFD VID/PID/Serial Number
4
Working Scenario (2)
Hardware Trojan Horse

• Residual Devices normally used in specific way
• Keyboard IN to endpoint
• Speaker Audio OUT from endpoint

5
Previous Work (1)

• No known work on USB covert channels
• However, complimentary work in USB devices as a
  risk and in PS2 Keyboard covert channels
• USB devices as a risk
• 2005 BlackHat Briefing USB plug and root 5
• Barral and Dewey present Meta-USB device
• Target vulnerable drivers
• Cause execution of arbitrary code
• 2006 - Risk of Consented Use of USB Devices -gt
  focus UFDs 6
• Al-Zarouni discussed IN vector (introducing
  malicious code) and OUT vector (covertly removing
  information)
• Focus on how one particular attack worked
  USBSwitchblade 7 / NirSoft.net 8
• UFD successful attack vector, risk assessed as
  serious enough to warrant mitigation

6
Previous Work (2)

• USB devices as a risk cont
• 2006/2007 Anecdotal/Trade articles on USB Flash
  Drives and U3 10, 11
• Stasiukonis in an article for Dark Reading
  described UFDs seeded with Software Trojan Horse
  used successfully in penetration test of
  financial institution
• U3 and consented used for subsequent
• Demonstration of successful attack based on UFD
• PS2 Keyboard covert channel
• 2006 Shah, Molina and Blaze publish paper at
  USENIX Security Conference on Keyboard Jitterbug
  Keylogger 9
• Timing covert channel created by imposing
  specific delay between key presses. Delay is
  observable at remote location through interactive
  session traffic.
• Bump-in-the-line attack/supply chain attack,
  based on Hardware Trojan Horse
• Hardware Trojan Horse lives outside of endpoint,
  and can keep malicious processing unobserved

7
USB Protocol (1) 13

• Ubiquitous, multi-speed protocol for use with
  self-identifying peripheral devices
• Host initiated, polled bus
• Robust error handling/fault recovery built into
  protocol
• Allows for four distinct transfer types
• Control Transfers (all devices support) - Bursty,
  non-periodic, host software-initiated
  request/response communication, typically used
  for command/status operations
• Interrupt Transfers - Low-frequency,
  bounded-latency communication
• Bulk Transfers Non-Periodic, large-packet,
  bursty communication
• Isochronous Transfers -Periodic, continuous
  communication between host and device

8
USB Protocol (2)
13
9
USB Protocol (3)
14
10
USB Protocol (4)
14
1..
1
0..1
0..1
11
USB Protocol (5) 14
14
12
USB Protocol (6)
14
13
Research Question

• What is the level of risk USB presents in being
  used for covert channels?

14
Proposed Work (1)

• Phase I Analysis of USB Protocol
• Determine possible covert channels
• Assess covert channels for
• Capacity
• Observability
• Difficulty to implement
• Deliverable Identification of possible USB
  Covert Channels
• Phase II Implementation of Covert Channel
• Select one or more covert channels to implement,
  and determine appropriate coding scheme based
  upon capacity
• Implement covert channel (Windows Software
  Development Kit , USB Monitor 15)
• Based upon chosen coding scheme determine
  throughput
• Deliverable The answer to the research question
  the level of risk is at least a covert channel
  with a capacity of X, and qualitatively assessed
  obserability and difficulty.

15
Proposed Work (2)

• Phase III Validate the Work
• Deliverable Covert Communication System using
  the covert channel to search for and extract data
  from an endpoint
• At the level of Model//Proof of Concept (PC with
  USB emulation board or USB Development Kit)
• Documentation i.e. write the Thesis
• Throughout, with period of time dedicated to
  producing drafts of the document
• Nice to Have Concurrent porting of Proof of
  Concept to hardware
• Defence
• To occur in Sep 08

16
Validation (1)

• As there is no extant research to compare the
  proposed work with, the work will be validated
  through the design and implementation of a covert
  communication system.

17
Validation (2)

• A model of a Hardware Trojan Horse device (PC
  with USB Emulation Card) will be created that
  will
• Enumerate as an innocuous USB device on the
  target endpoint
• The implemented covert channel will be placed as
  the payload in the Hardware Trojan Horse
• The covert channel having been characterized for
  capacity, and for selected coding scheme
  throughput
• When covert channel established between target
  endpoint and Hardware Trojan, data can be passed
  from endpoint to Trojan, and the throughput
  observed
• Result is a covert channel with a maximum
  capacity, for which a throughput has been
  observed.

18
Timeline (1)
19
Timeline (2)
Analysis (7 weeks)
Implementation (7 weeks)
Proposal
Validation (7 weeks)
Documentation (5 weeks)
Defence (5 weeks)
20
Conclusion

• Proposed work is to determine USBs level of risk
  for use as a covert channel.
• Expect to be able to answer in the form of a
  covert channel with X capacity, and qualitatively
  assessed observability and difficulty of Y
• No known research in this area. This work will
  address this deficiency.
• The work will be validated through the successful
  implementation of a covert communication system,
  using the USB based covert channel to search for
  and exfiltrate sensitive information from the
  endpoint.

21
Questions
?
22
References (1)

• 1 Centennial Software. DeviceWall Homepage.
  Available http//www.devicewall.com/ , Accessed
  4 Apr 2008.
• 2 CheckPoint Software Technologies (2007).
  Poitsec Protector Homepage. Available
  http//www.checkpoint.com/products/datasecurity/pr
  otector/ , Accessed 4 Apr 2008.
• 3 DeviceLock Inc. DeviceLock Homepage.
  Available http//www.devicelock.com/ , accessed
  4 Apr 2008.
• 4 Clark, J., An Examination of Endpoint
  Security Methods to Regulate USB Flash Drives
  Use, Royal Military College of Canada EE502
  Applied Research in Electrical and Computer
  Engineering, Depth Research Paper, Summer 2007.
• 5 Barral D. and Dewey D., Plug and Root, the
  USB Key to the Kingdom. BlackHat 2005, 27 Jul
  2005. Available http//www.blackhat.com/presentat
  ions/bh-usa-05/BH_US_05-Barrall-Dewey.pdf, last
  accessed 8 Apr 2008.
• 6 Al-Zarouni, M., The Reality of Risks from
  Consented use of USB Devices. In Proceedings of
  the 4th Australian Information Security
  Conference, 2006, pp 5-14.
• 7 USBSwitchblade. Hak.5. Available
  http//wiki.hak5.org/wiki/USB_Switchblade , last
  accessed 4 Apr 2008.
• 8 NirSoft.net. Available http//www.nirsoft.ne
  t/, last accessed 8 Apr 2008.
• 9 Shah, G. and Molina, A. and Blaze, M.
  Keyboards and Covert Channels. In Proceedings of
  the 15th conference on USENIX Security Symposium,
  2006.

23
References (2)

• 10 Stasiukonis S., Social Engineering, the USB
  Way. Dark Reading Room, 7 Jun 2006. Available
  http//www.darkreading.com/document.asp?doc_id955
  56, last accessed 4 Apr 2008
• 11 Stasiukonis S., Social-Engineering
  Employees. Dark Reading Room, 3 December 2007.
  Available http//www.darkreading.com/document.asp
  ?doc_id140433 , last accessed 4 Apr 2008.
• 12 Russinovitch, M. and Solomon D. Microsoft
  Windows Internals, 4th Ed. Redmond, Washington,
  USA. Microsoft Press, 2005.
• 13 USB Implementers Forum, USB 2.0
  Specification. 27 Apr 2007. Available
  http//www.usb.org/developers/docs/ , last
  accessed 4 Apr 2008.
• 14 Axelson, J., USB Complete, 3rd Ed. Madison
  WI, USA. Lakeview Research LLC, 2005.
• 15 USB Monitor Profession Homepage. HHD
  Software. Available http//www.hhdsoftware.com/P
  roducts/home/usb-monitor-pro.html, last accessed
  8 Apr 2008.
• 16 Net2280 Homepage. PLX Technology.
  Available http//www.plxtech.com/products/net2000
  /net2280.asp, last accessed 8 Apr 2008.
• 17 CY3655 enCoRe(TM) II Development Kit Home
  Page. Cypress Semiconductors. Available
  http//www.cypress.com/portal/server.pt?spaceComm
  unityPagecontrolSetCommunityCommunityID285Pag
  eID552drid80962shortlinkr_folderr_title,
  last accessed 8 Apr 08.