
MASTER OF SCIENCE THESIS DEFENSE BY: Daniel R. Noyes

When: Tuesday, August 16, 2016
2:00 PM - 4:00 PM
Where: Science & Engineering Building, Lester W. Cory Conference Room: Room 213A
Cost: Free
Description: TOPIC: SECURITY ANALYSIS AND IMPROVEMENT OF USB TECHNOLOGY

LOCATION: Lester W. Cory Conference Room, Science & Engineering Building (Group II), Room 213A

ABSTRACT:
The Universal Serial Bus (USB) is one of the most commonly used standards for peripheral communication in the computer industry. USB's features, such as cross-platform support and hot-swapping, make USB the dominant choice of connection in computer systems. Today USB is commonly used for keyboards, printers, external storage, digital cameras, scanners, and smartphones. In addition to communication, USB is used to charge devices as well. The ubiquitous USB devices used in daily life constitute a high security risk to users' attached devices. USB was originally designed for synonymous connectivity, ease of use as plug-and-play, and a means for expanding ports on computer buses. Unfortunately, the great popularity of USB also brings more scrutiny, with individuals trying to exploit the communication specification. With the possibility of exploits, it has become a point for security adversaries to analyze the protocol, and it has been demonstrated that USB currently has no security measures to protect the data communication among devices on the bus line. Sensitive data transmitted on the line can be easily sniffed, and USB devices can be spoofed to launch attacks on attached devices.

This thesis aims at analyzing the USB protocol regarding vulnerabilities and defending USB devices with security measures. Two major types of attack scenarios are demonstrated: USB sniffing, to capture any data transmitted on the bus line, as a passive attack, and USB spoofing, to make any device act as a keyboard to inject malicious commands, as an active attack. The study improves understanding of USB security threats, prompting the design of USB security measures using the information security principles of Confidentiality, Integrity, and Availability (CIA). For Confidentiality, a public encryption mechanism is used to set up a session, followed by fast data encryption with symmetric cryptography using a one-time key. For Integrity, device authentication is initiated at connection and maintained during the session. In addition, critical data are signed for message integrity. For Availability, a fallback method is deployed to ensure services by the USB device. The security measures are prototyped with both hardware and software. Their effectiveness is evaluated qualitatively.

Securing USB plays a paramount role in defending society from potential attacks. These attacks can maliciously hinder machines and create devastating problems. With the cost of USB devices diminishing, the issue will arise soon from a bad USB that will spread viruses. As the Internet-of-Things penetrates the world with connected USB devices, it has become more cohesive to provide a solution to this dilemma. Future work will fulfill the full spectrum of security goals with a holistic approach.

NOTE: All ECE Graduate Students are ENCOURAGED to attend.
All interested parties are invited to attend. Open to the public.

Advisor: Dr. Hong Liu
Committee Members: Dr. Paul J. Fortier, Department of Electrical & Computer Engineering and Dr. Haiping Xu, Department of Computer & Information Science

*For further information, please contact Dr. Hong Liu at 508.999.8514, or via email at hliu@umassd.edu.
Topical Areas: General Public, University Community, College of Engineering, Electrical and Computer Engineering