USB is used for any of the following data transfer types:

a. For functions that require timing co-ordination at some guaranteed data rate but with possible data loss, e.g., real-time audio or video.
b. For functions that need guaranteed quick responses with bounded latency, e.g., mice and keyboards.
c. For large sporadic transfers using all remaining available bandwidth, but with no guarantees on bandwidth or latency, e.g., file transfers.

Note that in all data transfer types, the host directs all communications, and the USB device cannot transfer any data on the bus without an explicit request from the host controller. Connecting a USB device to the host initiates a process called enumeration. In general, enumeration involves four steps:

1. Detecting that a device has been connected: When a USB device is plugged into a USB host, there is a change on the data lines by which the host detects that a device has been connected.
2. The change on the data lines is also used to identify the speed of a device.
3. Determining device descriptors: Devices are identified by descriptors that they send to the host. Once the host has established that a device is connected to it and at what speed it should communicate with it, the host will reset the USB device and attempt to read its descriptors. This step basically follows a question-and-answer process:
   a. First, the host will send a command, and the device will send its descriptor length followed by the actual descriptor.
   b. At the completion of this stage, the device is reset again and given a unique logical address via a command.
   c. Next, the host will send a Get_Configuration_Descriptor command in order to establish the device's configuration. The device will reply by sending its configuration descriptor, which includes a hierarchy of interface, endpoint, and (optionally) class-specific descriptors.
4. After the USB device has been fully identified by the host, the host needs to load a driver that will tell it how to control the USB device. Matching the USB device to the driver is usually done according to the USB class associated with the device, vendor ID (VID), and product ID (PID). Once the driver has been loaded, the USB device becomes available for applications to access. Standard USB devices are normally supported by drivers included in the host's OS. However, in cases when a particular USB device has to fulfill non-standard requirements, a custom USB device driver should be downloaded by the host.

We now delve into the existing USB-based attacks, describing the attacks and their taxonomy and categories, and the peripherals used to carry out such attacks.
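As an added illustration of steps 3 and 4 (example code written for this page, not code from the paper), the following Python parses constructed device and configuration descriptors the way a host walks the descriptor hierarchy, then applies the class/VID/PID match from step 4 as a defensive check: a boot-protocol keyboard interface presented by a device outside an approved keyboard list is flagged, which is how a microcontroller posing as a keyboard looks at enumeration time. Descriptor layouts follow the USB 2.0 specification; the vendor/product IDs and the allowlist are constructed placeholders.

```python
import struct

HID_CLASS = 0x03              # bInterfaceClass for Human Interface Devices
BOOT_KEYBOARD = (0x01, 0x01)  # (bInterfaceSubClass = boot, bInterfaceProtocol = keyboard)

def parse_device_descriptor(data: bytes) -> dict:
    """Parse the 18-byte standard device descriptor the device returns in step 3a."""
    fields = struct.unpack("<BBHBBBBHHHBBBB", data[:18])
    if fields[0] != 18 or fields[1] != 0x01:
        raise ValueError("not a device descriptor")
    return {"vid": fields[7], "pid": fields[8], "class": fields[3]}

def parse_configuration(data: bytes) -> list:
    """Walk the configuration descriptor hierarchy returned in step 3c and
    collect every interface descriptor as (class, subclass, protocol)."""
    interfaces, offset = [], 0
    while offset + 2 <= len(data):
        length, dtype = data[offset], data[offset + 1]
        if length < 2 or offset + length > len(data):
            raise ValueError("malformed descriptor at offset %d" % offset)
        if dtype == 0x04 and length >= 9:  # INTERFACE descriptor
            interfaces.append((data[offset + 5], data[offset + 6], data[offset + 7]))
        offset += length
    return interfaces

def assess(dev_desc: bytes, cfg_desc: bytes, keyboard_allowlist: set) -> list:
    """Flag a keyboard interface whose VID:PID is not an approved keyboard,
    mirroring the host's step-4 matching on class, VID and PID."""
    dev = parse_device_descriptor(dev_desc)
    findings = []
    for cls, sub, proto in parse_configuration(cfg_desc):
        if cls == HID_CLASS and (sub, proto) == BOOT_KEYBOARD \
                and (dev["vid"], dev["pid"]) not in keyboard_allowlist:
            findings.append("keyboard interface from unapproved device %04x:%04x"
                            % (dev["vid"], dev["pid"]))
    return findings

# Constructed sample descriptors (placeholder IDs, not a real product):
# device descriptor: USB 2.0, class 0 (class defined per interface), VID 0x1234, PID 0x5678
SAMPLE_DEVICE = struct.pack("<BBHBBBBHHHBBBB", 18, 1, 0x0200, 0, 0, 0, 64,
                            0x1234, 0x5678, 0x0100, 1, 2, 3, 1)
# configuration (9 bytes) + HID boot-keyboard interface (9) + interrupt IN endpoint (7)
SAMPLE_CONFIG = (struct.pack("<BBHBBBBB", 9, 2, 25, 1, 1, 0, 0x80, 50)
                 + struct.pack("<BBBBBBBBB", 9, 4, 0, 0, 1, HID_CLASS, 1, 1, 0)
                 + struct.pack("<BBBBHB", 7, 5, 0x81, 0x03, 8, 10))
APPROVED_KEYBOARDS = {(0xAAAA, 0x0001)}  # constructed allowlist entry

if __name__ == "__main__":
    for finding in assess(SAMPLE_DEVICE, SAMPLE_CONFIG, APPROVED_KEYBOARDS):
        print(finding)
```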
In Figs. 1 and 2, we present a taxonomy of USB attacks and their categories. The taxonomy is based on the USB hardware required for executing the attacks, which can be classified into three major categories: (A) programmable microcontrollers (red), (B) the common USB peripheral devices that can be found in most organizations and households (orange and blue), and (C) crafted devices composed only from electrical hardware components (purple). The programmable microcontroller devices (e.g., Teensy (PJRC) or Arduino (arduino.cc)), aka USB hardware Trojans (Clark et al., 2010), can emulate USB peripherals and are often disguised within an innocuous external casing. The USB peripheral devices can be further classified into two sub-categories: devices whose firmware was maliciously modified in order to perform the attack (orange) and devices that do not require firmware modification (blue). For convenience, categories are numbered according to the subsections in which they are described below, and attacks are numbered according to their assigned ID.

4. Description of USB attacks
4.1. Programmable microcontrollers {A}
Rubber Ducky (RIFT recon) is a commercial keystroke injection attack platform released in 2010. Once connected to a host computer, the Rubber Ducky poses as a keyboard and injects a preloaded keystroke sequence. It supports a simple scripting language that enables an attacker to craft payloads capable of changing system settings, opening back doors, retrieving data, initiating reverse shells, or basically anything that can be achieved with physical access – all of which are automated and can be executed in a matter of seconds. Rubber Ducky's hardware consists of a powerful Atmel 60 MHz 32-bit processor, a micro SD card reader for quick loading of different attack payloads, a payload replay button for easy re-execution, a LED indicator, and a JTAG interface that can be used for I/O.

The PHUKD dongle (Crenshaw, 2010) is a Teensy microcontroller (PJRC) based pen testing device created by Adrian Crenshaw. PHUKD combines keyboard emulation with mouse emulation, and it inspired the

Figure caption: A taxonomy of USB-based attacks (covered in this survey), categorized based on the hardware required to execute the attacks. (For interpretation of the references to colour in this figure legend, the reader is referred to the web version of this article.)
computers & security 70 (2017) 675–688