Patent Grant
8646082
This invention relates generally to computer security and, in particular, to apparatus and methods that prevent malicious data in Universal Serial Bus (USB) configurations by providing a hardware firewall.
The Universal Serial Bus (USB) is a common interconnect format for computer devices. Data is transmitted over a serial connection between a host and a device. Each device is assigned an address form 0-127, allowing multiple devices to communicate with the same host using the same wires.
The USB specification allows multiple device classes, including but not limited to keyboards, mice, printers, mass storage, video, and vendor specific items. Some physical devices appear as two or more logical USB devices, such as a webcam that has an audio and a video USB connection. USB data is sent in packets, some of which signal devices being added or removed. Other packet types are data, signaling such as acknowledgement of data received or ready, and other types.
Malicious USB devices have been created that utilize weaknesses in the USB infrastructure to attack unprotected hosts and devices through combinations of malformed packets, device spoofing, electrical tricks, and other methods. For example, a flash drive may have a keyboard controller hidden in it that only activates after the drive has been inserted for some length of time. The keyboard activates, unsuspecting USB infrastructure connects it to the PC, and the keyboard sends commands for malicious activity on the host PC. There are many other types of attacks.
This invention is directed to apparatus and methods that prevent malicious data in Universal Serial Bus (USB) configurations by providing a hardware firewall. A computer security device according to the invention comprises a hardware unit interconnected between a Universal Serial Bus (USB) device and a host. The device, which may include a memory to log data exchanges, monitors communication packets associated with data exchanges between the bus and the host and blocks packets having unwanted or malicious intent.
In some embodiments, the device may only allow mass storage packets from a device recognized as a mass storage device. The device may block enumeration of unwanted devices by not forwarding packets between the device and the host. The device may be operative to assign a bogus address to a malicious device so as not to transfer communications from the device further up the chain to the host. The device may provide shallow or deep packet inspection to determine when a trusted device is sending possible malicious data, or provide packet validation to block packets that are malformed.
In the preferred embodiment, the device acts as a hub, enabling multiple devices to connect to a single host. The device may interface to the host through a first USB connector, and interface to the USB through a second USB connector. For added security, the device may be interfaced to the host through an optically isolated bus. Methods of use are also disclosed and claimed herein.
This invention prevents malicious data in USB configurations by providing a hardware firewall. All USB data is sent between a device and a host. The firewall sites physically between them, either acting as a hub (which connects multiple devices to a single host) or acting passively by sitting on the wire to listen to traffic. In the latter case it does not change traffic but nevertheless monitors and logs data.
The firewall, depicted schematically in
The firewall can stop malicious device types by monitoring the USB pipes (connections between device and host) and watching for new connection enumeration. When a new device tries to connect to the system, the host enumerates the device by first noticing changes on the bus, then performing transfers that obtain the device information. The device responds to the host through a specified endpoint which the device can monitor.
The firewall can block enumeration of devices that are not allowed to pass the firewall by not forwarding packets between the device to the host. The firewall assigns an address to the malicious device and makes the device think it was on a valid host, but would not transfer the communication further up the chain to the host.
Interactions between device and host are carried out through transfers, which are broken into transactions, which are further broken into packets (
For packets that are allowed through, the device provides shallow or deep packet inspection to determine when a trusted device is sending possible malicious data. One example would be to detect file transfers from mass storage devices and examine the files as they pass through. Another example detects images coming from a camera and scans the image headers for valid parameters.
This device can also provide a level of validation on the packets to ensure they are not malformed. Malformed packets can be designed to exploit weaknesses or errors in USB implementations, such as buffer overflows. For example, checking that fields in packets are correctly formed gives a second layer of protection against poorly implemented hardware that may be susceptible to invalid fields or invalid combinations of fields.
This device can electrically isolate the two connections to prevent electrical attacks, for example by using an optically isolated bus.
This application claims priority from U.S. Provisional Patent Application Ser. No. 61/453,777, filed Mar. 17, 2011, the entire content of which is incorporated herein by reference.
| Number | Name | Date | Kind |
|---|---|---|---|
| 6820160 | Allman | Nov 2004 | B1 |
| 6879869 | Kou | Apr 2005 | B2 |
| 7213766 | Ryan et al. | May 2007 | B2 |
| 7367832 | Muhs et al. | May 2008 | B2 |
| 8019194 | Morrison et al. | Sep 2011 | B2 |
| 8037247 | Kreiner et al. | Oct 2011 | B2 |
| 8118606 | Larsson | Feb 2012 | B2 |
| 8286243 | Clark et al. | Oct 2012 | B2 |
| 20040193302 | Kou | Sep 2004 | A1 |
| 20050109841 | Ryan et al. | May 2005 | A1 |
| 20050254776 | Morrison et al. | Nov 2005 | A1 |
| 20060075486 | Lin et al. | Apr 2006 | A1 |
| 20070105432 | Muhs et al. | May 2007 | A1 |
| 20080040609 | Giobbi | Feb 2008 | A1 |
| 20080083037 | Kruse et al. | Apr 2008 | A1 |
| 20080156207 | Ellenbogen | Jul 2008 | A1 |
| 20080222309 | Shanbhogue | Sep 2008 | A1 |
| 20080250165 | Reynolds et al. | Oct 2008 | A1 |
| 20090024746 | Welch | Jan 2009 | A1 |
| 20090150435 | Balu et al. | Jun 2009 | A1 |
| 20100037296 | Silverstone | Feb 2010 | A1 |
| 20100087076 | Larsson | Apr 2010 | A1 |
| 20100153621 | Kreiner et al. | Jun 2010 | A1 |
| 20100281546 | Kruse et al. | Nov 2010 | A1 |
| 20100324956 | Lopez et al. | Dec 2010 | A1 |
| 20100332355 | Lopez et al. | Dec 2010 | A1 |
| 20100333192 | Song | Dec 2010 | A1 |
| 20110030030 | Terpening et al. | Feb 2011 | A1 |
| 20110166824 | Haisty et al. | Jul 2011 | A1 |
| 20110169924 | Haisty et al. | Jul 2011 | A1 |
| 20110215917 | Bolduc et al. | Sep 2011 | A1 |
| 20110296488 | Dandekar et al. | Dec 2011 | A1 |
| 20120020638 | Morrison et al. | Jan 2012 | A1 |
| 20120079563 | Green et al. | Mar 2012 | A1 |
| Number | Date | Country | |
|---|---|---|---|
| 20120240234 A1 | Sep 2012 | US |
| Number | Date | Country | |
|---|---|---|---|
| 61453777 | Mar 2011 | US |
