Defending against malicious USB firmware with GoodUSB

Dave Tian, Adam Bates, Kevin Butler

Research output: Chapter in Book/Report/Conference proceedingConference contribution


USB attacks are becoming more sophisticated. Rather than using USB devices solely as a delivery mechanism for host-side exploits, attackers are targeting the USB stack itself, embedding malicious code in device firmware to covertly request additional USB interfaces, providing unacknowledged and malicious functionality that lies outside the apparent purpose of the device. This allows for attacks such as BadUSB, where a USB storage device with malicious firmware is capable of covertly acting as a keyboard as well, allowing it to inject malicious scripts into the host machine. We observe that the root cause of such attacks is that the USB Stack exposes a set of unrestricted device privileges and note that the most reliable information about a device's capabilities comes from the end user's expectation of the device's functionality. We design and implement GoodUSB, a mediation architecture for the Linux USB Stack. We defend against BadUSB attacks by enforcing permissions based on user expectations of device functionality. GoodUSB includes a security image component to simplify use, and a honeypot mechanism for observing suspicious USB activities. GoodUSB introduces only 5.2% performance overhead compared to the unmodified Linux USB subsystem. It is an important step forward in defending against USB attacks and towards allowing the safe deployment of USB devices in the enterprise.

Original languageEnglish (US)
Title of host publicationProceedings - 31st Annual Computer Security Applications Conference, ACSAC 2015
PublisherAssociation for Computing Machinery
Number of pages10
ISBN (Electronic)9781450336826
StatePublished - Dec 7 2015
Externally publishedYes
Event31st Annual Computer Security Applications Conference, ACSAC 2015 - Los Angeles, United States
Duration: Dec 7 2015Dec 11 2015

Publication series

NameACM International Conference Proceeding Series


Conference31st Annual Computer Security Applications Conference, ACSAC 2015
CountryUnited States
CityLos Angeles


  • BadUSB
  • Linux kernel
  • USB

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'Defending against malicious USB firmware with GoodUSB'. Together they form a unique fingerprint.

Cite this