TY - GEN
T1 - ProvUSB
T2 - 23rd ACM Conference on Computer and Communications Security, CCS 2016
AU - Tian, Dave
AU - Bates, Adam
AU - Butler, Kevin R.B.
AU - Rangaswami, Raju
N1 - Publisher Copyright:
© 2016 Copyright held by the owner/author(s). Publication rights licensed to ACM.
PY - 2016/10/24
Y1 - 2016/10/24
N2 - Defenders of enterprise networks have a critical need to quickly identify the root causes of malware and data leakage. Increasingly, USB storage devices are the media of choice for data exfiltration, malware propagation, and even cyber-warfare. We observe that a critical aspect of explaining and preventing such attacks is understanding the provenance of data (i.e., the lineage of data from its creation to current state) on USB devices as a means of ensuring their safe usage. Unfortunately, provenance tracking is not offered by even sophisticated modern devices. This work presents ProvUSB, an architecture for fine-grained provenance collection and tracking on smart USB devices. ProvUSB maintains data provenance by recording reads and writes at the block layer and reliably identifying hosts editing those blocks through attestation over the USB channel. Our evaluation finds that ProvUSB imposes a one-time 850 ms overhead during USB enumeration, but approaches nearly-bare-metal runtime performance (90% of throughput) on larger files during normal execution, and less than 0.1% storage overhead for provenance in real-world workloads. ProvUSB thus provides essential new techniques in the defense of computer systems and USB storage devices.
AB - Defenders of enterprise networks have a critical need to quickly identify the root causes of malware and data leakage. Increasingly, USB storage devices are the media of choice for data exfiltration, malware propagation, and even cyber-warfare. We observe that a critical aspect of explaining and preventing such attacks is understanding the provenance of data (i.e., the lineage of data from its creation to current state) on USB devices as a means of ensuring their safe usage. Unfortunately, provenance tracking is not offered by even sophisticated modern devices. This work presents ProvUSB, an architecture for fine-grained provenance collection and tracking on smart USB devices. ProvUSB maintains data provenance by recording reads and writes at the block layer and reliably identifying hosts editing those blocks through attestation over the USB channel. Our evaluation finds that ProvUSB imposes a one-time 850 ms overhead during USB enumeration, but approaches nearly-bare-metal runtime performance (90% of throughput) on larger files during normal execution, and less than 0.1% storage overhead for provenance in real-world workloads. ProvUSB thus provides essential new techniques in the defense of computer systems and USB storage devices.
UR - http://www.scopus.com/inward/record.url?scp=84995477512&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84995477512&partnerID=8YFLogxK
U2 - 10.1145/2976749.2978398
DO - 10.1145/2976749.2978398
M3 - Conference contribution
AN - SCOPUS:84995477512
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 242
EP - 253
BT - CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
Y2 - 24 October 2016 through 28 October 2016
ER -