Portable storage devices such as USB flash drives have become virtually ubiquitous in daily life. They are as useful to students in college as to a soldier transferring data in a combat theater. However, the security risks posed by using these devices are all too real: after malicious code on a flash drive infected operational networks, allowing a mass exfiltration of classified data subsequently posted to Wikileaks, the Department of Defense banned these devices. The security vulnerabilities exposed by these events are of concern far beyond the military and extend to any user of portable storage. While numerous attempts have been made to secure hosts from malicious devices, very little research has considered the symmetrical problem of ensuring the protection of sensitive data from potentially compromised hosts, nor the security of the USB bus itself.

This project examines the factors contributing to the vulnerability of portable storage devices and considers a new framework for modeling and evaluating the security of these devices. We will consider the security of the storage devices themselves, the hosts they attach to, and the USB interface that transports the data. We consider methods of monitoring the integrity of attached hosts, and examine how to establish and manage host identity. We propose applications based on these devices, such as maintaining provenance and forensic information on stored data, and new frameworks supporting information flow for further enforcing finer-grained access protections. Such advances will ensure that flash drives and the hosts they attach to remain safe and secure.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Application #: 1118046
Program Officer: Angelos Keromytis
Project Start:
Project End:
Budget Start: 2011-09-01
Budget End: 2014-08-31
Support Year:
Fiscal Year: 2011
Total Cost: $515,530
Indirect Cost:
Name: University of Oregon Eugene
Department:
Type:
DUNS #:
City: Eugene
State: OR
Country: United States
Zip Code: 97403