
DAUKEYEV»

ISSN 2790-0886

VESTNIK

OF ALMATY UNIVERSITY OF POWER ENGINEERING AND TELECOMMUNICATIONS

Established in June 2008

Thematic focus: power engineering and power machine building; information, telecommunication and space technologies

4 (59) 2022

Impact factor: 0.095

Scientific and technical journal. Published 4 times a year

Almaty


on re-registration of a periodical print publication, news agency and online publication

No. KZ14VPY00024997, issued by

the Ministry of Information and Social Development of the Republic of Kazakhstan

Subscription index: 74108. Editor-in-chief

Stoyak V.V.

Candidate of Technical Sciences, Professor

Deputy editor-in-chief: Zhauyt Algazy, PhD. Executive secretary: Shuyebayeva D.A., Master

Editorial board

Editor-in-chief: Stoyak V.V., Candidate of Technical Sciences, Professor of Almaty University of Power Engineering and Telecommunications named after Gumarbek Daukeyev, Kazakhstan;

Deputy editor-in-chief: Zhauyt A., PhD, Associate Professor of Almaty University of Power Engineering and Telecommunications named after Gumarbek Daukeyev, Kazakhstan;

Sagintayeva S.S., Rector of Almaty University of Power Engineering and Telecommunications named after Gumarbek Daukeyev, Doctor of Economics, Candidate of Physical and Mathematical Sciences, Professor of Mathematics, Academician of the International Academy of Informatization;

Revalde G., PhD, Corresponding Member of the Academy of Sciences, Director of the National Council of Science, Riga, Latvia;

Iliev I.K., Doctor of Technical Sciences, University of Ruse, Bulgaria;

Beloev K., Doctor of Technical Sciences, Professor of the University of Ruse, Bulgaria;

Obozov A.D., Doctor of Technical Sciences, National Academy of Sciences of the Kyrgyz Republic, Head of the Renewable Energy Sources Laboratory, Kyrgyz Republic;

Kuznetsov A.A., Doctor of Technical Sciences, Professor of Omsk State Technical University, OmGUPS, Russian Federation, Omsk;

Alipbayev K.A., PhD, Associate Professor of Almaty University of Power Engineering and Telecommunications named after Gumarbek Daukeyev, Kazakhstan;

Zvereva E.R., Doctor of Technical Sciences, Professor of Kazan State Power Engineering University, Russian Federation, Kazan;

Lakhno V.A., Doctor of Technical Sciences, Professor of the National University of Life and Environmental Sciences of Ukraine, Department of Computer Systems, Networks and Cybersecurity, Kyiv, Ukraine;

Omarov Ch.T., Candidate of Physical and Mathematical Sciences, Director of the V.G. Fesenkov Astrophysical Institute, Kazakhstan;

Konshin S.V., Candidate of Technical Sciences, Professor of Almaty University of Power Engineering and Telecommunications named after Gumarbek Daukeyev, Kazakhstan;

Tynymbayev S.T., Candidate of Technical Sciences, Professor of Almaty University of Power Engineering and Telecommunications named after Gumarbek Daukeyev, Kazakhstan.

The authors are responsible for the accuracy of the materials.

When using materials from the journal, a reference to «Vestnik AUES» is mandatory.


INFORMATION, TELECOMMUNICATION AND SPACE TECHNOLOGIES

IRSTI 81.93.29 https://doi.org/10.51775/2790-0886_2022_59_4_101

RESEARCH OF THE SAFETY OF THE OPERATING SYSTEM WITH MODIFIED USB DEVICES

Ye.A. Zuyeva¹*, G.K. Ordabayeva²

¹Non-profit JSC “Almaty University of Power Engineering and Telecommunications named after Gumarbek Daukeyev”, Almaty, Kazakhstan

²Al-Farabi Kazakh National University, Almaty, Kazakhstan E-mail: [email protected], [email protected]

Abstract. The goal of the article is to consider the data received and the results of initialization in the Windows and Linux operating systems, and to establish the characteristics that devices present to the system at the moment power is applied via the USB port.

The scientific novelty of the work is as follows: 12 different USB devices are described (in total, 40 devices were considered, 50% of them pre-modified), and all of them were successfully discovered by a software and hardware complex that reads device descriptors. When the devices were connected to the complex, it recognized the modifications and issued warnings. The novelty also lies in the qualitative analysis of descriptors and in the study of the reaction of the Windows and Linux operating systems when assessing an attacker's seizure of control over the operating system, that is, the ability to operate with administrator rights by presenting a USB flash device as a device of a different class. The ability to manage an operating system with administrator rights from a modified device was also assessed: Linux behaves more stably than Windows because the Linux kernel implements a different kernel management concept that leaves fewer vulnerabilities functionally exploitable.

The tasks were to track the identification of factory and modified devices using a specially created hardware and software complex, and to analyze the operability of the system under the test conditions on the presented devices.

Since a pre-modified device gives an attacker more opportunities to seize access to the operating system, it seems rational in the future to block such modified devices.

Keywords: malware, vulnerability, device security, modified device.

INTRODUCTION

Companies and industries of all kinds, as well as ordinary users, face the problem of attacks based on vulnerabilities of USB devices. Such an attack becomes possible if the USB device was reprogrammed in advance by a hacker so that the system perceives it as another common USB device. Embedded malicious code brings insecurity and instability, and computer systems begin to work erratically. As a result, the organization or user who allowed USB devices to be turned into the hacker's subordinates passively assists the distributors of malicious code, and economic, technical, production and reputational losses follow. Neither antiviruses nor any other solutions protect against this vulnerability: they are not able to give a reliable assessment of the actions of USB media at the right moment.

The choice of USB devices and their widespread use are dictated by their performance, versatility, reliability, ease of use and convenience. However, they are insidious, and they are among the most dangerous and actively used channels for implementing information security threats. There is also a standardization problem: there are no uniform controls for detecting preliminary modifications of USB devices, nor methods for detecting such devices themselves.


Conducting experiments, knowing the device and proving attack scenarios against USB devices allows one to understand the vectors of these attacks, and then to predict protection schemes and safe methods of servicing connected USB devices that may carry malicious code.

Using the universal data extraction interface, during the study we organized a secure tool in terms of trust in computer control and the absence of takeover via USB devices. We conducted research and prepared several Bad USB devices with a changed description, able to seize control of the computer system (operating environment) in the guise of other devices through which attacks can be carried out.

To explain the situation in practice: if remote access to the operating environment of a computer is needed in order to perform actions on it without having user passwords or other system information about the victim's computer, a device with preloaded commands is used (the time needed at the victim's computer is no more than a couple of tens of seconds). The algorithm of the modified device is: connect the device to the victim computer's hardware via the USB interface, automatically create a channel between the host and the victim computer, and at the right moment initiate the execution of a pre-prepared script.

Information between the host and many remote devices is synchronized via the USB bus, which is a complex for the simultaneous servicing of application programs, processes and devices. An important difference between USB and other traditional remote interfaces is that a host controller with multi-level support coordinates software processes with all devices. Up to 127 devices can be connected to one node and exchange request-response packets. When power is supplied, the connected device is assigned a unique address, and then, in addition to the addressing of physically connected devices, the system offers logical addressing inside the device. This allows data streams to be separated by functionality within one device.

All of this structure can be described by a descriptive part: the descriptors. They have the hierarchical structure shown in Figure 1.

Figure 1 - USB Device Descriptor

The figure shows that one device can have several configurations (configuration descriptors), but only one configuration is active at any given moment. Connecting remote devices to a computer relies on devices with a USB connector, because USB classes and the drivers for those classes are defined in the specifications. Viewed from the inside, a USB device belongs to some specific class (according to the device manufacturer's classification), and every USB device has a class.

If the kernel of the operating system knows the class of the device, it can work with the device without special drivers.

The main idea of automatically determining the operability of USB devices when they are connected provides two mechanisms:

1. The device transmits its attributes to the host, including the Vendor ID (VID) and Product ID (PID). Based on these identifiers, the host finds ways to work with the device (usually expressed as a requirement to install drivers supplied by the device developer).


2. The device transmits a standardized device class identifier to the host. Operating systems have ready-made drivers for popular classes of devices, so such devices are connected without any direct request to the user and are invisible to the end user.

For the detailed specifications of input devices such as a stylus, trackball or mouse, the HID standard describes an independent class of devices called USB HID Consumer Control (after all, this is a special communication channel with the device). Therefore, one can build a USB device that does not require the creation and installation of specific drivers on most operating systems.

There are also devices without a human interface, such as UPS units and thermometers. These are devices whose developers set out to create a simple technological solution without digital panels as the tool for human-machine interaction.

If a device complies with the logical specifications of HID Consumer Control, then it can belong to the USB HID class, which enables and contributes to the rapid distribution of the device and simplifies installation for end users.

USB HID can be used both to describe the operation of the device in question and to describe its interface. For example, it is quite acceptable for one USB device to expose two different USB interfaces at the same time (for example, a USB phone can use a HID keyboard and a USB audio device as a microphone).

BadUSB is an attack that specializes in the delivery and execution of malicious code. Every controller is unique, and the firmware being implanted must be developed specifically for each controller; the organization of the firmware differs from one controller to another. All this significantly reduces the likelihood of a global BadUSB epidemic, but does not completely protect against hacking.

There are many possible attack vectors. The most commonly used are the following four:

1. reprogramming the microcontroller of a USB device so that it represents another device (for example, a power supply) that may act as a different device (for example, a keyboard or mouse);

2. reprogramming the firmware of the USB device to perform malicious actions (for example, loading malware or distorting information);

3. not flashing the device's firmware at all, but exploiting vulnerabilities in the USB communication protocol and the host operating system;

4. electrical USB attacks.

In order to experiment with BadUSB devices, you first need to create them [1]. After preliminary modification, these devices began broadcasting, creating a Wi-Fi channel, and sketches were launched over the organized channel either from the button control menu or by direct launch of the sketches [2].

Based on the experimental data obtained, the operation of devices with the BadUSB vulnerability was analyzed [3]. There is a security mechanism that comes down to detecting suspicious USB devices by analyzing the timing of the USB packets they generate [4]. In [5], USB drive attacks related to the autorun function and to exploitation of vulnerabilities in the host operating system's USB device drivers caused by malformed USB packets were considered. To increase the organizational security of USB devices within an isolated system [6], the TMSUI software is implemented, acting as a firewall that allows USB drives to be connected only to certain protected individual terminals for a limited time. Based on an analysis of 6 security properties, TMSUI grants only temporary access to certain secure terminals.

BadUSB also occurs by running a PowerShell script from the Bad USB device that activates a keylogger [7].

The authors note that there are no studies on correcting script execution delay. In [8] a protection strategy is proposed that does not interfere with the user: a conclusion is drawn from an analysis of what is happening in the user's session, the probability of the origin of events in the operating system is calculated, that is, the origin of keystrokes is analyzed when automated security decisions are made, and also in cases where the network configuration architecture changes. It all comes down to the system determining who gives the commands: the user or a malicious component. The key element of the proposed protection is the use of masks that filter keys considered dangerous. If long delays are built into the sketch, the proposed system can be bypassed. In [9] the Spyduino board is considered, which the operating system recognizes as a HID device. Using it, attackers can implement scripts and embed it into any device, which then creates the Bad USB vulnerability. The board is built into a USB keyboard and sends confidential information to an FTP server without the user's permission, and can cause significant damage to everyone and everything. The article discusses various countermeasures and presents possible extensions, but a whitelist policy is not always applicable, since a device can be clean at one moment and modified at another, and because it is already on the whitelist, the system will be attacked by that USB device. Since Bad USB modifies the USB firmware and can attack every system to which the infected USB device is connected, the solution proposed in [10] is to use a whitelist. A detailed approach to fingerprinting based on USB functions is offered, which facilitates the creation of a list of trusted USB devices. It has also been proposed to pre-filter data from USB devices [11]; the vast majority of such filters are implemented at the operating system level, leaving part of it and the firmware of the USB host controllers unprotected. The authors therefore propose flexible, universal USB filtering policies. [12] shows the operation of the FirmUSB firmware analysis framework, which uses scripts and knowledge of the USB protocol to identify and correlate images of embedded programs on the device and determine the activity they can produce; it checks the device's firmware to determine its ability to generate potentially malicious behavior. Determining whether a device is secure is a challenge due to the many different device architectures and operating systems [13]. The authors conducted experiments measuring the time to reach USB-related target instructions for only two firmware images.

Summing up the above: a detailed analysis of the parameters of USB devices at the moment of connection is needed, as well as a tool for deciding on the possible preliminary modification of devices through analysis of the descriptors and data structures they present.

METHODS

The purpose of the study is to contribute to approaches for detecting suspicious USB devices by analyzing the transmitted parameters in order to decide whether pre-modified firmware is present. For the research part, a software and hardware complex was created and 40 devices of different classes and with various characteristics were examined: iPhone, joystick, keyboard, mouse, gaming mouse, LilyPad Arduino, USB Wi-Fi modem, webcam, USB 3G modem, Android device, docking station, Arduino Mega and others; all of them have a HID interface.

For example, to change part of the USB flash memory, Ducky Script programming is used. These sketches cause the victim's computer to perform actions written into the memory of the USB device, without the knowledge or consent of the user sitting at the victim's computer.

The algorithm of the Bad USB device is as follows: connect the device to the victim computer's equipment via the USB interface, automatically create a channel between the host and the victim computer, and initiate the execution of the required script at the right moment.

It is necessary to identify patterns of data presentation in order to achieve clarity in the analysis of data presentation structures. This, in turn, makes it possible to carry out a qualitative analysis and to decide adequately whether the connected USB device carries pre-modified firmware.

The firmware provides several operating modes:

1. direct control of mouse buttons and keyboard keys;

2. loading and execution of programs previously loaded into memory;

3. formatting of the programs loaded into the memory of the USB drive (emergency mode);

4. data filtering mode;

5. USB device firmware update mode;

6. device parameter configuration mode.

Experiments were carried out on different operating systems. For example, in one experiment on Windows a device with modified firmware was created that posed as a keyboard and issued commands on behalf of the user under whose account the operating system was logged in, thereby gaining full access to all the capabilities of the operating system. Malicious software was downloaded and launched on behalf of the user, files were saved and sent, and data deletion commands were run.

The motherboard (computer system) and the USB device are coordinated through a microcontroller, and for the controller to perform operations, its control code resides in its service memory.

The user has no access to this memory through ordinary programs, and for some controller models a hardware programmer is required, which of course brings certain difficulties and inconveniences. At the same time, no antivirus recognizes a reflash, since it lives in the firmware of the device.


Considering the USB device in detail, it must be said at once that it has unique identifiers: VID (vendor identifier) and PID (product identifier), which are presented to the system as four-digit hexadecimal numbers, together with data on the number of configurations. By reading their values, one can determine the type of USB drive controller and then its manufacturer (though not reliably, since the manufacturer can specify them at its own discretion).

Various utilities such as ChipEasy can be used to determine the controller type (Figure 2).

Figure 2 - An example of polling a USB drive with the utility

An attacker only needs to connect to the created access point using the specified password (shown on the left of Figure 3) and the network interface settings (on the right of Figure 3).

Figure 3 - Connecting to the created access point

RESULTS AND DISCUSSION

As part of the project, 40 devices were tested; the article describes only 12 of them.

Among the 40 devices, 20 were pre-modified. All of them were subsequently discovered by the software and hardware complex, which issued warnings about them.

Because attacks on USB devices are targeted and deliberate, USB devices pose a serious threat first of all to industrial facilities, where they can cause dangerous situations and great harm. Personal computers are under the same threat. Once control is seized from the computer and handed to the attacker, the computer turns into a weapon capable of reading, modifying, replacing and transmitting data, opening and removing communication channels, and deforming the network infrastructure.

There is no effective way to defend against this kind of USB attack. Antiviruses cannot access the firmware running on the device, and detection based on behavioral patterns is difficult, since the behavior of an infected device may look as if the user simply plugged in a new device or is simply using a keyboard or mouse.

Specific actions can be blocked or allowed for specific USB device classes and device IDs, but such general lists are easily bypassed.


Figure 4 shows information on the qualitative analysis of descriptors for 4 devices in total. 40 devices were tested in all, of which 20 were pre-modified. The complex recognized all pre-modified devices correctly and gave an adequate conclusion.

Figure 4 – Some descriptors of 4 devices


Research was conducted (data presented in Table 1) to analyze the response of operating systems to scenarios in which a USB flash drive is passed off as another class of device (success), and to assess the attacker's seizure of further control over the operating system (the ability to operate with administrative rights).

Table 1 - Modified USB drive behavior analysis results

Class type after   Success of issuing USB flash      Seizure of control by attacker
modification       as another class of devices       over the operating system
                   Linux        Windows              Accident in Linux   Accident in Windows
Hub                7.5%         12.5%                5%                  27%
Keyboard           92.5%        97.5%                42%                 56%
Mouse              95%          98%                  29%                 62%
Wireless           47.5%        54%                  33%                 48%
Camera             82.5%        86.5%                26%                 69%

Figure 5 shows the success of passing off a USB flash drive as another class of device on different operating systems. Figure 6 assesses the ability to manage the operating system with administrative rights from the BadUSB device.

Figure 5 - Scenarios for issuing a USB flash drive as another class of device

Figure 6 - Estimate of the ability to operate with administrative rights on operating systems from BadUSB devices



These figures confirm that Linux behaves more stably than Windows, since the Linux kernel implements a different kernel management concept that leaves fewer vulnerabilities.

In order to recognize descriptors, analyze them, compare them with pattern groups and ultimately issue a conclusion on the preliminary modification of the device, the following work had to be performed:

1) study the methods and algorithms by which USB devices function;

2) work on the software and hardware part of the project;

3) physically select the components and implement their software interaction;

4) make the transition to the firmware component through a compact representation of descriptors;

5) create the software, implemented in the Arduino IDE environment;

6) debug the functions for correct identification of ports and adjust the firmware of the complex;

7) create scripts, debug them on devices and provide a range of USB devices for testing;

8) significantly improve the operation of the Wi-Fi module by creating temporary data reading zones so that commands are not "swallowed", while creating a stable data reading channel from a modified device that provides a read/write/transfer check of control on the channel.

Recall that all USB devices provide a device descriptor on request, which contains information about the device class, the manufacturer and product identifiers, and the number of configurations. Each configuration then provides a configuration descriptor indicating the number of interfaces and other characteristics. Each interface provides an interface descriptor for each of its alternate settings, containing the class and the number of endpoints. Finally, each endpoint of an interface is represented by an endpoint descriptor indicating the endpoint type and maximum packet size.

According to the descriptor standard, device descriptors begin with some information about the descriptor itself: the first byte is the length of the descriptor in bytes, the second byte is the descriptor type.

Further, on request, the number of possible configurations the device can have is determined. Most devices are single-function, meaning they have only one configuration. From the configuration descriptor one can learn how the device is powered, its maximum power consumption and the number of device interfaces. Thus two configurations are possible for a device: one for power supply from the bus, the other for power from an external source. Since the configuration descriptor is a header for the interface descriptors, different configurations for different transmission modes are also possible.
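The descriptor hierarchy described above, read back from raw bytes and checked in the spirit of the complex (what a device claims versus the pattern recorded for its VID/PID), as an added example that is not the authors' code: the parser walks device, configuration, interface and endpoint descriptors by their length/type header, and the check flags a flash drive whose firmware has gained a boot-protocol keyboard interface. The sample descriptors, the VID/PID pair 0x1234:0x5678 and the baseline table are constructed for this illustration.

```python
"""Decode raw USB device/configuration descriptors and flag BadUSB-style class changes."""
import struct
from dataclasses import dataclass, field

# Descriptor type, class and endpoint codes from the USB 2.0 and HID specifications.
DT_DEVICE, DT_CONFIG, DT_INTERFACE, DT_ENDPOINT = 0x01, 0x02, 0x04, 0x05
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08
HID_BOOT_SUBCLASS, HID_PROTO_KEYBOARD, HID_PROTO_MOUSE = 0x01, 0x01, 0x02
EP_BULK, EP_INTERRUPT = 0x02, 0x03

@dataclass
class Interface:
    number: int
    cls: int
    protocol: int
    endpoints: list = field(default_factory=list)  # (bEndpointAddress, transfer type)

@dataclass
class Device:
    vid: int
    pid: int
    device_class: int
    num_configs: int
    max_power_ma: int
    interfaces: list

def parse_descriptors(dev_desc: bytes, cfg_blob: bytes) -> Device:
    """Decode the 18-byte device descriptor and one full configuration blob."""
    if len(dev_desc) != 18 or dev_desc[0] != 18 or dev_desc[1] != DT_DEVICE:
        raise ValueError("malformed device descriptor")
    fields = struct.unpack("<BBHBBBBHHHBBBB", dev_desc)
    dev_class, vid, pid, n_cfg = fields[3], fields[7], fields[8], fields[13]
    if len(cfg_blob) < 9 or cfg_blob[0] != 9 or cfg_blob[1] != DT_CONFIG:
        raise ValueError("malformed configuration descriptor")
    total_len, max_pwr = struct.unpack("<H", cfg_blob[2:4])[0], cfg_blob[8]
    if total_len != len(cfg_blob):
        raise ValueError("wTotalLength does not match the data received")
    interfaces, pos = [], 9
    while pos < len(cfg_blob):  # every descriptor starts with bLength, bDescriptorType
        b_len = cfg_blob[pos]
        if b_len < 2 or pos + b_len > len(cfg_blob):
            raise ValueError("descriptor runs past wTotalLength")
        chunk = cfg_blob[pos:pos + b_len]
        if chunk[1] == DT_INTERFACE and b_len == 9:
            interfaces.append(Interface(chunk[2], chunk[5], chunk[7]))  # number, class, protocol
        elif chunk[1] == DT_ENDPOINT and b_len == 7 and interfaces:
            interfaces[-1].endpoints.append((chunk[2], chunk[3] & 0x03))
        pos += b_len  # class-specific descriptors (e.g. HID, type 0x21) are skipped by length
    return Device(vid, pid, dev_class, n_cfg, max_pwr * 2, interfaces)  # bMaxPower is in 2 mA units

def assess(dev: Device, baseline: dict) -> list:
    """Compare the claimed interfaces with the classes recorded for this VID/PID and with
    the classic storage-plus-keyboard BadUSB pattern; return a list of warnings."""
    warnings, classes = [], {i.cls for i in dev.interfaces}
    inputs = [i for i in dev.interfaces
              if i.cls == CLASS_HID and i.protocol in (HID_PROTO_KEYBOARD, HID_PROTO_MOUSE)]
    expected = baseline.get((dev.vid, dev.pid))
    if expected is None and inputs:
        warnings.append("unknown VID/PID presents a keyboard or mouse interface")
    elif expected is not None and classes != expected:
        warnings.append(f"interface classes {sorted(classes)} differ from baseline {sorted(expected)}")
    if CLASS_MASS_STORAGE in classes and inputs:
        warnings.append("storage device also exposes a keyboard/mouse interface (BadUSB pattern)")
    for i in inputs:  # a genuine boot keyboard/mouse reports through an interrupt IN endpoint
        if not any(addr & 0x80 and kind == EP_INTERRUPT for addr, kind in i.endpoints):
            warnings.append(f"HID interface {i.number} has no interrupt IN endpoint")
    return warnings

def make_interface(num: int, cls: int, sub: int, proto: int, eps: list, extra: bytes = b"") -> bytes:
    hdr = struct.pack("<9B", 9, DT_INTERFACE, num, 0, len(eps), cls, sub, proto, 0)
    return hdr + extra + b"".join(eps)

def make_endpoint(addr: int, kind: int, size: int) -> bytes:
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, addr, kind, size, 1)

def make_config(*ifaces: bytes) -> bytes:  # bus powered (bmAttributes 0x80), bMaxPower 50 -> 100 mA
    body = b"".join(ifaces)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body), len(ifaces), 1, 0, 0x80, 50) + body

# Constructed sample values: not a real vendor/product pair.
FLASH_VID, FLASH_PID = 0x1234, 0x5678
FLASH_DEV = struct.pack("<BBHBBBBHHHBBBB", 18, DT_DEVICE, 0x0200, 0, 0, 0, 64,
                        FLASH_VID, FLASH_PID, 0x0100, 1, 2, 3, 1)  # bNumConfigurations = 1
STORAGE_IFACE = make_interface(0, CLASS_MASS_STORAGE, 0x06, 0x50,  # SCSI transparent, bulk-only
                               [make_endpoint(0x81, EP_BULK, 512), make_endpoint(0x02, EP_BULK, 512)])
HID_CLASS_DESC = bytes([9, 0x21, 0x11, 0x01, 0, 1, 0x22, 0x3F, 0])  # class-specific HID descriptor
KEYBOARD_IFACE = make_interface(1, CLASS_HID, HID_BOOT_SUBCLASS, HID_PROTO_KEYBOARD,
                                [make_endpoint(0x83, EP_INTERRUPT, 8)], extra=HID_CLASS_DESC)
# Factory flash drive: one mass-storage interface.
BENIGN = (FLASH_DEV, make_config(STORAGE_IFACE))
# Same VID/PID after a firmware modification that adds a boot-protocol keyboard interface.
MODIFIED = (FLASH_DEV, make_config(STORAGE_IFACE, KEYBOARD_IFACE))
# Constructed baseline: interface classes recorded earlier for trusted devices.
BASELINE = {(FLASH_VID, FLASH_PID): {CLASS_MASS_STORAGE}}

if __name__ == "__main__":
    for name, raw in (("factory", BENIGN), ("modified", MODIFIED)):
        dev = parse_descriptors(*raw)
        print(name, [hex(i.cls) for i in dev.interfaces], assess(dev, BASELINE) or "OK")
```

The baseline is the pattern group of the paper's approach; a deployment would populate it from descriptors captured from known-good devices rather than from a hard-coded table.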

After analyzing the data of Table 1, namely summing up the reaction of operating systems to the detection of scenarios in which a USB drive is passed off as another class of device, an assessment was made of the potential seizure by an attacker of control over the operating system.

Any device with a USB interface can be regarded as a kind of system/computer that can be programmed to execute any commands from a hacker. Bad USB attacks skillfully exploit the fact that not all manufacturers protect their devices from reflashing, that hosts do not check USB devices for authenticity, and that when a new HID device is connected the computer does not determine its class itself but trusts the descriptors sent by the device. Thanks to this, the firmware of the microcontroller can be replaced and one device passed off as another: for instance, a USB flash drive pretends to be a keyboard, and later, when connected, opens the command line, creates its own script, executes it and deletes it within seconds.

No correct security system exists, since there is no single controller, and therefore no universal countermeasure against such an attack either.

A complete, radical development of protection will take a lot of time and resources, since the manufacturers themselves would need to fully open the source code of the firmware, which is very difficult for USB device manufacturers. One possible security vector is signing of the firmware by the hardware manufacturers and a corresponding check on the host side before the device is used, which the current USB specification does not provide for. Special software for detecting malicious devices does not check the firmware, there is no further recognition procedure, and this is unlikely to change in the near future, as it poses difficulties for many USB device manufacturers. Developers of antivirus products will be forced to add separate modules to manage plug-in USB devices more flexibly.

CONCLUSION

Since USB devices are used at home, in offices and in enterprises for connecting devices, managing them and transmitting information, they are universal everywhere. For this very reason they are among the most dangerous and actively used means and channels for implementing information security threats.

After all, they can be technologically modified in a certain way, giving dangerous properties to ordinary harmless devices. It is therefore important to have tools and technologies for detecting preliminary modifications of USB devices.

The article describes only 12 of the 40 USB devices. Among the 40 devices, 20 were pre-modified. All of them were subsequently recognized by the complex. The components of the complex were selected on the basis of the technical characteristics of the printed circuit boards and their cost.

The completeness (structure) of the data of the various devices showed heterogeneity both in the length of the main descriptors and in their content. This device configuration information was generated at the request of the device polling module: device information, device descriptors, configuration descriptors and interfaces.

The complex effectively detects the Bad USB vulnerability in USB devices, which carries potential and, when applied, will increase security for both production workstations and personal computers.

The studies analyzed devices of different classes and the resistance of different operating systems in recognizing BadUSB-type attacks.

These studies can be used to protect against possible BadUSB threats both in users' home lives and as a separate security module in the office, as well as wherever many USB devices need to be connected and the safety of their operation guaranteed.

The study sets the tasks of analyzing the obtained parameters, categorizing them and identifying patterns; creating dependencies for identifying USB devices in different operating environments; discovering mechanisms, methods and structures for determining pre-modified devices by describing descriptors; and discussing an effective tool for developing a method of identifying pre-modified devices.

After these studies, the level of danger of a modified USB drive's effect on the operating system is reduced by diagnosing the connection. This, in turn, makes it possible to manage a complex of devices with USB ports and to reconfigure access to USB ports individually, which significantly affects the security level of the computer system as a whole. The introduction of this technology increases the safety and stability of computer systems by identifying suspicious USB devices, ensuring a safer level of system operation.

The article describes the results of applying the hardware and software complex, as a way to recognize modification of USB devices, to 40 USB devices. The developed complex successfully recognized device modifications using descriptors. Thus, our research is a tool for blocking hackers' access through the use of modified devices.

Antiviruses are not a solution or a security tool, as they respond only to certain events, which in turn a USB device can bypass.

Another solution to the problem may be for the manufacturer to block the possibility of modification by means of an electronic digital signature (EDS) for each USB device, which requires a special protective mechanism over the firmware.

Implementing these protections entails a complete revision of the USB standard, which will require effort over a long period of time.

ACKNOWLEDGEMENTS

This research has been funded by the Science Committee of the Ministry of Education and Science of the Republic of Kazakhstan (Grant No. АР15473360).


STUDY OF OPERATING SYSTEM SECURITY WITH MODIFIED USB DEVICES

Ye.A. Zuyeva¹*, G.K. Ordabayeva²

¹NJSC "Almaty University of Power Engineering and Telecommunications named after Gumarbek Daukeyev", Almaty, Kazakhstan

²Al-Farabi Kazakh National University, Almaty, Kazakhstan E-mail: [email protected], [email protected]

Abstract. The aim of the article is to consider the obtained data and the results of initialization in the Windows and Linux operating systems, and the initialization of device characteristics when connected through a USB port and their representation in the system.

The scientific novelty of the work is predetermined by the description of 12 different USB devices (40 devices in total were considered, 50% of them pre-modified), which were successfully identified by a hardware and software complex that reads the device descriptors. When the devices were connected to the complex, its analysis recognized the modifications and issued warnings. The novelty also lies in the information presented on a qualitative analysis of the descriptors and on the existence of research into the response of the Windows and Linux operating systems when assessing an attacker's seizure of control over the operating system, namely control with administrator rights by replacing the representation of a USB flash device with another device class. The possibility of controlling the operating system with administrator rights from a modified device is also assessed, namely: Linux behaves more stably than Windows because the Linux kernel implements a different concept of kernel management, which allows the vulnerabilities to function.

The tasks were to track the identification of factory and modified devices using a specially created software and hardware complex, and to analyze the operability of the complex under test conditions on the presented devices. Since a pre-modified device gives an attacker more opportunities to gain access to the operating system, it seems necessary in the future to block such a modified device.

Keywords: malware, vulnerability, device security, modified device.

STUDY OF THE SECURITY OF AN OPERATING SYSTEM WITH MODIFIED USB DEVICES

Ye.A. Zuyeva¹*, G.K. Ordabayeva²

¹NJSC "Almaty University of Power Engineering and Telecommunications named after Gumarbek Daukeyev", Almaty, Kazakhstan

²Al-Farabi Kazakh National University, Almaty, Kazakhstan E-mail: [email protected], [email protected]

Abstract. The aim is to consider the obtained data, the results of initialization in the Windows and Linux operating systems, and the initialization of device characteristics at the moment of power-on through the USB port and their representation in the system.

The scientific novelty of the work is predetermined by the fact that 12 different USB devices were described (40 devices in total were considered, 50% of them pre-modified), and they were successfully detected by a hardware and software complex that reads device descriptors. When the devices were connected to the complex, its analysis recognized the modifications and issued warnings. The novelty also consists in presenting information on a qualitative analysis of the descriptors and on the existence of research into analyzing the response of the Windows and Linux operating systems when assessing an attacker's seizure of control over the operating system, that is, the possibility of control with administrator rights by replacing the representation of a flash-class USB device with another device class. An assessment is also given of the possibility of controlling the operating system with administrator rights from a modified device, namely: Linux behaves more stably than Windows because the Linux kernel implements a different concept of kernel management, which allows fewer vulnerabilities to function.

The tasks were to track the operation of identifying factory and modified devices using a specially created hardware and software complex, and to analyze the operability of the complex under test conditions on the presented devices. Since a pre-modified device gives an attacker more opportunities to seize access to the operating system, it seems necessary in the future to block such a modified device.

Keywords: malware, vulnerability, device security, modified device.


Publication imprint

Name of the periodical: scientific and technical journal "Bulletin of the Almaty University of Power Engineering and Telecommunications"

Owner of the periodical: "Almaty University of Power Engineering and Telecommunications named after Gumarbek Daukeyev" non-profit joint-stock company, Almaty, Kazakhstan

Editor-in-chief: Professor, Candidate of Technical Sciences V.V. Stoyak

Number and date of the re-registration certificate and the issuing authority: No. KZ14VPY00024997, dated 17.07.2020, Ministry of Information and Social Development of the Republic of Kazakhstan

Periodicity: 4 times a year (quarterly)

Serial number and publication date of the periodical: overall number 59, issue 4, 30 December 2022

Subscription index: 74108

Circulation: 200 copies

Price: negotiable

Printing house and its address: printing house of "Almaty University of Power Engineering and Telecommunications named after Gumarbek Daukeyev" NJSC, 126/1 Baitursynuly street, office A120

Editorial office address: 050013, Almaty, "Almaty University of Power Engineering and Telecommunications named after Gumarbek Daukeyev" NJSC, 126/1 Baitursynuly street, office A224, tel.: 8 (727) 292 58 48, 708 880 77 99, e-mail: vestnik@aues.kz

