Curtain: Keep Your Hosts Away from USB Attacks

  • Jianming FuEmail author
  • Jianwei Huang
  • Lanxin Zhang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10599)


In recent years, many attacks targeting USB were proposed. Besides spreading virus through USB storage, attackers are tending to attack USB stacks because in most cases, any information from devices will be trusted. In this paper, we design a system named Curtain on Windows to defend those attacks by analyzing their IRP flows. Curtain is deployed as a filter driver in USB stack on Windows. It’ll sniff all the IRP flows of each USB device and analyze them. It’s based on the fact that an attack always happens in a short time and that will be reflected in IRP flows. In short, Curtain provides a solution to defend USB attacks on Windows by inserting a filter driver to USB stacks and catch the behaviors of each device.


USB Device security Windows driver 



This work is sponsored by the National Natural Science Foundation of China (61373168).


  1. 1.
    Al-Zarouni, M.: The reality of risks from consented use of USB devices. School of Computer and Information Science, Edith Cowan University (2006)Google Scholar
  2. 2.
    OLEA Kiosks Inc: Malware Scrubbing Cyber Security Kiosk.
  3. 3.
    Tetmeyer, A., Saiedian, H.: Security threats and mitigating risk for USB devices. IEEE Technol. Soc. Mag. 29(4), 44–49 (2010)CrossRefGoogle Scholar
  4. 4.
    Falliere, N., Murchu, L., Chien, E.: W32. stuxnet dossier. White paper, Symantec Corp., Security Response. vol. 5, p. 6 (2011)Google Scholar
  5. 5.
    Pavković, N., Perkov, L.: Social Engineering Toolkit-A systematic approach to social engineering. In: the 34th International Convention, pp. 1485–1489 (2011)Google Scholar
  6. 6.
    Hak5. Episode 709: USB Rubber Ducky Part 1.
  7. 7.
  8. 8.
    MouseJack, KeySniffer and Beyond: Keystroke Sniffing and Injection Vulnerabilities in 2.4GHz Wireless Mice and Keyboards.
  9. 9.
    Karsten, N., Sascha, K., Jakob, L.: BadUSB-On accessories that turn evil. In: BlackHat (2014)Google Scholar
  10. 10.
    Karsten, N., Sascha, K., Jakob, L.: BadUSB-On accessories that turn evil. In: PacSec (2014)Google Scholar
  11. 11.
    Caudill, A., Wilson, B.: Phison 2251–03 (2303) Custom Firmware & Existing Firmware Patches (BadUSB).
  12. 12.
    Tian, D., Scaife, N., Bates, A., Butler, K., Traynor, P.: Making USB great again with USBFILTER. In: the 25th USENIX Security Symposium, pp. 415–430 (2016)Google Scholar
  13. 13.
    Tian, D., Bates, A., Butler, K.: Defending against malicious USB firmware with GoodUSB. In: The 31st Annual Computer Security Applications Conference, pp. 261–270 (2015)Google Scholar
  14. 14.
  15. 15.
  16. 16.
  17. 17.
  18. 18.
    Microsoft Developer Network: USB host-side drivers in Windows.
  19. 19.
    Microsoft Windows Embedded 8.1 Industry: Usb flter (industry 8.1).
  20. 20.
    Universal Serial Organization: USB Class Codes.
  21. 21.
    Zaitcev, P.: The usbmon: USB monitoring framework. In: Linux Symposium, pp. 291–296 (2005)Google Scholar
  22. 22.
    PJRC: Teensy 3.2&3.1-New Features.
  23. 23.
    Kamkar, S.: USBdriveby.
  24. 24.
    Liu, F., Ting, K., Zhou, Z.: Isolation forest. In: the 8th IEEE International Conference on Data Mining, pp. 413–422 (2008)Google Scholar
  25. 25.
    Pham, D., Haigamuge, M., Sysed, A., Mendis, P.: Optimizing windows security features to block malware and hack tools on USB storage devices. In: Progress in Electromagnetics Research Symposium, pp. 350–355 (2010)Google Scholar
  26. 26.
    Universal Serial Bus Specification.
  27. 27.
  28. 28.
    USB Monitor Pro.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Key Laboratory of Aerospace Information Security and Trusted ComputingWuhan UniversityWuhanChina
  2. 2.School of Computer ScienceWuhan UniversityWuhanChina

Personalised recommendations