Message-Id: <149998076-e48f986b5e79901b4b165c491aef2cb8@pmq1v.m5r2.onet>
Date:	Thu, 07 Jan 2016 08:05:20 +0100
From:	voidquestion <voidquestion@...pl>
To:	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Cc:	"voidquestion@...pl" <voidquestion@...pl>
Subject: How to correctly avoid BadUsb? Udev?

(please CC reply to my email voidquestion@...pl)

How to correctly avoid BadUsb? The solutions I found on the web do not seem to work fully.

Goal: when a device is attached, if it is of the HID family (keyboard, mouse)
and it is attached via USB, then I want to not authorize it to run.

The user would turn on this protection some time after boot (e.g. so that his normal USB keyboard works).

The device can play any tricks (e.g. try to report an invalid name, forge product/vendor),
try to change its function suddenly or to add more devices, or try to hit a race condition
against udev protections.

- the method of echo 0 > authorized is probably not safe (race condition)
- tried setting authorized_default = 1, but then I do not know what the functions of the USB device will be (e.g. whether 2-1.3 will have the function of mass-storage, or maybe mass-storage and also HID)... I see that only after I authorize, so when it's too late


For example:

/sys/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3/authorized  <-- I could manually set this to 1
but it seems I need these files to make sure that this is the correct device:

# cat /sys/devices/pci0000\:00/0000\:00\:1d.0/usb2/2-1/2-1.3/2-1.3\:1.0/uevent
DEVTYPE=usb_interface
DRIVER=usbhid
PRODUCT=1c4f/26/110
TYPE=0/0/0
INTERFACE=3/1/1
MODALIAS=usb:v1C4Fp0026d0110dc00dsc00dp00ic03isc01ip01in00

# cat /sys/devices/pci0000\:00/0000\:00\:1d.0/usb2/2-1/2-1.3/2-1.3\:1.1/uevent
DEVTYPE=usb_interface
DRIVER=usbhid
PRODUCT=1c4f/26/110
TYPE=0/0/0
INTERFACE=3/0/0
MODALIAS=usb:v1C4Fp0026d0110dc00dsc00dp00ic03isc00ip00in01

and they show up only after I authorize the top level 2-1.3/
Am I supposed to do that blindly?

Or is it possible at this point to peek at what device type it will be... but is the kernel guaranteeing that this can not change in some race between looking at the declared type of the device and authorization=1?



Btw, this is not working for me; it disables the entire usb2 hub instead.
Plus, it is probably a mistake to first allow the device and then do echo 0 > authorized:
it seems a brief moment exists between the device starting to run (if authorized_default==1)
and udev being called to perhaps disable it.

    /etc/udev/rules.d/10-usbblock.rules rule contents (10-usbblock.rules):
    #ACTION=="add", ATTR{bInterfaceClass}=="03" RUN+="/bin/sh -c 'echo 0 >/sys$DEVPATH/../authorized'"
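An added example, not part of the original post: it applies the class check behind a udev rule like ATTR{bInterfaceClass}=="03" to interface uevent files of the form quoted above (INTERFACE=class/subclass/protocol, decimal) and lists which interfaces of a device are HID, so an auditor can see what a device exposes before deciding on authorized. The sysfs tree it walks is constructed inline; the function and directory names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Real interface directories
# live under /sys/bus/usb/devices/<bus-port>:<config>.<iface>/ ; here a
# constructed stand-in tree is used so the script runs offline.

# usb_iface_class FILE: print bInterfaceClass (decimal) from a uevent file.
usb_iface_class() {
    sed -n 's|^INTERFACE=\([0-9]*\)/.*|\1|p' "$1"
}

# is_hid_uevent FILE: succeed if the interface is HID (class 3).
is_hid_uevent() {
    [ "$(usb_iface_class "$1")" = "3" ]
}

# hid_ifaces DEVDIR: print the uevent paths of the HID interfaces under a
# device directory (e.g. .../2-1.3) and succeed if at least one was found.
hid_ifaces() {
    found=1
    for ue in "$1"/*:*/uevent; do
        [ -f "$ue" ] || continue
        if is_hid_uevent "$ue"; then
            echo "$ue"
            found=0
        fi
    done
    return $found
}

# make_sample_tree DIR: constructed device with the two HID interfaces
# quoted in the post plus a mass-storage (class 8) interface.
make_sample_tree() {
    for i in 0 1 2; do mkdir -p "$1/2-1.3/2-1.3:1.$i"; done
    printf 'DEVTYPE=usb_interface\nDRIVER=usbhid\nINTERFACE=3/1/1\n' \
        > "$1/2-1.3/2-1.3:1.0/uevent"
    printf 'DEVTYPE=usb_interface\nDRIVER=usbhid\nINTERFACE=3/0/0\n' \
        > "$1/2-1.3/2-1.3:1.1/uevent"
    printf 'DEVTYPE=usb_interface\nDRIVER=usb-storage\nINTERFACE=8/6/80\n' \
        > "$1/2-1.3/2-1.3:1.2/uevent"
}

# Demo run on the constructed tree: prints the two HID interface paths.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
if hid_ifaces "$tmp/2-1.3"; then
    echo "device 2-1.3 exposes HID: keep authorized=0"
fi
rm -rf "$tmp"
```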
