User: Password:
|
|
Subscribe / Log in / New account

USBGuard: authorization for USB

Benefits for LWN subscribers

The primary benefit from subscribing to LWN is helping to keep us publishing, but, beyond that, subscribers get immediate access to all site content and access to a number of extra site features. Please sign up today!

November 8, 2017

This article was contributed by Nur Hussein

USBGuard is a security framework for the authorization of USB devices that can be plugged into a Linux system. For users who want to protect a system from malicious USB devices or unauthorized use of USB ports on a machine, this program gives a number of fine-grained policy options for specifying how USB devices can interact with a host system. It is a tool similar to usbauth, which also provides an interface to create access-control policies for the USB ports. Although kernel authorization for USB devices already exists, programs like USBGuard make it easy to craft policies using those mechanisms.

Malicious USB attacks

Before we look at USBGuard, let's first take a look at the problem it tries to solve: unauthorized use of the USB ports. Beyond the usual data theft that can occur with USB storage devices on sensitive machines, there is also the problem of malicious USB devices programmed specifically for sophisticated attacks. The recent spate of vulnerabilities in the USB subsystem that can be exploited via specially crafted USB devices is worrying. However, even in the absence of software vulnerabilities, it is possible to mount a USB-based attack against host systems. The BadUSB attack is a proof-of-concept malware that reprograms a USB device to surreptitiously attack a computer that it is plugged into—with no privileges required beyond physical access to the machine in question.

USB devices have a tiny embedded microcontroller that is used to facilitate communications between the device and the host computer. The microcontroller runs embedded firmware that lets it perform this task; for BadUSB this firmware was overwritten with customized malicious code that can wreak havoc on a computer in a number of ways. A malicious USB device attached to a host that's booting can infect the system if USB devices are in the boot sequence order. USB devices interact with the host via interfaces, which are a description of the type of device that is presented to the host. A malicious USB storage device, for example, could stealthily create a secondary interface such as a faux keyboard or spoofed network device that sends malicious input or redirects network traffic.

It is also possible to steal credentials from a screen-locked machine simply with a rigged USB drive which, when plugged in, pretends to be a NIC, hijacks the network and DNS settings, and collects credentials from the all too trusting operating system. The information can either be collected by physically retrieving the drive, or it can have its own rogue wireless connection that transmits the sensitive information to the attacker.

USBGuard

It is possible to thwart unauthorized or malicious USB port usage by controlling the types of devices that are allowed to connect to them or to take certain actions based on USB device events. The idea behind USBGuard is that there is a set of approved devices that a user can specify to be allowed on their system and USBGuard enforces those restrictions. A whitelist or blacklist can be generated for a set of devices, which also specifies the allowed behaviors from approved USB devices.

When constructing a whitelist (or blacklist) of devices, a question that needs to be answered is: "How can I tell if this device is mine or not?" The identification system needs to work even on devices that can't be written to, such as scanners and mice. USBGuard attempts to do this by creating a hash of each device a user owns that they want to whitelist, based on its name, manufacturer and model, serial number when available, interface type, and which port it is connected to.

USBGuard works using the underlying kernel USB authorization mechanism to authorize or de-authorize USB devices connecting to the system. A daemon waits on USB events to implement whatever policy the user has specified. A shared library, libusbguard, exports an API for third-party applications to create their own programs that wish to use USBGuard's functionality. While USBGuard can't do anything about boot-time USB attacks, it can protect the ports once the operating system is up and running.

Identifying USB devices

USBGuard collects information about the devices the user owns to identify them, but it is not possible to generate a unique hash for every single USB device in existence. To generate a hash, USBGuard primarily relies on information inside the USB device descriptor, which is a data structure sent from the device to the host when it connects to a port on the computer. The device descriptor includes the manufacturer and model ID of the USB device. The descriptor also contains a field for serial number, but the USB spec makes it an optional field, except for USB storage devices. Therefore, there is no guarantee that the serial number will be present.

It is better to generate a hash with the serial number information if it is present, but if it isn't, then the default behavior for USBGuard is to enable port-specific rules for the connected device. The documentation notes that this is a security measure to ensure the policy is harder to bypass for devices without serial numbers, with the assumption that said device is always physically connected to a specific port.

Rule-based configuration

Configuring USBGuard policy is done using a rule-based language that lets a user specify whether to allow, block, or reject a device based on particular attributes. A device that is blocked will be listed by the operating system as being connected, but no communication is allowed for it. A device that is rejected will be completely ignored after it is inserted into the port.

When a device is inserted in the host, the rules list is scanned from beginning to end until a matching rule is found or, if it reaches the end without a match, then a default rule is applied. An initial policy can be created for the system using the usbguard command-line tool with the generate-policy sub-command that will add the currently connected USB devices to the list of allowed devices and create hashes to identify each device.

The following is an example of a rule, extracted from the documentation: 

    allow with-interface equals { 08:*:* }
The colon separated triad of numbers refer to the USB interface class, subclass, and protocol, which in turn identifies the type of USB device. For example, the hexadecimal number 08 in the class segment of the interface identifier signifies a USB storage device. The example will let any USB storage device (wildcards indicate any subclass or protocol) work on the system. In the absence of any other rule, the default is to block everything else.

The following example is a rule allowing a specific device, also from the documentation: 

   allow 1050:0011 name "Yubico Yubikey II" serial "0001234567" \
       via-port "1-2" hash "044b5e168d40ee0245478416caf3d998" \
       reject via-port "1-2"
The identifier 1050:0011 indicates that the device's manufacturer ID is 1050 (Yubico), and the product ID is 0011 (which is the Yubikey II). Therefore the above command will accept only a Yubikey II device with the given serial number and hash on either port 1 or 2 and reject everything else on that port. The hash is a value that is pre-generated when the user created a whitelist of devices they want to allow.

Development status

USBGuard is included with Red Hat Enterprise Linux 7.4 and later, and has found its way into other distributions too. On Ubuntu and Arch Linux, it is a community-supported optional install. The code is also available from its GitHub repository. The documentation in the repository warns that the 0.x releases are not production ready; since the latest release is numbered at 0.7.0, there is no production release of the software yet.

Conclusion

USBGuard gives users a way to lock down the USB ports of their machine while also enabling specific permissions for specific devices. It is particularly useful for machines that are accessible to the public or in an environment with many users, such as an office. USBGuard provides a reasonable defense against malicious USB devices, although such things are not widespread, at least yet. However, the attribute-based identification mechanism is only "good enough", as it is not possible to confirm the ID of a plugged-in device with 100% certainty, especially for non-storage USB devices without a serial number. It is also possible to spoof the information in the USB descriptor, thus if the policy rules are revealed to an attacker, the whitelist can be bypassed. Despite this, it is better than having no guards against USB attacks at all.

(Log in to post comments)

Locking your keys inside

Posted Nov 8, 2017 17:05 UTC (Wed) by abatters (✭ supporter ✭, #6932) [Link]

Scenario:
Whitelist your existing USB devices.
Existing USB keyboard stops working.
Go to store and buy a new keyboard.
Plug in new keyboard.
New keyboard isn't whitelisted, so can't use it to login to add it to the whitelist.

What you need then is some variant of the well-known "port knocking" technique from the network world, where you plug and unplug the new device into a specific series of ports with specific timings known only to you to add it to the whitelist automatically. Maybe to the tune of your favorite song?

Sorry, couldn't help myself.

;-)

Locking your keys inside

Posted Nov 9, 2017 20:58 UTC (Thu) by flussence (subscriber, #85566) [Link]

This is a solved problem: just copy what Bluetooth does with PIN codes.

Locking your keys inside

Posted Nov 9, 2017 22:24 UTC (Thu) by tzafrir (subscriber, #11501) [Link]

Now start typing a PIN with your mouse.

Locking your keys inside

Posted Nov 11, 2017 22:26 UTC (Sat) by flussence (subscriber, #85566) [Link]

No wonder people complain about Apple being expensive — having to take it in for servicing every time the mouse battery runs low must add up fast!

USBGuard: authorization for USB

Posted Nov 8, 2017 20:27 UTC (Wed) by ejr (subscriber, #51652) [Link]

The most insidious USB threats are outside OS control. The microcontrollers on both sides are vulnerable before anything reaches the OS. I'm not saying the proposed framework is bad, just that it's limited to aspects that *are* under OS control.

USBGuard: authorization for USB

Posted Nov 8, 2017 22:38 UTC (Wed) by ballombe (subscriber, #9523) [Link]

Also there are no reasonable way to identify most devices.
It is easy to impersonate a standard Dell keyboard.
It is not uncommon for laptop to have internal peripherals plugged to the USB bus that could also being impersonated.

USBGuard: authorization for USB

Posted Nov 9, 2017 0:54 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

But the internal peripherals will be plugged in to a different part of the topology. So it's possible to write a rule that says OK, you can have this device on this internal port, where it would be if it's built-in, but it's not allowed on the external USB ports because that makes no sense.

USBGuard: authorization for USB

Posted Nov 10, 2017 1:15 UTC (Fri) by TheLessThanAmazing (guest, #119480) [Link]

Don't forget that a single USB device can have multiple pipes/endpoints.

USBGuard: authorization for USB

Posted Nov 9, 2017 1:38 UTC (Thu) by rahvin (subscriber, #16953) [Link]

I'm not sure how that would be worse than a USB thumb drive that reports itself as a storage device, keyboard, mouse and network controller along with some handy malware that autoruns, draws it's own IP address, opens a vpn connection and starts logging all input/ouput while scanning all attached storage.

USBGuard: authorization for USB

Posted Nov 9, 2017 15:51 UTC (Thu) by nix (subscriber, #2304) [Link]

Also, as of a few days ago it appears that Skylake and later systems can have the ME rooted via JTAG over the USB ports. Since the CPU never sees it (heck, it doesn't even use the USB protocol), and the rooted ME can do *anything*, this seems like a good vector for truly horrific evil maid attacks.

(Thank goodness it requires physical access.)

USBGuard: authorization for USB

Posted Nov 8, 2017 21:51 UTC (Wed) by dullfire (subscriber, #111432) [Link]

Something to note: there are exceptions but in general usb devices receive, at an electrical level, all the data the host sends to any device on the same usb bus (USB 3 sort of changes this, and usb devices operating at different speeds don't see the same traffic). So to some degree a usb device can "passively", after it's been enumerated onto the bus, listen to bus traffic. And if the attacker has physical access, the could simply unplug each device and it's descriptors, in a attempt to build a table of permutations to try (of course being port lock is a little better protection).
While I think attempting to secure USB is a worth while endeavor, it does not seem, to me personally, from this article that USBGuard gives significant protection compared to the effort to configure and the inconvenience when things break.

USBGuard: authorization for USB

Posted Nov 9, 2017 0:36 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

Well, without having yet spent much time thinking about the practical capabilities, I will say that this _is_ equivalent to the lock down required in many enterprise employee systems.

Typically their rule is you can plug in any input device (so the employee's own keyboard works, as does some generic USB mouse they borrowed at a conference when theirs broke) and thus filling the sockets with epoxy is not an option - but it won't allow say, a USB thumb drive. You also see rules prohibiting USB network devices, web cams, and I've even seen printers.

In each case the intent is not to prevent bad guys from doing things, but as a nudge reminder for good guys. Company policy says they mustn't put data onto USB thumb drives. But such a policy might get bent and eventually broken by normal corner cutting. Policy enforcement means that temptation is avoided. A sophisticated employee could probably bypass the protection somehow, but that's _more_ hassle than accepting the policy and not using the drives.

It's usually the case that such a corporate policy can grant exceptions for special purposes. We can imagine that a company with a rule against web cams might decide that a home worker needs a web cam to join video conferences that in the company's own offices are held using a dedicated system, because delivering such a system to the home worker is excessively expensive. Or there might be cause for a technician to have working USB thumb drives despite everybody else up to the executive floor being forbidden. USBGuard seems appropriately flexible.

USBGuard: authorization for USB

Posted Nov 9, 2017 9:17 UTC (Thu) by michaeljt (subscriber, #39183) [Link]

It should even theoretically be possible, if you build the data bases, to present the user of a picture of their computer with diagrams showing what is plugged in where (at least for laptops and other standard-ish systems). If the user knows they wanted to plug a network device into such and such a port they can click on the picture of it to white list it. Agreed that input devices should probably get special treatment.

USBGuard: authorization for USB

Posted Nov 9, 2017 11:36 UTC (Thu) by mfuzzey (subscriber, #57966) [Link]

As I understand it this is not quite true.

Hubs do broadcast all data coming from the upstream (host) to all the downstream devices.

But data from the downstream devices is only sent to the upstream host.

So, if you plug a keyboard, a USB stick and a rogue device into the same hub they rogue device couldn't read they keystrokes (because they are going in the wrong direction) but it could read the data being written to (but not read from) the USB stick.

USBGuard: authorization for USB

Posted Nov 9, 2017 0:39 UTC (Thu) by chfisher (subscriber, #106449) [Link]

Which version of the kernel is required to support this? - none of the documentation says

USBGuard: authorization for USB

Posted Nov 9, 2017 0:49 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Can't you do it only with udev rules?

USBGuard: authorization for USB

Posted Nov 9, 2017 3:45 UTC (Thu) by unixbhaskar (subscriber, #44758) [Link]

Yup, that is my query too! ..thanks for bringing up.

USBGuard: authorization for USB

Posted Nov 9, 2017 10:33 UTC (Thu) by grawity (subscriber, #80596) [Link]

Yes, you could use udev rules to do this by setting ATTR{authorized} apropriately – but they need to be written, while USBGuard has more convenient UIs for that (both command-line and graphical) – a notification pops up and you can confirm the device temporarily or permanently. That's something the article has forgotten to mention.

Since y'all have already started making fun of people being inconvenienced by this feature, it would be unfair to tell the same people to edit udev rulesets every time they get a new device.

Regarding kernel versions, per-device authorization was added in 2007, somewhere around v2.6.24. Per-interface (more fine-grained) authorization is a 2015 addition in v4.4.

USBGuard: authorization for USB

Posted Nov 9, 2017 2:48 UTC (Thu) by biergaizi (subscriber, #92498) [Link]

> allow 1050:0011 name "Yubico Yubikey II"

What's the point here? USB Vendor and Device IDs can be claimed by any re-programmable USB devices, and Vendor ID abuse is a widespread problem. If I remembered correctly, the Vendor ID of a Linux developer who had written an USB programming book, was abused by many clueless manufacturers. And now the Free Software Initiative of Japan, the organization behind Gnuk, the open implementation of OpenPGP smartcard on general microcontrollers, was trying to prevent it from happening again by integrating a Vendor ID setting into the Gnuk build system, and adding warnings about not using FSIJ's Vendor ID on customized Gnuk tokens.

If an attacker is going to infiltrate one physically, I assume they will do their homework to figure it out. Or the whole scheme requires one to keep the USB Vendor/Device ID and its serial number as a secret? Sounds reasonable, and it can make many attacks difficult. But I'm still uncomfortable as it's not possible to keep the serial number of my USB thumb drive as a secret.

USBGuard: authorization for USB

Posted Nov 9, 2017 23:00 UTC (Thu) by gdt (subscriber, #6284) [Link]

As an aside, there are USB Product IDs for documentation such as the book you reference, namely 0x1d50:0x5200 through to 0x1d50:0x52ff. Distributions can safely suppress any device offering a Product ID within that range.

USBGuard: authorization for USB

Posted Nov 10, 2017 20:27 UTC (Fri) by juliank (subscriber, #45896) [Link]

In theory, yes. In practice, there are probably devices using them and people relying on them :)

USBGuard: authorization for USB

Posted Nov 12, 2017 2:19 UTC (Sun) by gdt (subscriber, #6284) [Link]

It's a relatively recent allocation. Your point is good and I'll send a patch to the udev people so we can nip that in the bud. The range is already blacklisted in another operating system.

USBGuard: authorization for USB

Posted Nov 12, 2017 2:15 UTC (Sun) by gdt (subscriber, #6284) [Link]

Perhaps a better example would be that we allow the class of items like Yubikeys but deny all other classes. So that only Yubikey-like objects can go into that slot (not ethernet/wifi dongles, keyboards, mice, storage, microphones, cameras, etc). That's a powerful denial, since even if an object fakes into the Yubikey-like class then it can only do Yubikey-like things, not unexpected things, as the drivers which support those unexpected classes won't be attached.

This article certainly encouraged me to install the software, to set most of the USB ports on the laptop only allow the storage class, and to set the USB-C port to only allow the classes I saw already plugged into that desktop expander. That's a modest but useful improvement in security for the trouble.

USBGuard: authorization for USB

Posted Nov 13, 2017 15:02 UTC (Mon) by nix (subscriber, #2304) [Link]

Unfortunately Yubikeys themselves register as, uh, keyboards. (That's quite a lot of the point of them.)

They do have authentication modes that involve direct USB communication (challenge-response, CCID, U2F etc) but if you're relying on OTP entry, then you'll need to add some extra authentication somewhere to ensure that the keystream coming from the thing that looks like a Yubikey is actually Yubikey-like (roughly, 'lowercase letters only' though honestly just excluding non-alphanumeric characters would suffice to stop an attacker masquerading as a Yubikey keyboard from doing anything too bad: it's hard to do anything malicious when you can't type return or tab or space or any punctuation).

USBGuard: authorization for USB

Posted Nov 13, 2017 16:21 UTC (Mon) by nybble41 (subscriber, #55106) [Link]

> it's hard to do anything malicious when you can't type return or tab or space or any punctuation

For what it's worth, a genuine Yubikey will type a return character at the end to submit the OTP. This is more of a convenience than an actual requirement, as long as you have a normal keyboard attached, but it would be a problem if the device was rejected as "non-genuine" just because it generated a non-alphanumeric character.

USBGuard: authorization for USB

Posted Nov 15, 2017 0:25 UTC (Wed) by nix (subscriber, #2304) [Link]

Oof. True! So you do need to allow return. I suppose you could require that the inputs be the right *length* as well (not just alphabetical but a 44-character-long alphabetical sequence terminated by return), which means that you'd only be at risk from a hostile device if the user being attacked has commands named things like "rmrmrmrmrmrmrmrmrmrmrmrmrmrmrmrmrmrmrmrmrmrm" that do dangerous things when run with no parameters :)

USBGuard: authorization for USB

Posted Nov 23, 2017 14:54 UTC (Thu) by itvirta (guest, #49997) [Link]

Well, yubikeys can also send tabs, variable length public ids, and arbitrary static passwords.
And they can be configured to not send that final <enter>.

USBGuard: authorization for USB

Posted Nov 23, 2017 20:43 UTC (Thu) by nix (subscriber, #2304) [Link]

Yeah, I was thinking specifically of OTP usage, but you're right, they can type in other stuff too, I just don't use those features so I forgot about them. :)

An open USB "firewall" is apparently available

Posted Nov 9, 2017 4:52 UTC (Thu) by bokr (subscriber, #58369) [Link]

http://hexus.net/tech/news/peripherals/103132-the-usg-don...

Presumably some fruit-pi device with OTG could be programmed to do something similar,
and maybe blink some red leds and provide a trace of attempted bad stuff for access
via ssh from either side, or third connection -- eth, wifi, bt ? -- there's a lot of connection
options in the fruit-pi world, it would seem.

I like the idea of having a physical device that I can trust between computer and usb device,
whichever side I am the owner of and want to protect.

An open USB "firewall" is apparently available

Posted Nov 11, 2017 18:26 UTC (Sat) by Herve5 (subscriber, #115399) [Link]

I suspect I am quite alone in my geographical area reading LWN, but just in case : if some neigbors in the French Maritime alps (06xx postal code here) wish to join I'd definitely share the shipping costs for a small series of these devices...
Potentially extendable to other areas with family/friends regularly, but not hurriedly visited : french cities of Toulouse and Paris.
I'll come back here in a couple of days to check ;-)
H.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds