Adding a monitor option to hardware APIs (e.g. for webUSB)
110 views
Skip to first unread message
Abdullah Buhadod
Jul 22, 2022, 8:20:09 AM7/22/22
to Chrome DevTools
Dear Chrome DevTools team,
We would like to propose a feature to monitor webUSB traffic as part of the developer tools.
Motivation:
Chromium browsers lack tooling to analyse hardware APIs traffic (e.g. Bluetooth, HID, serial, etc). Currently, to analyse these APIs and inspect their traffic, testers and developers need for instance to use Wireshark to sniff USB traffic and/or a physical Bluetooth sniffer. Additionally, macOS requires disabling OS security feature for USB debugging at a system level. Overall these tools are limited.: they only show the traffic "on the wire" (not per-origin as chromium implemented) and may e.g. require additional configuration to decrypt transmitted data and importantly cannot show the origin URI for each request.
Summary:
We would like to propose a feature that helps inspecting webUSB secuity issues in the future. Our idea is to add a debug tab (part of the F12 developer tools) to log webUSB traffic into the developer console (e.g. showing messages which host is behind a packet and to which device it was sent). Information to be displayed could include: device name, device ID, claimed interface, connected hosts that are authorised to use the device(s), and messages sent from/to devices and hosts. Addtionaly, it might support Chrome's developers and the webUSB project [1] in developing new and debugging existing hardware APIs. The implmentation and the security policy of such a feature can follow the same approach as the network tab from developer option.
Risks:
From a security and privacy perspective, it is possible to show the traffic only if the developer console is open (like the network tab functionality). Also, there should be no issues regarding secret messages or keyloggers, because webUSB cannot access input devices (e.g. keyboard and mouse) [2].
For implementation, we could help and cooperate with the Google developers.
References:
[1] https://github.com/WICG/webusb
[2] https://groups.google.com/a/chromium.org/g/blink-dev/c/LZXocaeCwDw/m/GLfAffGLAAAJ
We would like to propose a feature to monitor webUSB traffic as part of the developer tools.
Motivation:
Chromium browsers lack tooling to analyse hardware APIs traffic (e.g. Bluetooth, HID, serial, etc). Currently, to analyse these APIs and inspect their traffic, testers and developers need for instance to use Wireshark to sniff USB traffic and/or a physical Bluetooth sniffer. Additionally, macOS requires disabling OS security feature for USB debugging at a system level. Overall these tools are limited.: they only show the traffic "on the wire" (not per-origin as chromium implemented) and may e.g. require additional configuration to decrypt transmitted data and importantly cannot show the origin URI for each request.
Summary:
We would like to propose a feature that helps inspecting webUSB secuity issues in the future. Our idea is to add a debug tab (part of the F12 developer tools) to log webUSB traffic into the developer console (e.g. showing messages which host is behind a packet and to which device it was sent). Information to be displayed could include: device name, device ID, claimed interface, connected hosts that are authorised to use the device(s), and messages sent from/to devices and hosts. Addtionaly, it might support Chrome's developers and the webUSB project [1] in developing new and debugging existing hardware APIs. The implmentation and the security policy of such a feature can follow the same approach as the network tab from developer option.
Risks:
From a security and privacy perspective, it is possible to show the traffic only if the developer console is open (like the network tab functionality). Also, there should be no issues regarding secret messages or keyloggers, because webUSB cannot access input devices (e.g. keyboard and mouse) [2].
For implementation, we could help and cooperate with the Google developers.
References:
[1] https://github.com/WICG/webusb
[2] https://groups.google.com/a/chromium.org/g/blink-dev/c/LZXocaeCwDw/m/GLfAffGLAAAJ
Regards,
Abdulla Aldoseri (University of Birmingham)
David Oswald (University of Birmingham)
Reilly Grant (Google Chrome)
Abdulla Aldoseri (University of Birmingham)
David Oswald (University of Birmingham)
Reilly Grant (Google Chrome)
Yang Guo
Jul 22, 2022, 8:35:12 AM7/22/22
to google-chrome-...@googlegroups.com
Hi,
Thanks for your proposal. Could you please verify whether chrome://usb-internals/ already solves your use case?
Best Regards,
Yang
--
You received this message because you are subscribed to the Google Groups "Chrome DevTools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-chrome-develo...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-chrome-developer-tools/64637e43-fd14-4bd8-b999-2c78f933367dn%40googlegroups.com.
Message has been deleted
Abdullah Aldoseri
Aug 2, 2022, 1:11:55 PM8/2/22
to google-chrome-...@googlegroups.com, yan...@chromium.org, Reilly Grant, d.f.o...@bham.ac.uk
Hi,
Thank you for your reply. Unfortunately it does not.
chrome://usb-internals/
shows the connected devices per domains and their access permissions only without
any information about the sent/received traffic.
Regards,
Abdulla Aldoseri
You received this message because you are subscribed to a topic in the Google Groups "Chrome DevTools" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-chrome-developer-tools/FhaYMeyckv0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-chrome-develo...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-chrome-developer-tools/CAFSTc_ion6msA1aLCyvMRQ518rdJvfLTqax4PDRBMeDCQEC%2Bqw%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages