Suppose that there is an USB controller assigned to an AppVM. Let's insert there a malicious device. I'd like to exclude some physical attacks like high voltage as they are neither Qubes-specific nor interesting (destroying a HW is not as interesting as pwning a device). What can the attacker do?
For Windows and all non-seamless systems, I suppose that attacker can perform pretty standard BadUSB attack.
For seamless systems (e.g. Qubes Debian/Fedora template), it seems that keyboard input comes into a tty. I was able to shut the system down using ctrl+alt+delete. I was, however, unable to log in the system as root (like I can do using virsh) and perform some commands like touch /tmp/i-am-here. Is such attack possible? If not, how is such attack mitigated?
My second consideration is about non-keyboard attacks deployed through USB. What else can attacker perform supposing I have a VM originating from an ITL template (provided that I haven't done any drastical modifications)? Maybe he can connect an USB network card and hijack all the network communication. This could have some implications on usbip-based USB-VMs. Is there anything more interesting?
Apparently, the attacker can't attack dom0 even if he shuts the AppVM down, as the USB controller is not automatically attached to dom0 after shutdown.
Reagrds,--
Vít Šesták 'v6ak'
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.
To post to this group, send email to qubes...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/68269b18-dced-4543-9972-744bf4935275%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Very cool, looking forward to seeing your solution. I have wondered about using https://github.com/dominicgs/USBProxy to only allow block devices connected to it firewall keyboard based input, faked hid and etc.. The idea is you setup a beagleboard with this software as your dedicated usb flash drive device that blocks anything but block access to data.
The active session is X session, not a standard tty. But if you switch
to a text console with something like Alt+Ctrl+F1, you'll probably be
able to login. Other than that, its possible to inject keystrokes into
active UsbVM window.
> My second consideration is about non-keyboard attacks deployed through USB.
> What else can attacker perform supposing I have a VM originating from an
> ITL template (provided that I haven't done any drastical modifications)?
> Maybe he can connect an USB network card and hijack all the network
> communication. This could have some implications on usbip-based USB-VMs. Is
> there anything more interesting?
If that UsbVm is also your NetVM, then probably yes - he/she can
probably sniff/hijack all the network connections. But if UsbVm is
separate (and even better - not connected to any netvm), then it
shouldn't be possible.
If you attach USB stick (as a block device) from such compromised UsbVM
to some other VM, it would be able to try attacks on filesystem metadata
parsing code. But the same applies to simply infected USB stick...
Are you inserting the malicious device, without knowing it is malicious, or is the attacker who has physical access to your machine?
I have been brewing a solution to BadUSB in my limited spare time for
most of this year. I am currently bench-testing the first prototype, and
hope to release a public beta in a few weeks when the bugs are squashed
and the docs are written.
It is an embedded system using two microprocessors to sanitise USB
transactions between host and device. A feature already present in the
firmware is the enforcement of some basic rules: A single feature per
device (no composite devices), and no run-time class changes after
enumeration. This will effectively prevent innocent-looking devices
surreptitiously inserting keystrokes, jacking network connections, etc.
The proxy device requires a power cycle before a device class change is
permitted - i.e. the user has to unplug it from their computer.
>> >
>> > Second, consider a slightly more social-engineering-based attack: You
>> > insert an USB stick to your computer and some BadUSB attack is performed in
>> > some invisible-enough way. You realize that the USB device does not work,
>> > Maybe you will try to reinsert the device, maybe to another port. But after
>> > the BadUSB attack is performed, the device would work like it is supposed
>> > to. I would bet that even most of the security experts would not consider
>> > this to be suspicious. And even if the user considered this to be
>> > suspicious, it is too late. This reminds me the joke about a man putting
>> > his bike to a place so that he can see anyone trying to steal his bike.
>> > Well, he saw someone.
Yes we rely on the user to always use the proxy device. A BadUSB may
refuse to work through the proxy, inviting the user to 'just try it
directly', in which case we cannot help :(
I wouldn't rely on the USBProxy to keep you safe. If a device can own
your linux box over USB, then it can also own your linux box after first
owning linux on the BeagleBoard.
So it might slow an attacker down but it won't stop them.
Anyone know if dom0 is utilizing grsecurity and if would be beneficial?