2 Technical Details for the Curious

Jeff Moe edited this page 3 years ago

Fork Sand fork

Fork Sand fork cloned from:

• https://github.com/robertfisk/USG/wiki

Upstream Wiki

The USG contains two STM32F4 microprocessors communicating over a high-speed serial link. This internal link forms a firewall barrier that effectively blocks malicious USB commands from reaching your computer.

Why is USB insecure?

Your computer automatically trusts every device you plug into it. But every USB device is actually a small embedded computer (microprocessor) that runs software you cannot control. There are three ways a BadUSB device can attack your computer:

Type 1 Attacks: USB Driver Exploits

USB driver exploits work by sending malformed or unexpected input to your computer's USB drivers. Your computer likely has hundreds of USB device drivers installed, and a programming error in any one of them leaves you exposed.

How the USG protects you: The USG blocks these attacks by passing data through an internal serial link with a very simple protocol. Only a limited number of safe commands are accepted by the receiving microprocessor, so no malformed or unexpected data is transmitted to your computer. This effectively blocks USB driver exploits.

Type 2 Attacks: Hidden Evil Functionality

What appears to be a single USB device can actually contain more than one function. The hidden function can perform any action allowed by the USB standard, including executing system commands or intercepting network traffic. Only 100% legitimate USB commands are used, so you can't defend against this by fixing driver bugs. But the USG, being a hardware device, can enforce rules designed to block hidden USB functionality:

• Only one device attached at a time: By supporting only one attached device, we eliminate attacks that use a hidden device to perform unexpected actions.

• No run-time device class changes: Once a USB device is enumerated through the USG, it cannot re-enumerate itself as a different device class until power is removed and reapplied to the USG. This stops attacks where a device unexpectedly changes its functionality to perform malicious actions.

Type 3 Attacks: Evil Functionality in Plain Sight

Type 3 attacks are where the attached device abuses its position of trust even while performing the function you want. This attack involves no malformed or unusual commands, so it is the most difficult to defend against. For example, a malicious keyboard may enter commands to install malware while you are away from the computer. Or a malicious flash drive may insert viruses on-the-fly as they are read by the host computer.

How the USG protects you: USG firmware version r04 includes an HID 'bot detect' feature that monitors attached keyboards and mice for malicious input. If the input looks too much like a bot (insufficiently random) then the USG will temporarily lock for 4 seconds and you will see a red LED double-flash every second. Repeated bot detection will cause a permanent lock.

Protection against a type 3 malicious flash drive can be achieved by encrypting the user's data on-the-fly before it reaches the flash drive. This feature may be added to a future version of the USG's firmware.

FAQ

Which version of USB is used?

USB version 1

Can a USB2 / USB3 flash drive be used with this (at USB 1.0 speeds)?

Every device I tested has worked, although I did receive reports of one USB3 flash drive and one USB3 motherboard that didn't. So I estimate that 95% of USB3 devices are compatible.

How exactly does the "firewall" protects against malware like BadUSB?

The firewall operates on a limited whitelist of known-safe commands. This eliminates all the techniques malicious USB firmware could use to exploit your operating system - buffer overflows, malformed device descriptors, packets out of sequence, etc. This interface is vastly simpler than USB, and therefore checking for unexpected input is actually possible. Each packet received on the SPI interface needs to pass a series of checks based on the firewall's current state, expected command and reply sequence, and expected packet length. Any mismatch on the received data will trigger the various FREAKOUT macros, which immediately halt all traffic and flash an error LED.

One place to start would be reading the firewall's header files defining commands and packet structure below. Each packet contains a command class (interface commands, mass storage commands, etc) and a command (read, write, etc). The downstream side has identical corresponding definitions:

• SPI packet defines
• command class & command defines

Since the firmware is writable, is there not a danger that the USG device itself might become infected by malware (just like any other USB device)?

The firmware is stored in writable memory. And yes either side of the firewall could be exploited. However this is actually expected behavior, as the internal isolation barrier prevents an infection from propagating to the other side.

To prevent malware persistence, when the USG starts up it uses a hardware write-lock feature to disable writes to flash memory effective until the next restart. Theoretically this prevents exploited USB code from persisting between restarts, although the hardware write lock may be bypassable with an unknown exploit. Therefore I consider the write-lock feature slightly less reliable than the firewall's primary feature of isolation between upstream and downstream.

Table of Contents

• Fork Sand fork
• Upstream Wiki
• Why is USB insecure?
• Type 1 Attacks: USB Driver Exploits
• Type 2 Attacks: Hidden Evil Functionality
• Type 3 Attacks: Evil Functionality in Plain Sight
• FAQ
• Which version of USB is used?
• Can a USB2 / USB3 flash drive be used with this (at USB 1.0 speeds)?
• How exactly does the "firewall" protects against malware like BadUSB?
• Since the firmware is writable, is there not a danger that the USG device itself might become infected by malware (just like any other USB device)?