tech-security archive


Re: How trustworthy is that I/O device?

On Mon, 04 Nov 2013, Erik Fair wrote:
> ("Gee, it looked like a USB thumb drive; how was I to know it was actually a keyboard programmed to send "rm -rf /" to whatever it plugged into?").

Devices can also have delayed malicious behaviour. Think "looks like a thumb drive, behaves like a thumb drive, but after a delay it also attaches a keyboard and sends keystrokes."

There can also be devices that deliberately violate the protocol, in an attempt to tickle buffer overruns or other bugs in drivers. See <http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/> for a report of a puzzling incident, and <http://blog.erratasec.com/2013/10/badbios-features-explained.html> for possible explanations for the observed behaviour.

I think that we should stop automatically accepting input from hot plugged devices. For example, if an additional keyboard is plugged in, then don't automatically hook it up to the same wsmux as any other keyboard that is already in use. Devices that are already present at boot time might be more trusted.

> My model is not well-formed; I merely observe how OS kernel code trusts or doesn't trust the I/O devices it interacts with. I think we might want to rethink some of that interaction in light of the modern age of computing & networking, and the amount of hostile stuff going on. Some philosophizing about security models and tradeoffs with usability, with an eye towards being a bit more resistant to attacks from things people randomly plug into their computers.

There's also things that adversaries plug into computers.  You step away
from your laptop, and the screen lock password keeps people from doing
much with the keyboard or mouse, but what stops them from plugging in a
hostile USB or firewire or other device?

--apb (Alan Barrett)
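The policy Alan sketches above (trust what is present at boot, do not auto-attach a hot-plugged keyboard to the console wsmux, notice a "thumb drive" that later grows a keyboard interface, and authorize nothing while the screen is locked) can be simulated as a small decision engine over device enumeration events. The code below is an added example for this archive page, not code from the thread, from NetBSD, or from the wsmux driver. It assumes a constructed log format, constructed port names and vendor/product ids, and a hypothetical 5-second boot grace window; the USB interface class codes 0x03 (HID) and 0x08 (mass storage) are the standard values from the USB specification.

```python
"""Hot-plug device authorization policy, simulated over constructed events.

Added example; not NetBSD or wsmux code. The decisions correspond to:
  attach -> hook the device up (e.g. to the console wsmux)
  hold   -> keep it detached until an operator explicitly approves it
  deny   -> refuse it outright and log why
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Standard USB interface class codes (real values from the USB spec).
USB_CLASS_HID = 0x03           # keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08  # thumb drives


@dataclass
class Event:
    t: int                     # seconds since boot (constructed)
    port: str                  # physical port path (constructed)
    vid_pid: str               # vendor:product id (placeholder values)
    classes: FrozenSet[int]    # interface classes the device exposes now
    screen_locked: bool = False


@dataclass
class Decision:
    port: str
    action: str                # "attach", "hold" or "deny"
    reason: str


class HotplugPolicy:
    def __init__(self, boot_grace: int = 5):
        # Hypothetical window: anything enumerated this early is "present at boot".
        self.boot_grace = boot_grace
        # Per physical port, the union of interface classes seen so far.
        self.seen: Dict[str, FrozenSet[int]] = {}

    def evaluate(self, ev: Event) -> Decision:
        prior = self.seen.get(ev.port, frozenset())
        self.seen[ev.port] = prior | ev.classes

        # 1. Nothing new gets authorized while the console is locked.
        if ev.screen_locked:
            return Decision(ev.port, "deny", "screen locked")

        # 2. Delayed behaviour: a device already seen on this port (e.g. as
        #    storage) re-enumerates with an input interface it did not have.
        if prior and USB_CLASS_HID in ev.classes and USB_CLASS_HID not in prior:
            return Decision(ev.port, "deny",
                            "interface set changed after enumeration: HID appeared")

        # 3. Devices present at boot are trusted.
        if ev.t <= self.boot_grace:
            return Decision(ev.port, "attach", "present at boot")

        # 4. Hot-plugged input devices are not attached automatically.
        if USB_CLASS_HID in ev.classes:
            return Decision(ev.port, "hold",
                            "hot-plugged input device needs operator approval")

        return Decision(ev.port, "attach", "hot-plugged non-input device")


def parse_line(line: str) -> Event:
    """Parse one constructed 'key=value ...' enumeration record."""
    fields = dict(f.split("=", 1) for f in line.split())
    classes = frozenset(int(c, 16) for c in fields["class"].split(","))
    return Event(int(fields["t"]), fields["port"], fields["id"], classes,
                 fields.get("locked", "0") == "1")


# Constructed sample log: a boot-time keyboard, a thumb drive that later adds
# a keyboard interface, a hot-plugged keyboard, and a plug-in while locked.
SAMPLE_LOG = """\
t=0 port=usb1/1-1 id=aaaa:0001 class=03
t=120 port=usb1/1-2 id=aaaa:0002 class=08
t=131 port=usb1/1-2 id=aaaa:0002 class=08,03
t=200 port=usb1/1-3 id=aaaa:0003 class=03
t=300 port=usb1/1-4 id=aaaa:0004 class=08 locked=1
"""


def run(log: str = SAMPLE_LOG) -> List[Decision]:
    policy = HotplugPolicy()
    return [policy.evaluate(parse_line(l)) for l in log.splitlines() if l.strip()]


if __name__ == "__main__":
    for d in run():
        print(f"{d.port}: {d.action:6} ({d.reason})")
```

The check in step 2 keys on the physical port rather than on the vendor/product id, since a hostile device can present any id it likes; what it cannot easily hide is that the set of interfaces on that port changed after the operator had already seen it as storage.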

