tech-security archive


Re: How trustworthy is that I/O device?



On Nov 6, 2013, at 23:27 , Alan Barrett <apb%cequrux.com@localhost> wrote:

> I think that we should stop automatically accepting input from hot plugged 
> devices.  For example, if an additional keyboard is plugged in, then don't 
> automatically hook it up to the same wsmux as any other keyboard that is 
> already in use.  Devices that are already present at boot time might be more 
> trusted.

So just sometime past boot? There is an initialization (chicken/egg) issue: if 
you can't use an input device prior to authorization, but authorization 
requires input ...

There's an ancient daemon in pkgsrc: arpwatch - it keeps a database of seen MAC 
addresses on network interfaces, and reports (logs) new ones. Thus can a 
network administrator know when new devices are attached to his networks.

To the extent that various hot-plug devices have unique IDs (more than just 
device classifications, e.g. "mass storage", "HID", "audio"), there could be an 
authorized (or "seen this before and trust it") list, perhaps managed by a 
daemon. If a new device shows up and is not in the list, no I/O is permitted 
(well, maybe basic probe/ID) until authorized explicitly. Can also be "use 
once" or "trust forever" or ...

You could even do this with disk serial numbers, though it's a little 
self-referential (ouroboros) to do that with the boot disk which would have 
that list on it in the root FS (unless we insist on pulling it from some 
motherboard flash in those systems that have such)?

        Erik <fair%netbsd.org@localhost>
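As an added example (not part of Erik's mail, nor NetBSD code), here is a Python sketch of the seen-device policy described above: devices present at boot are trusted and learned, a hot-plugged device with an unknown unique ID is limited to probe/ID until explicitly authorized, and an authorization can be "use once" or "trust forever", with unknown devices reported once in the arpwatch style. The vendor/product/serial values, the "full" and "probe-only" outcomes and the class names are constructed assumptions, not any real driver interface.

```python
import logging
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

log = logging.getLogger("hotplugwatch")

@dataclass
class DeviceEvent:
    vendor: str
    product: str
    serial: Optional[str]   # None when the device exposes no unique ID
    dev_class: str          # e.g. "HID", "mass storage" (constructed labels)
    at_boot: bool = False   # already present when the system came up

    def key(self) -> Optional[str]:
        # Only a device with a unique serial gets an identity worth listing;
        # a bare class such as "HID" cannot be recognised next time.
        return f"{self.vendor}:{self.product}:{self.serial}" if self.serial else None

@dataclass
class HotplugPolicy:
    trusted: Dict[str, str] = field(default_factory=dict)  # key -> "forever" | "once"
    pending: Set[str] = field(default_factory=set)         # unknowns already reported

    def authorize(self, key: str, mode: str = "forever") -> None:
        # Explicit admin decision for a device that showed up unknown
        if mode not in ("forever", "once"):
            raise ValueError(mode)
        self.trusted[key] = mode
        self.pending.discard(key)

    def decide(self, ev: DeviceEvent) -> str:
        """Return 'full' (hook it up, e.g. into wsmux) or 'probe-only'."""
        key = ev.key()
        if ev.at_boot:                       # boot-time devices: trusted and learned
            if key is not None:
                self.trusted.setdefault(key, "forever")
            return "full"
        if key is None:
            log.warning("hot-plugged %s has no unique ID: probe only", ev.dev_class)
            return "probe-only"
        mode = self.trusted.get(key)
        if mode == "once":
            del self.trusted[key]            # a one-shot grant is consumed
        if mode is not None:
            return "full"
        if key not in self.pending:          # report each unknown device once
            self.pending.add(key)
            log.warning("new %s device %s awaiting authorization", ev.dev_class, key)
        return "probe-only"
```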


