/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhancement: input proxy and Qubes policy argument #2783

Open
Rudd-O opened this Issue Apr 29, 2017 · 7 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  Far in the future
4 participants
@Rudd-O @marmarek @andrewdavidwong @jpouellet
@Rudd-O

Rudd-O commented Apr 29, 2017

It would be ideal if the USB ID of the device was used to form an RPC argument that the USB qube can send to dom0, when connecting a device.

That way, we can have a policy per device. Say someone connects a wiggler or a foreign keyboard — if that happens, then the default deny policy is triggered and, bam, no device appears in dom0.

Thanks!

@Rudd-O Rudd-O changed the title from Enhancement: input proxy and Qubes policy to Enhancement: input proxy and Qubes policy argument Apr 29, 2017

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Apr 29, 2017

Member

Any kind of USB ID could be easily spoofed by both USB device and USB VM. We can't do much about USB device. Lets thing about USB VM - we have two cases:

  1. USB VM being compromised - in this case, adding USB ID to RPC argument doesn't add much - it's about USB VM asking dom0 "please, deny/allow this call", which in case of compromised USB VM would always choose "allow" (and pass "correct" USB ID, for example extracted from logs).
  2. USB VM not being compromised - in this is also asking dom0 "please, deny/allow this call", but if USB VM is not compromised, it can do all of it itself and not even trigger qrexec call at all.

So, implementing this is mostly where to put configuration (qrexec policy in dom0 vs some config in USB VM). And in fact IMO putting it into USB VM could have additional benefit - do not even load drivers for "unwanted" devices, reducing attack surface of USB VM from thousands of USB drivers, to just few of them. There are already few implementations of it: https://dkopecek.github.io/usbguard/blog/2015/USBGuard-vs-UDev.
Member

marmarek commented Apr 29, 2017

Any kind of USB ID could be easily spoofed by both USB device and USB VM. We can't do much about USB device. Lets thing about USB VM - we have two cases:

  1. USB VM being compromised - in this case, adding USB ID to RPC argument doesn't add much - it's about USB VM asking dom0 "please, deny/allow this call", which in case of compromised USB VM would always choose "allow" (and pass "correct" USB ID, for example extracted from logs).
  2. USB VM not being compromised - in this is also asking dom0 "please, deny/allow this call", but if USB VM is not compromised, it can do all of it itself and not even trigger qrexec call at all.

So, implementing this is mostly where to put configuration (qrexec policy in dom0 vs some config in USB VM). And in fact IMO putting it into USB VM could have additional benefit - do not even load drivers for "unwanted" devices, reducing attack surface of USB VM from thousands of USB drivers, to just few of them. There are already few implementations of it: https://dkopecek.github.io/usbguard/blog/2015/USBGuard-vs-UDev.
@andrewdavidwong

This comment has been minimized.

Show comment
Hide comment
@andrewdavidwong

andrewdavidwong Apr 30, 2017

Member

So, implementing this is mostly where to put configuration (qrexec policy in dom0 vs some config in USB VM). And in fact IMO putting it into USB VM could have additional benefit - do not even load drivers for "unwanted" devices, reducing attack surface of USB VM from thousands of USB drivers, to just few of them. There are already few implementations of it: https://dkopecek.github.io/usbguard/blog/2015/USBGuard-vs-UDev.

Does this mean that we do want to keep this issue open in order that this might get implemented at the USB VM level, or do we want to close this because it's beyond the scope of Qubes to implement such a thing at the USB VM level?
Member

andrewdavidwong commented Apr 30, 2017

So, implementing this is mostly where to put configuration (qrexec policy in dom0 vs some config in USB VM). And in fact IMO putting it into USB VM could have additional benefit - do not even load drivers for "unwanted" devices, reducing attack surface of USB VM from thousands of USB drivers, to just few of them. There are already few implementations of it: https://dkopecek.github.io/usbguard/blog/2015/USBGuard-vs-UDev.

Does this mean that we do want to keep this issue open in order that this might get implemented at the USB VM level, or do we want to close this because it's beyond the scope of Qubes to implement such a thing at the USB VM level?
@Rudd-O

This comment has been minimized.

Show comment
Hide comment
@Rudd-O

Rudd-O Apr 30, 2017

Let's chat about case (2) a bit more in depth.

Let's suppose the VM is not compromised.

If it is not, then allowing me (the user) to say Yes to all to a specific mouse or keyboard, while blanket denying all other devices, is already a very useful feature.

I agree that, if the VM is compromised, this feature very much obviously does not help.

But it adds to the usability of the common use case (when the VM is not compromised).

I agree, however, that the feature could also be implemented directly in the input proxy of the USB VM, as filter for devices we want to plug into dom0. It's just that, frankly, it seems far simpler and more straightforward to leverage the argument in the RPC call.

Rudd-O commented Apr 30, 2017

Let's chat about case (2) a bit more in depth.

Let's suppose the VM is not compromised.

If it is not, then allowing me (the user) to say Yes to all to a specific mouse or keyboard, while blanket denying all other devices, is already a very useful feature.

I agree that, if the VM is compromised, this feature very much obviously does not help.

But it adds to the usability of the common use case (when the VM is not compromised).

I agree, however, that the feature could also be implemented directly in the input proxy of the USB VM, as filter for devices we want to plug into dom0. It's just that, frankly, it seems far simpler and more straightforward to leverage the argument in the RPC call.

@marmarek marmarek referenced this issue May 15, 2017

Closed

USB keyboard media keys only work when connected directly to dom0, not when used through USB qube #2781

@jpouellet

This comment has been minimized.

Show comment
Hide comment
@jpouellet

jpouellet May 26, 2017

Contributor

Considering the case of someone with internal keyboard attached via USB, where sys-usb is not compromised and you only want to whitelist input-proxy to only the internal keyboard, then depending on what we choose to use as the device identifier argument an attacker wishing to get keyboard access to dom0 may be forced to correctly guess some fields (many of which are unique per device) which together amount to enough bits to be improbable unless it's a targeted attack and you've posted verbose dmesgs online or such.

Furthermore, if you leave the policy as "allow" for your internal one and "ask" for others, you would know something's wrong well before an attacker would be able to brute-force the correct ID.
Contributor

jpouellet commented May 26, 2017
edited
Edited 1 time
  • @jpouellet jpouellet edited May 26, 2017 (most recent)

Considering the case of someone with internal keyboard attached via USB, where sys-usb is not compromised and you only want to whitelist input-proxy to only the internal keyboard, then depending on what we choose to use as the device identifier argument an attacker wishing to get keyboard access to dom0 may be forced to correctly guess some fields (many of which are unique per device) which together amount to enough bits to be improbable unless it's a targeted attack and you've posted verbose dmesgs online or such.

Furthermore, if you leave the policy as "allow" for your internal one and "ask" for others, you would know something's wrong well before an attacker would be able to brute-force the correct ID.
@jpouellet

This comment has been minimized.

Show comment
Hide comment
@jpouellet

jpouellet May 26, 2017

Contributor

Yes, I agree it's obviously not perfect, but when your hardware forces the alternative to be putting your whole usb controller in dom0, or using the input proxy without trying to authenticate the particular keyboard at all... well... I'd prefer this.

@marmarek makes a very good point about wanting to reduce the number of USB drivers loadable on demand in sys-usb by someone fuzzing your external port or something, but I see that as an orthogonal issue.
Contributor

jpouellet commented May 26, 2017
edited
Edited 1 time
  • @jpouellet jpouellet edited May 26, 2017 (most recent)

Yes, I agree it's obviously not perfect, but when your hardware forces the alternative to be putting your whole usb controller in dom0, or using the input proxy without trying to authenticate the particular keyboard at all... well... I'd prefer this.

@marmarek makes a very good point about wanting to reduce the number of USB drivers loadable on demand in sys-usb by someone fuzzing your external port or something, but I see that as an orthogonal issue.
@Rudd-O

This comment has been minimized.

Show comment
Hide comment
@Rudd-O

Rudd-O May 26, 2017

Rudd-O commented May 26, 2017

@andrewdavidwong andrewdavidwong added C: core enhancement help wanted labels Dec 16, 2017

@andrewdavidwong andrewdavidwong added this to the Far in the future milestone Dec 16, 2017

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Apr 2, 2018

Member

This turned out to be slightly less straightforward, because input device do not need to be a USB device (so USB ID doesn't apply there). But there is "PRODUCT" property of input device, which have similar content - bus identifier + bus-specific identifier. In case of USB, it is vendor + product id.
Member

marmarek commented Apr 2, 2018

This turned out to be slightly less straightforward, because input device do not need to be a USB device (so USB ID doesn't apply there). But there is "PRODUCT" property of input device, which have similar content - bus identifier + bus-specific identifier. In case of USB, it is vendor + product id.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment