Help with materials for blocking some USB communication

manes

Hello,
I am currently working on a bachelor's thesis named "Access Controll for USB Bus". As the title says, I need to make software which will block some USB devices depending on user input (a specific type of USB device, for example all mice, or all devices from a specific vendor). Unfortunately, my supervisor works in the IT security sector but has no experience with USB devices in Linux.

So far, I have figured out that I probably can't do that by writing a device driver, and I found the Linux subsystem called "udev" with its daemon "udevd". udev, among other things, detects newly plugged-in devices and matches them with the correct driver. I need to stop udev before it matches a device with its driver and check the device first: if it is on the blacklist, block that device; if not, let it live its life.

The problem is that I have no idea how to do it, and I am having big problems finding any documents and materials that would help me. So I want to ask if there is anybody who could tell me more about how these things work, or at least recommend any documents which I should read. Anything would be helpful; I am kind of stuck at this point and need to move on with my thesis. Of course, I do not expect a solution, just a little help with which path I should take. Thank you in advance.
 


Well, I have already found out that udev rules exist, but I am afraid that I cannot use them, because that would generate too many rules, or my finished application would not be user-friendly. But that application on the GitHub repository and its documentation helped me a lot! I guess the library libudev is exactly what I need to use. Thank you very much!
 
udev rules exist, but I am afraid that I cannot use them, because that would generate too many rules

What makes you think that? udev rules can use complex patterns.

Access Controll for USB Bus

I might be wrong, but I think there is no such thing as a single USB bus. USB controllers on a system don't share a common bus. Each USB controller acts as a bus for the devices attached to it, but there is no cross-controller bus.
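As an added example (not from anyone in this thread), here is a POSIX shell helper that turns a small blacklist into the kind of rules the reply above has in mind, plus one rule for the "only keyboard and mouse" case. udev match keys accept `*` globs and `|` alternatives, and `!=` negates a pattern, so one rule per policy line is enough; the vendor/product IDs and class codes used as input are made up. Writing 0 to the `authorized` sysfs attribute of a usb_device or usb_interface node makes the kernel unbind that device's or interface's drivers; the interface-level attribute exists since Linux 4.4.

```shell
#!/bin/sh
# Added example: emit udev rules that deauthorize USB devices matching a
# blacklist. Example IDs/classes only; nothing here is from the thread.

# $1: space-separated "vvvv:pppp" pairs (hex). The product part may be "*",
#     so "1234:*" covers every product of vendor 0x1234.
# $2: space-separated USB interface class codes (hex, 2 digits), e.g. "08"
#     for mass storage, "e0" for wireless controllers.
gen_usb_blacklist_rules() {
    ids=$1
    classes=$2
    printf '# generated USB blacklist; install as /etc/udev/rules.d/99-usb-blacklist.rules\n'
    for id in $ids; do
        vid=${id%%:*}
        pid=${id#*:}
        # usb_device node: writing 0 to "authorized" unbinds every interface
        # driver of that device and leaves it unconfigured.
        printf 'ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", ATTR{authorized}="0"\n' "$vid" "$pid"
    done
    for cls in $classes; do
        # The class code lives on the usb_interface node; interface-level
        # "authorized" needs Linux 4.4 or newer.
        printf 'ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_interface", ATTR{bInterfaceClass}=="%s", ATTR{authorized}="0"\n' "$cls"
    done
}

# The "keyboard and mouse only" case as a single rule.
# $1: space-separated class codes that stay allowed; every other interface is
#     deauthorized. Keep 09 (hub) in the list, or a newly plugged hub takes
#     its downstream devices with it.
gen_usb_class_allowlist_rule() {
    pat=""
    for cls in $1; do
        pat="${pat:+$pat|}$cls"     # udev alternation, e.g. "03|09"
    done
    printf 'ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_interface", ATTR{bInterfaceClass}!="%s", ATTR{authorized}="0"\n' "$pat"
}

# Sample run: block one specific device, one whole vendor, all mass storage,
# and then everything that is not HID or a hub.
if [ "${1:-}" = "demo" ]; then
    gen_usb_blacklist_rules "1234:5678 abcd:*" "08"
    gen_usb_class_allowlist_rule "03 09"
fi
```

After installing a rules file, `udevadm control --reload` picks it up and `udevadm test /sys/bus/usb/devices/1-1` (substitute the real device path from `udevadm info -a -p ...`) shows which rules match without replugging anything. One caveat a practitioner should know: udev handles the add event asynchronously, after the kernel has already matched interface drivers, so a blacklist rule closes a device a short moment after it was opened. For a strict allowlist, setting `authorized_default` to 0 on the root hubs, so devices start out unauthorized and a rule or daemon has to opt them in, closes that window.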
 
What makes you think that? udev rules can use complex patterns.
I thought about cases like: a user is using only a mouse and keyboard with his computer and he wants to stay safe, so why not block all other devices? I did not find a way to write such a rule, but maybe I just did not dive deep enough into udev rules.

I might be wrong, but I think there is no such thing as a single USB bus. USB controllers on a system don't share a common bus. Each USB controller acts as a bus for the devices attached to it, but there is no cross-controller bus.
Well, I am also not sure about that. I think you are right, but you are thinking about the software layer. Maybe I am wrong, but I guess there has to be something like a bus for all communication in the computer, which connects all devices. Maybe my supervisor means that one.
 
Maybe I am wrong, but I guess there has to be something like a bus for all communication in the computer, which connects all devices. Maybe my supervisor means that one.

USB is a protocol, and of course all devices that are USB use this protocol. The most common bus across devices will be PCI. Most USB controllers are wired as PCI devices.
I only said that because I found the "Bus" redundant in your thesis title, and while I was thinking about it I realized that there is no such thing as a hardware bus bridging all USB devices.

Here is some random info you could use:
  • control device module loading (modprobe): you can prevent some devices from being used by preventing their module from being loaded
  • when it comes to USB devices, you can disable a whole class of USB devices by disabling the matching kernel module
  • you can tweak a generic "usb" module to add some filtering features, based on device ID for example
  • https://github.com/USBGuard/usbguard probably plenty of info here