Re: Malicious devices & vulnerabilties

[Alistair Crooks <agc () netbsd org>]

On Mon, Jan 09, 2012 at 03:48:20AM +0800, Eugene Teo wrote:
> On 01/08/2012 07:19 PM, Florian Weimer wrote:
> > * Xi Wang:
> >
> > > I am wondering where to draw the line.  Should such device drivers
> > > be considered vulnerable or not?  Thanks.
> >
> > I think they should be considered vulnerable.  Some applications need
> > some robustness to attacks even from the local console (e.g., student
> > computer rooms).
> >
> > USB is also a popular transport in many air-gapped environments.
>
> I would consider them vulnerable with low security impacts. If you are
> fixing such issues, do post them to the list.

One very interesting datapoint here is Antti Kantee's rump subsystem
in NetBSD

        http://www.netbsd.org/docs/rump/
        http://blog.netbsd.org/tnf/entry/runnable_userspace_meta_programs_in

which allows for userspace-mounting of devices and filesystems
thereon.  Unknown provenance USB sticks are one of the use cases
mentioned.

        + rump_msdos:  USB sticks with FAT file systems are a common
        sight.  Mounting an untrusted image from removable media with
        the file system driver running in the kernel is risky in many
        ways:  inopportune unplugging of the media or a corrupted file
        system may have adverse effects such as system crashes or
        worse.  By using the rump_msdos command instead of
        mount_msdos, the file system service runs in userspace and is
        accessed via puffs.  This isolates the main kernel from any
        resulting problems such as buffer overflows.

        The usage of mount_msdos and rump_msdos are equivalent...

If USB is a transport in air-gapped environments, I personally have a
concern with that. A good thing airgaps aren't used for anything in RL,
right? ;-)

Regards,
Alistair

PS. Obvious disclaimer - I am biased.
PPS. Just reading REAMDE right now
--
Alistair Crooks
{agc,security-officer}@NetBSD.org