1

As a software developer I frequently work with various USB-attached peripherals in the prototype stage and their drivers.

Sometimes the peripherals come from companies that I do not know well or otherwise can't trust 100%, so there's a residual risk that the peripheral device + its driver contain a malicious component. I am most concerned about industrial spying here.

Concretely I would like to protect the source code and other sensitive documents on the developer machine (to which I attach the peripheral and install the driver) from being read by malicious drivers / spyware and being transferred to %malicious_organization% over the internet.

Would a normal Antivirus / Windows Defender help me achieve this? The situation may be that the malicious driver has been custom-developed and hence may not be a well-known piece of spyware.

How can I best achieve my data protection goals?

rsp1984
  • 143
  • 3

2 Answers2

3

How to protect a PC against sensitive data access by malicious app/driver

A driver, by definition, is part of the operating system. As such, whenever someone is able to place a malicious driver, it gets access at a system level of privileges. That means it can access every single bit of memory your computer has.

You lost the game.

The only way to effectively counter this are air-gap security. Ie. place your machine in a room without any link to the outside (and that would include unintentional RF radiation, eg by rhythmically bursting a PCIe bus, or by actually RF transmitting malicious hardware), and monitor personally who accesses the computer.

I'd love to say something uplifting about not having the driver installed in the hypervising operating system, but in a lesser privileged VM – but the reality is that you probably want to use the device in the same context that you're developing in (otherwise, you'd simply not install the device in a sensitive environment, at all), so that basically simply doesn't help.

Note that the problem doesn't stop at the software level – if your hardware is a PCIe, CardBus, PCI, AGP, PCMCIA, ISA, PXI, PCI-X, FireWire, Thunderbolt, or one of many storage device classes (Floppy, IDE, probably a lot of Sata devices, M.2,), typical "tightly coupled" buses like HyperTransport, AHB then it might get DMA – and thus, exactly that, Direct Memory Access, without any chance of the Operating system, an antivirus software or even just the CPU to interfere. Usages of this mechanism to read out, and exfiltrate, the contents of a PC's complete RAM have been demonstrated numerous times.

You use the USB tag, but you don't explain it in your question – USB itself doesn't give the devices DMA capabilities, but many USB host chipsets and device drivers actually have bugs that allow USB devices to essentially get memory access. Note that this leaves the "malicious driver" domain, and enters the "buggy host-integrated hardware" and "buggy driver" domain – and everyone having ever read a piece of consumer windows driver will agree that this class of drivers is the dominant one.

All in all, installing malicious hardware in your machines is pretty much the "evil maid" scenario, only that you are the evil maid yourself.

Marcus Müller
  • 5,843
  • 2
  • 16
  • 27
  • I guess that means that installing *any* 3rd party driver on a system with sensitive information comes with a huge data leak risk, correct? Would there be the option to protect certain folders on disk from being accessed without explicit permission or would a software firewall help to restrict outgoing traffic? – rsp1984 Nov 25 '16 at 22:43
  • @rsp1984 no. As said: your driver has access to *everything*. The OS can't stop it, because it is *part* of the OS. – Marcus Müller Nov 26 '16 at 00:29
  • How do big companies close this huge security hole then? If installing a driver for a USB device can easily punch a hole through the data security of an entire company, I'm sure some people have thought about solutions for this problem, no? – rsp1984 Nov 26 '16 at 14:35
  • @rsp1984 Can't you simply take the explanations I give and believe them? In security-critical environments, computers are air-gapped (*as explained in my answer*). For hardware takeovers, there's no software solution (*as explained in my answer*). Now, as explained, USB itself doesn't offer DMA, and thus you either need buggy drivers for host-control hardware, buggy host USB controllers, or a possibility to install a malicious driver (*as explained in my answer*). – Marcus Müller Nov 26 '16 at 14:45
  • I believe you but my common sense tells me to dig into this a bit more. I've worked at big companies with big IP before and machines (containing a lot of critical source code) were not air-gapped and employees in R&D were not stopped from trying out new hardware on these machines. According to you my past employers (big tech firms) would have basically opened the gates to big data breaches. I'm wondering for example if there are other security mechanisms that one can use on a network to stop sensitive data from "leaving home". – rsp1984 Nov 26 '16 at 14:53
  • @rsp1984 no. I'm going to stop responding now. It's really really annoying to just constantly repeat what I've already written in my answer. *Just because big companies don't do something doesn't mean it's not the right thing to do from a security perspective – there's always a trade-off between security and usability. Be it computers or locks on doors.* – Marcus Müller Nov 26 '16 at 15:15
  • @rsp1984 and, in companies that actually need the security (read: defense, RF semiconductor research, Semiconductor contract manufacturing), machines *are* air-gapped. So just because the companies you know don't do it, doesn't mean that people taking security seriously don't do it. I mean, "not plugging in random USB gizmos" is not a *rare* or *abstruse* security guideline. – Marcus Müller Nov 26 '16 at 15:16
  • Sure man, never meant to offend you or anything. Just being curious and asking questions, even if they might sound stupid. Your answers have been helpful so far. Thanks & best of luck. – rsp1984 Nov 26 '16 at 15:20
-1

Just find a way to plug the device from certain USB 2.0 (usb type c has integrated thunderbolt) port into a VM. You can build your sw outside of VM and then transfer binaries into VM. If you wanna connect PCI/PCI-E/FireWire/Thunderbolt devices securely you need a CPU with IOMMU (Vt-d) and a hypervisor supporting it which will virtualize the memory for your devices protecting you from dma attacks. But beware physical attacks and VM escapes! The device can extract some info by just being near your PC or measuring potentials on a bus wires relatively to a stable chemical voltage source. Remember that the device can act as a memory or a transmitter. Your pc hardware can also be used as a transmitter, so you need isolation. No emissions from your hardware should leave secured area in a meaningful form. But we are getting overparanoid. Your company should have a security department which staff should trained to solve such problems. The measures depend ot threat model.

KOLANICH
  • 892
  • 6
  • 14