Tool and framework for securely reading untrusted USB mass storage devices.

Overview

usbsas is a free and open source (GPLv3) tool and framework for securely reading untrusted USB mass storage devices.

Description

Following the concept of defense in depth and the principle of least privilege, usbsas's goal is to reduce the attack surface of the USB stack. To achieve this, most of the USB related tasks (parsing USB packets, SCSI commands, file systems etc.) usually executed in (privileged) kernel space has been moved to user space and separated in different processes (microkernel style), each being executed in its own restricted secure computing mode.

The main purpose of this project is to be deployed as a kiosk / sheep dip station to securely transfer files from an untrusted USB device to a trusted one.

It works on GNU/Linux and is written in Rust.

Features

usbsas can:

  • read files from an untrusted USB device (without using kernel modules like uas, usb_storage and the file system ones). Supported file systems are FAT, exFat, ext4, NTFS and ISO9660
  • analyze files with a remote antivirus
  • copy files on a new file system to a trusted USB device. Supported file systems are FAT, exFAT and NTFS
  • upload files to a remote server
  • make an image of a USB device
  • wipe a USB device

Applications

Applications built on top of usbsas:

  • Web client / server: This is the main application of usbsas, for deploying a secure USB to USB file transfer kiosk.
  • Fuse implementation: mount USB devices (read-only) with usbsas.
  • Python: usbsas can also be used with Python, a script that copies everything from a device to another is given as example.

Documentation

Contributing

Any contribution is welcome, be it code, bug report, packaging, documentation or translation.

License

Dependencies included in this project:

  • ntfs3g is GPLv2 (see ntfs3g/src/ntfs-3g/COPYING).
  • FatFs has a custom BSD-style license (see ff/src/ff/LICENSE.txt)
  • fontawesome is CC BY 4.0 (icons), SIL OFL 1.1 (fonts) and MIT (code) (see client/web/static/fontawesome/LICENSE.txt)
  • bootstrap is MIT (see client/web/static/bs/LICENSE)
  • Lato font is SIL OFL 1.1 (see client/web/static/fonts/LICENSE.txt)

usbsas is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

usbsas is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with usbsas. If not, see the gnu.org web site.

Comments
  • Setting up network transfert

    Setting up network transfert

    Hello, what is the config file to set up the network transfer of files, I saw in usbsas-net/src/uploader.rs some reference to http but I would like to know if it is possible to use sftp for the transfer (if yes, I can try to do the modification myself if you tell me where to do them, my first suggestion can be to set up a directory on the machine that is syncronized with the sftp server and use the local transfer to this directory)

    opened by Nabil-renault 9
  • Error while transfering files

    Error while transfering files

    Hello, when I try to transfer a file to the local storage, the process stops before reaching 100% with the message : “Run error: io error: execution error: Cmd failed”.

    Where does it come from and do you have an idea on how to fix that?

    opened by Nabil-renault 8
  • Cancel/next button positioning

    Cancel/next button positioning

    At the beginning, the first page tells us to insert the Source USB device, 20230620_161928

    once inserted, this message disappears and it tells us to insert the Destination USB device. The problem is that this message does not disappear and in French it is (I think) above the buttons which are therefore not clickable. 20230620_162131

    Then once the selection of files to transfer has been made, if you are in a directory with several files or sub-directories (side navigation bar present) the "cancel" and "start copying" buttons do not appear or are too low (in French and in English). 20230620_162322

    To overcome the problem, I go to the system directory of the key which contains only two files and there I can access the buttons. 20230620_162338

    Sorry for my english which is not perfect

    opened by Olivier-Odace 6
  • Problème à l'installation

    Problème à l'installation

    Bonjour,

    je rencontre un problème à l'installation avec ClamAv: Compiling clamav-rs v0.5.5 (https://github.com/losynix/clamav-rs?branch=c_cha r_i8#e80c4a0e) error[E0308]: mismatched types --> /root/.cargo/git/checkouts/clamav-rs-8b0568cf506f30f8/e80c4a0/src/error.r s:23:47 | 23 | let ptr = clamav_sys::cl_strerror(self.code); | ----------------------- ^^^^^^^^^ expected cl_error _t, found i32 | | | arguments to this function are incorrect | note: function defined here --> /home/olivier/usbsas/target/release/build/clamav-sys-b15cf930fc94104f/out /bindings.rs:305:12 | 305 | pub fn cl_strerror(clerror: cl_error_t) -> *const ::std::os::raw::c... | ^^^^^^^^^^^

    For more information about this error, try rustc --explain E0308. error: could not compile clamav-rs (lib) due to previous error warning: build failed, waiting for other jobs to finish...

    Il y'a t-il quelque chose a faire?

    Cordialement,

    opened by Olivier-Odace 6
  • USB to disk no clamv ?

    USB to disk no clamv ?

    I've been testing the solution for several weeks now, and I've noticed something about clamav's antivirus scanning. When I perform a USB to USB scan, clamav intervenes before depositing the file(s) on the target USB key. In the case of a USB to hard disk scan, there is no verification.

    I've searched the documentation as well as inspecting the toml configuration files, and I haven't seen anything that explicitly shows how to activate the same functionality that is used with USB to USB.

    Is this a deliberate choice on the part of the solution? Is it possible to activate this feature? If so, how? Could this be a bug in the way I've compiled the solution ?

    I'd also like to ask if it's possible to have "servers" that only scan and "clients" that send their data to these same servers to validate the status of the files scanned by the clients. It seems to me that this is possible :

    [analyzer] url = "http://127.0.0.1:8042/api/scanbundle"

    According to the documentation and in the configuration files, by changing the local IP to private or public

    Thanks in advance for your answers 😀️

    enhancement 
    opened by Etupia 4
  • Read It Twice! A mass-storage-based TOCTTOU attack

    Read It Twice! A mass-storage-based TOCTTOU attack

    Hi everyone,

    I loved your presentation during SSTIC 2022!

    Would you mind sharing the procedure to create a USB drive for exploit the mass-storage-based TOCTTOU attack? I read carefully the article 'Read It Twice! A mass-storage-based TOCTTOU attack' and slides from Collin Mulliner and Benjamin Michéle without finding anything relevant for that.

    My main goal is to do a demo to my colleague and making awareness inside my company about USB attacks. If you can't or don't want to provide such details publicly, I'll be happy to continue discussion on Twitter.

    Also, did you implented a way to protect against

    • Such attack on your physical kiosk?
    • USB Killer devices?

    Regards, WikiJM

    question 
    opened by wikijm 4
  • post_copy don't work

    post_copy don't work

    Hi, If I configure POST_COPY, the client no longer loads. (looping wait animation).

    [post_copy] description = "Archive transfer" command_bin = "/bin/cp" command_args = [ "%SOURCE_FILE%" "/home/olivier/USBSAS/BCKP/" ]

    Do I need to configure anything else?

    opened by ALDOlivier31 3
  • build(deps): bump ntfs from 0.3.1 to 0.4.0

    build(deps): bump ntfs from 0.3.1 to 0.4.0

    Bumps ntfs from 0.3.1 to 0.4.0.

    Changelog

    Sourced from ntfs's changelog.

    [0.4.0] - 2023-06-13

    Added

    • Added Display implementation for all flags structures

    Changed

    • Replaced NtfsString by U16StrLe from my new nt-string crate
    • Replaced abandoned binread dependency by its binrw successor crate
    • Upgraded bitflags dependency to 2.3.1 (#28)
      Note that this changes the output of the Debug implementation of the flags structures. If you need something similar to the previous output, use the new Display implementation instead.
    • Upgraded memoffset dependency to 0.9.0 (#28)

    Fixed

    • Fixed broken intra-doc link to NtfsIndexRoot
    Commits
    • 3110caf Bump version to 0.4.0 and add changes to CHANGELOG.md
    • 0a97c2c Fix broken intra-doc link.
    • 206a369 Group use clauses consistently within the entire crate.
    • 509b1d6 Replace abandoned binread dependency by its binrw successor crate.
    • a490444 Merge pull request #28 from poliorcetics/dep-update
    • 38ac006 Merge branch 'master' into dep-update
    • 578c531 Implement suggested traits and use Display over Debug in ntfs-shell.
    • ea4b054 Replace NtfsString by U16StrLe from my nt-string crate.
    • 36a845d deps: Update bitflags and memoffset
    • 8537120 Revert 6f08b0c17210b9fd26cef532cc94baf5dc42da6c and disable the clippy warnin...
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 2
  • Adding a report file

    Adding a report file

    Is it possible to add at the end of the transfer a report file that induces the list of transferred files, as well as the antivirus used with the update date of the virus list?

    enhancement 
    opened by ALDOlivier31 2
  • build(deps): bump positioned-io from 0.2.2 to 0.3.0

    build(deps): bump positioned-io from 0.2.2 to 0.3.0

    Bumps positioned-io from 0.2.2 to 0.3.0.

    Changelog

    Sourced from positioned-io's changelog.

    [0.3.0] - 2018-09-12

    • Renamed {Read,Write}BytesExt to {Read,Write}BytesAtExt to avoid overlap with byteorder.
    • {Read,Write}Int and {Read,Write}IntAt are now inherent methods of ByteIo.
    • Removed Deref and DerefMut implementations for ByteIo. Use ByteIo::get_ref() and ByteIo::get_mut() instead.
    • Removed Deref and DerefMut for SizeCursor. Cursor methods are now also implemented on SizeCursor. Use SizeCursor::as_cursor() or SizeCursor::as_cursor_mut() to borrow the underlying Cursor.
    • Fixed WriteAt for File on Windows: Writes were not working at all.
    • Fixed ReadAt for File on Windows: Positioned reads were moving the file cursor. The new implementation is much slower but no londer modifies the read position.
    • Various methods are now inlinable across crate boundaries.
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 2
  • build(deps): bump udev from `26955cd` to `68c1fe3`

    build(deps): bump udev from `26955cd` to `68c1fe3`

    Bumps udev from 26955cd to 68c1fe3.

    Commits

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Hid Problem

    Hid Problem

    Hello, I have a few hid problems with the latest version of usbsas (kiosk installation on a debian 12 no desktop env.) :

    • When I boot the machine I first get a debian login screen (where I can't write anything hopefully) and it stays a few seconds before we can see the usbsas interface.
    • In the usbsas interface I have an issue with the mouse, such as when I stop moving the mouse even for a a very short time, the mouse goes back to the center of the screen which is problematic as it make difficult to click on button because we usually stop the mouse over them. Sometimes the issue is completely blocking the use of the mouse and unplugging and plugging the mouse again reduce the intensity of the bug but whithout fixing it.
    opened by Nabil-renault 4
  • Problème avec certains périphériques

    Problème avec certains périphériques

    Bonjour,

    Lorsque config.toml est paramétré de manière à déterminer un port USB source et un port USB de destination afin de permettre le transfert de données, un problème a été identifié avec certains périphériques. En effet, le périphérique de destination n’est pas monté dans certains cas comme lors de l’usage des périphériques ayant comme descripteur les information ci-dessous. Support 1 : idVendor 0x090c Silicon Motion, Inc. - Taiwan (formerly Feiya Technology Corp.) idProduct 0x1000 Flash Drive bcdDevice 11.00 iManufacturer 1 USB iProduct 2 Flash Disk iSerial 3 U16-C220313 Support 2 : idVendor 0x090c Silicon Motion, Inc. - Taiwan (formerly Feiya Technology Corp.) idProduct 0x1000 Flash Drive bcdDevice 11.00 iManufacturer 1 USB iProduct 2 Flash Disk iSerial 3 U16-C220303

    Par contre, lorsque config.toml n’est pas paramétré de manière à bloquer la source et la destination, les deux périphériques montent sans problème.

    opened by LJ1root 3
  • affichage écran fichier malveillant

    affichage écran fichier malveillant

    Bonjour,

    Dans le cadre de tests réalisés depuis la version 0.1.5, le kiosque ne fait pas toujours de retour à l’écran lors d’une détection de fichiers malveillants. Il réalise ce retour uniquement lorsqu’il y a un unique fichier malveillant candidat au transfert. À noter, l’analyse est effectuée par une solution indépendante (service déporté), ce comportement est également observé si utilisation de l’analyzer-server fourni de base. Voici les deux cas testés et largement reproductibles :

    • 1er cas : À partir d’une source contenant plusieurs fichiers à analyser, dont Eicar, le transfert est réalisé vers le support de sortie sans aucun retour à l’écran. Néanmoins, Eicar n’est pas transféré et est bien indiqué comme DIRTY dans le JSON du rapport.
    • 2nd cas : À partir d’une source contenant juste Eicar, l’analyse s’arrête avec un retour d’information à l’écran indiquant le non du fichier malveillant sans rien écrire sur le support de sortie.

    Pour les deux cas présentés, s’agit-il d’un comportement normal du kiosque ? Pour le 1er cas, pourquoi l’usager n’a pas de retour à l’écran concernant le fichier non transféré ? Pour le 2nd cas, pourquoi le kiosque n’écrit pas le rapport sur le support de sortie et arrête tout simplement le traitement.

    Merci pour votre retour.

    opened by LJ1root 3
Releases(v0.2.0)
Owner
CEA IT Security
IT Security at the French Alternative Energies and Atomic Energy Commission
CEA IT Security
A new pure-Rust library for cross-platform low-level access to USB devices.

nusb A new pure-Rust library for cross-platform low-level access to USB devices. Documentation Compared to rusb and libusb Pure Rust, no dependency on

Kevin Mehall 23 Oct 30, 2023
RnR is a command-line tool to securely rename multiple files and directories that supports regular expressions

RnR is a command-line tool to securely rename multiple files and directories that supports regular expressions. Features Batch rename files and direct

Ismael González Valverde 219 Dec 31, 2022
Tool for mass import of hosts into Zabbix (and other API functions)

zabbix-tools A CLI tool for interacting with Zabbix API built in Rust. Designed for Zabbix 6.0. Functions added to test API and add hosts manually or

null 1 Apr 21, 2022
CLI tool for mass tweet deletion

Damae Damae is a simple CLI tool for mass-deleting tweets. Its name comes from the Latin phrase "damnatio memoriae", which means "condemnation of memo

null 3 Jan 30, 2022
1 library and 2 binary crates to run SSH/SCP commands on a "mass" of hosts in parallel

massh 1 library and 2 binary crates to run SSH/SCP commands on a "mass" of hosts in parallel. The binary crates are CLI and GUI "frontends" for the li

null 2 Oct 16, 2022
command line tools for coprolite research (paleontology and archaeology): estimate the producer's body mass based on coprolite diameter by the use of regression models

OVERVIEW OF COPROSIZE coprosize employs power, exponential and cubic regression models allowing to estimate the producer's body mass based on coprolit

Piotr Bajdek 7 Nov 25, 2022
Detect polymer contaminants in mass spectra.

?? mzsniffer ?? Detect polymer contaminants in mass spectra. Introduction Mzsniffer is a command line application to quickly detect common polymer con

Will Fondrie 4 Mar 13, 2023
Rust client-side implementation of the rock usb protocol

Utility crates to interact with Rockchip devices Rockchip SoCs implement a custom USB protocol when starting in a special recovery mode (sometimes cal

Collabora 12 Mar 14, 2023
An open source, programmed in rust, privacy focused tool for reading programming resources (like stackoverflow) fast, efficient and asynchronous from the terminal.

Falion An open source, programmed in rust, privacy focused tool for reading programming resources (like StackOverFlow) fast, efficient and asynchronou

Obscurely 17 Dec 20, 2022
Desktop app for reading and downloading manga. With clean distraction-free design and no clutter

Tonbun Tonbun is a desktop app for reading and downloading manga. With clean distraction-free design and no clutter. Build with Rust, Tauri, Vue.js, a

null 23 Nov 30, 2022
An event replay tool for the Trento storage backend.

photofinish - a little, handy tool to replay events This tiny CLI tool aims to fulfill the need to replay some events and get fixtures. Photofinish re

null 5 Nov 10, 2022
Captures packets and streams them to other devices. Built for home network analysis and A&D CTFs.

?? shiny-donut shiny-donut is a packet capture app that supports streaming packets from a remote system to another device. The main use for this is to

Justin Perez 3 Nov 30, 2022
Rust crate `needleman_wunsch` of the `fasebare` package: reading FASTA sequences, Needleman-Wunsch alignment

fasebare Rust crate needleman_wunsch of the fasebare package: reading FASTA sequences, Needleman-Wunsch alignment. Synopsis The crate needleman_wunsch

Laurent Bloch 2 Nov 19, 2021
📚 flow state reading in the terminal

fsrx ?? (f)low (s)tate (r)eading e(x)change – flow state reading in the terminal Inspired by (but not affiliated with) Renato Casutt and his revolutio

colby thomas 276 Dec 14, 2022
Pure rust library for reading / writing DNG files providing access to the raw data in a zero-copy friendly way.

DNG-rs   A pure rust library for reading / writing DNG files providing access to the raw data in a zero-copy friendly way. Also containing code for re

apertus° - open source cinema 4 Dec 1, 2022
Reading Getting Friendly With CPU Caches

Getting Friendly With CPU Caches Reading Getting Friendly With CPU Caches, by Miki Tebeka and William Kennedy, inspired me to look at some Rust equiva

Herbert 6 Jul 25, 2023
A blazingly fast rust-based bionic reader for blazingly fast reading within a terminal console 🦀

This Rust-based CLI tool reads text and returns it back in bionic reading format for blazingly fast loading and even faster reading! Bionic reading is

Ismet Handzic 5 Aug 5, 2023
📚 flow state reading in the terminal

fsrx ??(f)low (s)tate (r)eading e(x)change – flow state reading in the terminal Inspired by (but not affiliated with) Renato Casutt and his revolution

Colby Thomas 296 Oct 26, 2023
Revolutionize handheld gaming with adaptive game settings. Optimize graphics and gameplay experience based on real-time system metrics. Open-source project empowering developers to enhance games on portable devices

Welcome to the server-side application for the HarmonyLink project. This innovative software is developed with the Rust programming language and is ai

Jordon Brooks 5 Jun 28, 2023