usbsas v0.1.4 releases: securely reading untrusted USB mass storage devices

usbsas

usbsas is a free and open-source (GPLv3) tool and framework for securely reading untrusted USB mass storage devices.

Following the concept of defense-in-depth and the principle of least privilege, usbsas’s goal is to reduce the attack surface of the USB stack. To achieve this, most of the USB-related tasks (parsing USB packets, SCSI commands, file systems, etc.) usually executed in (privileged) kernel space has been moved to user space and separated into different processes (microkernel style), each being executed in its own restricted secure computing mode.

The main purpose of this project is to be deployed as a kiosk/sheep dip station to securely transfer files from an untrusted USB device to a trusted one.

It works on GNU/Linux and is written in Rust.

Features

usbsas can:

• read files from an untrusted USB device (without using kernel modules like uas, usb_storage, and the file system ones). Supported file systems are FAT, exFat, ext4, NTFS and ISO9660
• analyze files with a remote antivirus
• copy files on a new file system to a trusted USB device. Supported file systems are FAT, exFAT and NTFS
• upload files to a remote server
• make an image of a USB device
• wipe a USB device

Applications

Applications built on top of usbsas:

• Web client/server: This is the main application of usbsas, for deploying a secure USB to a USB file transfer kiosk.
• Fuse implementation: mount USB devices (read-only) with usbsas.
• Python: usbsas can also be used with Python, a script that copies everything from one device to another is given as an example.

Changelog v0.1.4

• File export by @losynix in #190
• Update ff by @losynix in #192
• Update ntfs3g to v2022.10.3 by @losynix in #193
• Fix deb pkg and comm.py by @losynix in #194
• python: fix fstype in protobuf request by @losynix in #195
• Fix error names (silly copy/paste mistakes) by @losynix in #196
• usb ack retry if timeout by @losynix in #197
• Refactor and rename privileges / sandbox crate by @losynix in #199
• Refactor process spawning by @losynix in #200
• Split deb pkg and Makefile for live-iso by @losynix in #201
• File export fix header by @tdrrdt in #203

Install & Use

Copyright (C) 2022 cea-sec