SecureUSB

Can't or won't trust just any USB attached device? Have cryptographic certainty of trust, on top of organization level management for devices can be used where, and know when they are used.

Comment

Trident USB: Turning USB Insecurity on its Head!

The Insecurity We're Tackling: USB drives are a double-edged sword. Essential for many workflows, yet a notorious gateway for malware, data theft, and unauthorized access. For non-technical users, secure alternatives are often cumbersome, while IT administrators lack effective, centralized control and visibility over USB usage. This gaping security hole is what Trident USB confronts.

Our Vision: Secure. Simplified. Imagine a world where using a USB stick is inherently secure. Users simply plug in an authorized stick into an authorized machine – no complex steps. Administrators, meanwhile, gain granular control, real-time monitoring, and a comprehensive audit trail from a central dashboard. This is the future Trident USB delivers.

What Trident USB Does: From Threat to Trust

Trident USB transforms vulnerable USB ports into policy-enforced, monitored endpoints. Here's the core loop:

  1. Connection & Detection: A user plugs a Trident-managed USB stick into a machine running our lightweight Python agent.
  2. Mutual Authentication Challenge:
    • The agent detects the new USB device (initially not as mass storage).
    • It initiates a cryptographic challenge with the stick to verify its identity against policies stored in our central Supabase backend.
    • The stick, in turn, can (in future iterations with more capable hardware) challenge the agent/host.
  3. Policy Enforcement via Supabase Edge Function: The agent queries a Supabase Edge Function (fn_get_effective_policy) which resolves a hierarchical policy (Global -> Group -> Agent -> Stick specific overrides) to determine if access should be granted.
  4. Secure Access or Denial:
    • Authenticated & Authorized: The stick (if it's a specialized hardware stick, or a standard stick with our software-defined security) re-enumerates as a mass storage device, granting access.
    • Authentication Failed / Unauthorized: Access is denied, and the agent can automatically eject the stick based on the effective policy.
  5. Comprehensive Logging: All events (connection, auth attempts, policy decisions, access granted/denied) are logged to Supabase for central auditing and appear in the dashboard. Logs can also be written to the stick itself if permitted by policy.

How We Built It: The Trident Ecosystem

Trident USB comprises three core, interconnected components:

  • 1. The Secure USB Stick (Concept & Software Simulation):

    • Hardware Vision: A microcontroller-based USB stick that initially presents as a serial device for the authentication handshake, then re-enumerates as mass storage upon successful authentication.
    • Current Implementation (Hackathon Scope): For this hackathon, we simulate this behavior using standard USB sticks. The "authentication" is based on a public_key file on the stick being validated against an expected_public_key stored in Supabase, linked via a unique stick_id in a config.file on the stick. The "re-enumeration" is conceptually handled by the agent allowing or denying mount access.

  • 2. The Python Client Agent:

    • A robust Python script running on Linux endpoints (design is adaptable for other OS).
    • Responsibilities:
      • Detects USB connections and disconnections (usb-monitor, psutil).
      • Manages a persistent agent_identity (agent_setup.py).
      • Reads stick configuration (config.file).
      • Performs authentication against Supabase (auth.py, supabase_client.py).
      • Fetches and applies effective policies from Supabase Edge Functions.
      • Executes actions like robustly ejecting unauthorized sticks (usb_utils.py).
      • Handles detailed, contextual logging to local files and Supabase (logger_setup.py, SupabaseListHandler).

  • 3. The Central Management Dashboard & Supabase Backend:

    • Intuitive Web UI: (Screenshots provided) A comprehensive dashboard for:
      • Registering and managing USB sticks, client agents, and user/computer groups.
      • Defining a sophisticated policy hierarchy (Global, Group, Agent, Stick overrides).
      • Viewing real-time event logs and security alerts.
      • Monitoring system health and Supabase connectivity.
    • Powerful Supabase Backend:
      • PostgreSQL Database: Stores all entity data, policies, and logs.
      • Authentication: Manages user access to the dashboard.
      • Realtime APIs & REST APIs: Facilitate communication between agents and the dashboard.
      • Serverless Edge Functions (Deno/TypeScript): The fn_get_effective_policy function is the heart of our dynamic policy resolution, ensuring the correct policy is applied based on the specific agent-stick interaction. This keeps complex decision-making logic centralized and secure.

Challenges We Navigated (and Conquered!)

  • Designing a Robust Policy Hierarchy: Creating a flexible yet understandable system for policy inheritance (Global -> Group -> Agent -> Stick) and implementing its resolution efficiently via Supabase Edge Functions was a significant design challenge.
  • Reliable Agent-Side USB Management: Developing a Python agent that consistently detects USB events, correctly identifies mount points across different Linux setups, and performs robust, multi-step ejections (udisksctl unmount, udisksctl power-off, eject) required deep dives into system-level interactions.
  • Secure and Efficient Agent-Backend Communication: Ensuring that agents securely fetch keys and policies without compromising the system, and batching log uploads effectively.
  • (Conceptual) Microcontroller & Re-enumeration Logic: While simulated for the hackathon, designing the theoretical flow for a hardware stick that changes its USB enumeration post-authentication involved careful consideration of USB protocols and HALs (Hardware Abstraction Layers).
  • Contextual Logging for Actionable Insights: Implementing the ContextualFormatter and SupabaseListHandler to ensure logs are not just numerous, but rich with context (stick_id, agent_id, event_type) for easy filtering and analysis in the dashboard.

Accomplishments We're Proud Of

  • The End-to-End Working System: From agent detection on a Linux machine to policy enforcement based on rules set in a web dashboard, and seeing those events logged back centrally – it all works!
  • The Power of the Policy Engine: The fn_get_effective_policy Edge Function truly centralizes and simplifies complex access decisions, making the system highly adaptable. (python client for Linux: https://github.com/philscheuerer/SecureUSB)
  • Intuitive UI/UX: Creating a dashboard (see screenshots) that makes complex security management accessible and visually clear. (react UI: https://github.com/philscheuerer/trident-usb) + simplified UI demo: (https://preview--trident-usb.lovable.app/)
  • The Robustness of the Python Agent: It handles various scenarios gracefully, from initial stick detection to policy-driven ejection, with detailed logging every step of the way.
  • Thinking Beyond Software: Conceptualizing the hardware-software co-design for the ideal "Trident Stick," even if simulated for now, pushes the boundaries of typical USB security solutions. (Firmware-Experiments for USB-side: https://gitlab.gamedevregensburg.de/jackik1/secure-usb)

What We Learned

  • The Nuances of System-Level USB Interaction: There's a surprising amount of complexity in reliably detecting, identifying, and controlling USB devices programmatically across different environments.
  • The Power of Serverless for Dynamic Logic: Supabase Edge Functions proved invaluable for offloading complex decision-making (like policy resolution) from the client agent, enhancing security and maintainability.
  • The Importance of Iterative Design: Both the agent logic and the UI/UX evolved significantly as we encountered edge cases and sought clearer presentations of information.
  • Cryptography is Hard, But Essential: While we simplified the crypto for the hackathon (key comparison), the process reinforced the need for robust cryptographic primitives in a production system.
  • User Experience Matters, Even for Admin Tools: A powerful system is only effective if administrators can understand and use it efficiently.

What's Next for Trident USB: Expanding the Secure Perimeter

The current system provides a strong foundation. The future is exciting:

  • True Microcontroller-Based Trident Sticks: Implementing the hardware vision for enhanced physical security and tamper-resistance.
  • Cross-Platform Agent Support: Expanding agent compatibility to Windows and macOS.
  • File-Level Control & DLP: Implementing policies to control what data can be read/written, based on file types, DLP tags, etc.
  • Beyond Mass Storage: Extending Trident's protection to other USB device classes (e.g., serial devices, specialized hardware) ensuring only trusted peripherals can interact with critical systems. Imagine securing industrial control systems or medical devices.
  • Offline Policy Caching & Sync: Allowing agents to enforce policies even with intermittent network connectivity.
  • SIEM Integration & Advanced Analytics: Pushing logs to enterprise SIEMs and applying ML for anomaly detection in USB usage patterns.
  • Embedded Trident: Integrating Trident's core security directly into other embedded devices or machines that need secure peripheral access.

Trident USB is more than just a project; it's a vision for a fundamentally more secure way to interact with the ubiquitous USB interface.

Built With

Share this project:

Updates