This repository was archived by the owner on Nov 9, 2018. It is now read-only.
canary.operating_system.helpers.check_state will fail to catch any change in mounted file systems that does not change the total number of mounted file systems (as seen by psutil).
Feature Request
Bug Report
Expected Behavior
Consider a laptop with usb-canary running during screen lock, and the screen being locked while a usb disk containing a single ntfs partition is attached and that partition is mounted. Automount is enabled.
Now consider an attacker unplugs the ntfs usb disk and plugs in another ntfs-formatted, single-partition usb-disk. This other disk is auto-mounted. Note that this is a common scenario when a device has limited USB ports available.
usb-canary should immediately raise hell.
Current Behavior
usb-canary will not notice anything happened provided the change happened quickly enough between two checks (likely).
Possible Solution
Properly compare states. Compare more than just device name, mountpoint, filesystem type and options. At least also monitor:
Device path (usb port number and path through hubs)
Device serial number from USB descriptors
Filesystem UUID where available
Partition and device UUIDs where available
Other device parameters such as size and additional usb descriptor fields
Steps to Reproduce (for bugs)
(no poc provided)
Context
usb-canary at least on first glance looks like a security tool. Thus it should be secure.
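The comparison proposed in the issue, as an added example that is not part of the original report or of the usb-canary code base: it diffs two mount snapshots field by field, so a disk swap that leaves the mount count unchanged is still reported. The `MountIdentity` record, its field names and the sample values are assumptions constructed for illustration; collecting the fields from the operating system is left out.

```python
from typing import NamedTuple

class MountIdentity(NamedTuple):
    # Hypothetical record; the fields follow the list in the issue.
    device: str       # device name, e.g. /dev/sdb1
    mountpoint: str
    fstype: str
    opts: str
    usb_path: str     # USB port number and path through hubs
    serial: str       # serial number from the USB descriptors
    fs_uuid: str      # filesystem UUID, "" where unavailable
    part_uuid: str    # partition UUID, "" where unavailable
    size_bytes: int

def count_only_changed(before, after):
    """The weak check the issue describes: compares only the number of mounts."""
    return len(before) != len(after)

def diff_states(before, after):
    """Return (removed, added, changed); changed maps mountpoint -> {field: (old, new)}."""
    old = {m.mountpoint: m for m in before}
    new = {m.mountpoint: m for m in after}
    removed = sorted(old.keys() - new.keys())
    added = sorted(new.keys() - old.keys())
    changed = {}
    for mp in sorted(old.keys() & new.keys()):
        delta = {f: (getattr(old[mp], f), getattr(new[mp], f))
                 for f in MountIdentity._fields
                 if getattr(old[mp], f) != getattr(new[mp], f)}
        if delta:
            changed[mp] = delta
    return removed, added, changed

def state_changed(before, after):
    """True if any mount was added, removed, or replaced by a different device."""
    return any(diff_states(before, after))

# Constructed sample data: disk A is swapped for disk B on the same port.
ROOT = MountIdentity("/dev/sda1", "/", "ext4", "rw", "", "", "root-uuid", "root-part", 256 * 10**9)
DISK_A = MountIdentity("/dev/sdb1", "/media/user/USB", "ntfs", "rw,nosuid,nodev",
                       "usb-1.2", "SERIAL-A", "FSUUID-A", "PARTUUID-A", 32 * 10**9)
DISK_B = DISK_A._replace(serial="SERIAL-B", fs_uuid="FSUUID-B",
                         part_uuid="PARTUUID-B", size_bytes=64 * 10**9)
BEFORE, AFTER = [ROOT, DISK_A], [ROOT, DISK_B]
```

With the constructed snapshots, `count_only_changed(BEFORE, AFTER)` is false while `state_changed(BEFORE, AFTER)` is true, and `diff_states` names the fields that differ.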