malicious device canary

xahare
Posts: 19
Joined: 26. Jul 2016, 02:48

malicious device canary

Post by xahare »

Is it possible to set up VirtualBox to intercept a device *before* the host OS can do anything with it? Can a USB controller be passed to VirtualBox? What about individual USB devices on the same bus that are not whitelisted for the host OS? Or other PCI devices like Thunderbolt or Ethernet?

The idea is to have a USB canary to intercept potentially malicious USB devices before they can do anything to the host OS.

If not VirtualBox, what other hypervisors can do this besides Xen and KVM?
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: malicious device canary

Post by socratis »

xahare wrote:Is it possible to set up VirtualBox to intercept a device *before* the host OS can do anything with it?
Yes, via the USB filters. In the worst case scenario (I'll explain) you create a "blank" USB filter and anything that gets connected to your host's USB controller(s) will be passed immediately to the guest.

Now, (and that's the danger) this "blank" filter will capture everything, including your mouse and keyboard, if they are USB based (99.9% these days). A way to limit that would be to fill in some values for the filter, if you know them, like the Vendor ID or the Product ID. That would limit the filter to what it can capture.
xahare wrote:intercept potentially malicious usb devices
I have yet to see a USB stick/external HD do malicious things to a computer (unless you have enabled Autorun in Windows guests). XBox/PS controllers, phones and GPS devices have not been known to "attack" their host when they're just plugged in. What exactly did you have in mind?
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
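The filter setup described in the reply above, as an added example that is not code from the forum thread or from VirtualBox itself. It builds the VBoxManage commands for a "blank" catch-all filter on a canary VM, and goes one step beyond the reply's suggestion of filling in Vendor/Product IDs: instead of narrowing the canary filter, it uses VirtualBox's global "ignore" filters to keep the host keyboard and mouse on the host side, so the blank filter cannot capture them. Assumptions (mine, not the thread's): the VM is named "usb-canary" and already has a USB controller enabled; the usbhost listing is a constructed sample in the format of `VBoxManage list usbhost` with placeholder IDs, to be replaced with the real listing before use.

```shell
#!/bin/sh
# Added example (not from the forum thread or VirtualBox): emit the VBoxManage
# commands for a USB "canary" VM.
#   1. Global "ignore" filters keep the host keyboard and mouse on the host,
#      so they are never captured by any VM.
#   2. A blank filter (no VID/PID) on the canary VM captures everything else
#      the moment it is plugged in.
# Assumed names/values: VM "usb-canary", placeholder IDs in the sample listing.

VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"
CANARY_VM="${CANARY_VM:-usb-canary}"

# Constructed sample in the shape of `VBoxManage list usbhost` output.
# The UUIDs and VendorId/ProductId values are placeholders, not real devices.
SAMPLE_USBHOST='Host USB Devices:

UUID:               00000000-0000-0000-0000-000000000001
VendorId:           0x046d (046D)
ProductId:          0xc31c (C31C)
Manufacturer:       Logitech
Product:            USB Keyboard
Current State:      Busy

UUID:               00000000-0000-0000-0000-000000000002
VendorId:           0x046d (046D)
ProductId:          0xc077 (C077)
Manufacturer:       Logitech
Product:            USB Optical Mouse
Current State:      Busy
'

# Read a usbhost listing on stdin; print "vid pid" (hex, no 0x prefix) for the
# first device whose "Product:" line contains $1.
ids_for_product() {
    awk -v want="$1" '
        /^VendorId:/  { vid = substr($2, 3) }
        /^ProductId:/ { pid = substr($2, 3) }
        /^Product:/   { if (index($0, want)) { print vid, pid; exit } }
    '
}

# Command for a global filter that keeps a device on the host. "--action ignore"
# on a global filter means: never capture this device for any VM.
# $1 = filter index, $2 = filter name, $3 = vendor id, $4 = product id
host_keep_filter_cmd() {
    printf '%s usbfilter add %s --target global --name %s --action ignore --active yes --vendorid %s --productid %s\n' \
        "$VBOXMANAGE" "$1" "$2" "$3" "$4"
}

# Command for the blank catch-all filter on the canary VM: no vendor or
# product constraint, so every device not held back globally is captured.
canary_catchall_cmd() {
    printf '%s usbfilter add 0 --target %s --name canary-catch-all --active yes\n' \
        "$VBOXMANAGE" "$CANARY_VM"
}

# Print the full command sequence for a given usbhost listing ($1).
setup_canary() {
    listing="$1"
    set -- $(printf '%s\n' "$listing" | ids_for_product 'Keyboard')
    host_keep_filter_cmd 0 host-keyboard "$1" "$2"
    set -- $(printf '%s\n' "$listing" | ids_for_product 'Mouse')
    host_keep_filter_cmd 1 host-mouse "$1" "$2"
    canary_catchall_cmd
}

# Usage:  sh canary.sh plan        # print the commands built from the real listing
#         sh canary.sh plan | sh   # apply them
if [ "${1:-}" = "plan" ]; then
    setup_canary "$("$VBOXMANAGE" list usbhost)"
fi
```

Review the printed commands before piping them into a shell: if the keyboard or mouse is not found in the listing the ignore filter is emitted with empty IDs, and the blank filter would then grab the host input devices exactly as the reply warns.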
xahare

Re: malicious device canary

Post by xahare »

Thanks. Does this get passed directly to the VM (assuming VT-d / IOMMU), or does the host parse it first?

What I had in mind was DMA attacks, BadUSB etc., or just mistakes in firmware.
socratis
Site Moderator

Re: malicious device canary

Post by socratis »

xahare wrote:(assuming vt-d / iommu)
First of all, VT-d and IOMMU have absolutely nothing to do with the USB filter mechanism, as far as I would know or common logic would dictate.
xahare wrote:does this get passed directly to the vm or does the host parse it first?
The device is obviously parsed by the host first. It has to. You can't "steal" a hardware feature from the host and assign it directly to the guest. Simply put, the VirtualBox USB filter mechanism intercepts/interacts(?) with the low level USB mechanisms on the host, captures the device for itself (if there is a matching filter) and passes its raw messages to your guest.
xahare wrote:what i had in mind was DMA attacks, badusb etc, or just mistakes in firmware.
I'm not sure about the DMA attack. I looked it up and this is what Wikipedia had to say about it:
DMA attack wrote:Examples of connections that may allow DMA in some exploitable form include FireWire, CardBus, ExpressCard, Thunderbolt, PCI, and PCI Express.
No USB mention.
As far as the "bad USB" and "mistakes in firmware", I'm not sure if/how these can be exploited and "attack" the computer. I've not seen/heard it personally.