To learn more about the Linux kernel, I decided to modify the Linux
USB storage driver as a project for an operating systems class. The
modified kernel module checks the serial number on a USB storage device,
and only allows authorized devices to be connected.
Click on an image to enlarge.
Only authorized USB storage devices are allowed to connect. This means
that sensitive data cannot be copied out to arbitrary flash drives or
external hard drives. It can also prevent malicious data from getting
onto secure machines from unknown sources.
I downloaded version 3.12.0 of the Linux kernel source code. All
modifications were done in drivers/usb/storage. I installed
the kernel on my system (Ubuntu 13.04), and used the insmode and
rmmod commands to load/unload the modified driver. Also, the
printk function came in handy to log output from the kernel
code, viewable with the dmesg command.
The original plan was to read a file containing valid serial numbers
in the get_device_info function of the usb.c file.
However, as I learned, it is bad to read files at the kernel level.
Thus, I instead used module parameters (passed with the insmod
command) to give the module a list of authorized serial numbers. If
a device was inserted that did not have a valid serial number, the
get_device_info function would return
-ENODEV, causing the clean-up routine to get executed,
and the device never connected.
The serial numbers were kept in a file (a script was used to pass
them in as parameters to the module as it was loaded). To make sure
the serial numbers could not be compromised and copied onto an
unauthorized USB device, they were encrypted using a SHA1 hash.
The kernel code then encrypted the serial number of the device
which was plugged in, and compared the hashes instead of the raw
I tested the modified module with four devices: two USB flash drives,
at 4GB and 8GB, and two external hard drives, at 500GB and 1TB. The
module successfully rejected all unauthorized devices, while letting
all valid devices connect normally with no performance loss.
As possible future work for this project, it would be great to have the
modified driver be loaded at system boot. I would also like to test the
implementation with USB 3.0 devices. Finally, it would be nice to use this
idea to prevent any unauthorized wireless devices from gaining access to