├── .gitignore ├── LICENSE ├── Makefile ├── README.md ├── config.h └── silk.c /.gitignore: -------------------------------------------------------------------------------- 1 | .* 2 | *.cmd 3 | *.ko 4 | *.mod.c 5 | modules.order 6 | Module.symvers 7 | *.o 8 | *.o.* 9 | *.swp 10 | .tmp_versions 11 | tags 12 | cscope.* 13 | ncscope.* 14 | *.patch 15 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Nate Brune 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | obj-m += silk.o 2 | 3 | KERNELVER ?= $(shell uname -r) 4 | KERNELDIR ?= /lib/modules/$(KERNELVER)/build 5 | PWD := $(shell pwd) 6 | 7 | all: 8 | make -C $(KERNELDIR) M=$(PWD) 9 | 10 | clean: 11 | make -C $(KERNELDIR) M=$(PWD) clean 12 | 13 | install: 14 | make -C $(KERNELDIR) M=$(PWD) modules_install 15 | /sbin/depmod -a $(KERNELVER) 16 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # silk-guardian 2 | Silk Guardian is an anti-forensic LKM kill-switch that waits for a change on your usb ports then deletes precious files and turns off your computer. 3 | 4 | Inspired by [usbkill](https://github.com/hephaest0s/usbkill). 5 | I remade this project as a Linux kernel driver for fun and to learn. Many people have contributed since, and I thank them. 6 | 7 | To run: 8 | 9 | ```shell 10 | make 11 | sudo insmod silk.ko 12 | ``` 13 | 14 | You will need to have the `linux-headers` package installed. If you haven't: 15 | 16 | ```shell 17 | sudo apt-get install linux-headers 18 | ``` 19 | ### Why? 20 | 21 | There are 3 reasons (maybe more?) to use this tool: 22 | 23 | - In case the police or other thugs come busting in. The police commonly uses a « [mouse jiggler](http://www.amazon.com/Cru-dataport-Jiggler-Automatic-keyboard-Activity/dp/B00MTZY7Y4/ref=pd_bxgy_pc_text_y/190-3944818-7671348) » to keep the screensaver and sleep mode from activating. 24 | - You don't want someone retrieve documents from your computer via USB or install malware or backdoors. 25 | - You want to improve the security of your (Full Disk Encrypted) home or corporate server (e.g. Your Raspberry). 26 | 27 | > **[!] Important**: Make sure to use (partial) disk encryption ! 
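Otherwise intruders will be able to access your harddrive.

> **Tip**: Additionally, you may use a cord to attach a USB key to your wrist. Then insert the key into your computer and insert the kernel module. If they steal your computer, the USB will be removed and the computer shuts down immediately.

### Feature List

- Shutdown the computer when there is USB activity
- Secure deletion of incriminating files before shutdown
- No dependencies
- Difficult to detect

### To Do
- Ability to whitelist USB devices ![](http://www.gia.edu/img/sprites/icon-green-check.png)
- Remove files before shutdown ![](http://www.gia.edu/img/sprites/icon-green-check.png)
- Remove userspace dependancy upon shutdown ![](http://www.gia.edu/img/sprites/icon-green-check.png)

More like... to-done. Way to go community you did it!

### Change Log
2.0 - Updated to use notifier interface.

1.5 - Updated to use shred and remove files on shutdown

1.0 - Initial release.

### Contact

[natebrune@gmail.com](mailto:natebrune@gmail.com)
[https://keybase.io/natebrune](https://keybase.io/natebrune)
[https://twitter.com/capitalisnn](https://twitter.com/capitalisnn)
--------------------------------------------------------------------------------
/config.h:
--------------------------------------------------------------------------------
/*
 * Files silk-guardian will remove upon detecting change in usb state.
 * Each entry is handed to /usr/bin/shred as a path, so that binary must be
 * present on the root filesystem at panic time.
 */
static char *remove_files[] = {
	//"/home/user/privatekey",
	//"/private/ssnumber.pdf",
	NULL, /* Must be NULL terminated */
};

/*
 * Command run to wipe RAM when WIPE_RAM is defined.  The array is passed
 * directly to call_usermodehelper(), which walks argv until it finds NULL,
 * so the terminator is mandatory.
 */
char *sdmem_argv[] = {
	"/usr/bin/sdmem",
	"-f", "-ll",
	NULL, /* Must be NULL terminated */
};

/* How many times to shred file. The more iterations the longer it takes. */
static char *shredIterations = "3";

/*
 * List of all USB devices you want whitelisted (i.e. ignored).
 * Matching is done on the fields selected by each entry's match_flags;
 * the default entry matches only vendor 0x0000 / product 0x0000.
 */
static const struct usb_device_id whitelist_table[] = {
	{ USB_DEVICE(0x0000, 0x0000) },
};


/* comment this if normal shutdown isn't fast enough */
/* Slower than kernel_power_off */
#define USE_ORDERLY_SHUTDOWN

/* Uncomment to wipe ram upon shutdown with sdmem */
/* #define WIPE_RAM */
--------------------------------------------------------------------------------
/silk.c:
--------------------------------------------------------------------------------
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

/*
 * Header names were lost in the page extraction; these are the headers that
 * provide the symbols used below (module macros, call_usermodehelper(),
 * notifier constants, orderly_poweroff()/kernel_power_off(), USB core API).
 */
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/kmod.h>
#include <linux/notifier.h>
#include <linux/reboot.h>
#include <linux/usb.h>
#include "config.h"

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Greg Kroah-Hartman and Nate Brune");
MODULE_DESCRIPTION("A module that protects you from having a terrible horrible no good very bad day.");

/*
 * Kill switch: shred every configured file, optionally wipe RAM, then power
 * the machine off.
 *
 * @usb: the device whose add/remove event triggered us.  Its device lock and
 *       those of its ancestors are released before the poweroff (see below).
 *
 * Called from the USB notifier chain, i.e. process context, so the usermode
 * helpers may sleep.  Does not return to normal operation.
 */
static void panic_time(struct usb_device *usb)
{
	int i;
	int ret;
	struct device *dev;

	pr_info("shredding...\n");
	for (i = 0; remove_files[i] != NULL; ++i) {
		char *shred_argv[] = {
			"/usr/bin/shred",
			"-f", "-u", "-n",
			shredIterations,
			remove_files[i],
			NULL,
		};

		/*
		 * UMH_WAIT_PROC blocks until shred has exited.  UMH_WAIT_EXEC
		 * only waits for the exec, which lets the poweroff below race
		 * the deletion and can leave files partially overwritten.
		 * A failure is logged rather than fatal so the remaining files
		 * are still processed and the poweroff still happens.
		 */
		ret = call_usermodehelper(shred_argv[0], shred_argv,
					  NULL, UMH_WAIT_PROC);
		if (ret)
			pr_err("shred of %s failed: %d\n", remove_files[i], ret);
	}
	pr_info("...done.\n");

#ifdef WIPE_RAM
	pr_info("running sdmem\n");
	/* Same reasoning as above: wait for the wipe to finish before poweroff. */
	ret = call_usermodehelper(sdmem_argv[0], sdmem_argv, NULL, UMH_WAIT_PROC);
	if (ret)
		pr_err("sdmem failed: %d\n", ret);
#endif

	/*
	 * NOTE(review): this releases the device lock of @usb and of every
	 * ancestor, presumably so the poweroff path can shut the devices down
	 * without deadlocking on them.  The kernel mutex API only allows the
	 * owning task to unlock, so this relies on the notifier running with
	 * those locks held by the current task -- confirm against the kernel
	 * version in use, as lock debugging will flag a mismatch.
	 */
	for (dev = &usb->dev; dev; dev = dev->parent)
		mutex_unlock(&dev->mutex);
	pr_info("Syncing & powering off.\n");

#ifdef USE_ORDERLY_SHUTDOWN
	/* true: fall back to kernel_power_off() if the userspace helper fails */
	orderly_poweroff(true);
#else
	kernel_power_off();
#endif
}

/*
 * Compare a connected device against one whitelist entry.
 *
 * @dev: the device reported by the notifier
 * @id:  a whitelist_table entry; only the fields selected by id->match_flags
 *       are compared
 *
 * Returns 0 if no match, 1 if match.
 *
 * Taken from drivers/usb/core/driver.c, as it's not exported for our use :(
 */
static int usb_match_device(struct usb_device *dev,
			    const struct usb_device_id *id)
{
	/* Descriptor fields are little-endian on the wire; IDs are host order. */
	if ((id->match_flags & USB_DEVICE_ID_MATCH_VENDOR) &&
	    id->idVendor != le16_to_cpu(dev->descriptor.idVendor))
		return 0;

	if ((id->match_flags & USB_DEVICE_ID_MATCH_PRODUCT) &&
	    id->idProduct != le16_to_cpu(dev->descriptor.idProduct))
		return 0;

	/* No need to test id->bcdDevice_lo != 0, since 0 is never
	   greater than any unsigned number. */
	if ((id->match_flags & USB_DEVICE_ID_MATCH_DEV_LO) &&
	    (id->bcdDevice_lo > le16_to_cpu(dev->descriptor.bcdDevice)))
		return 0;

	if ((id->match_flags & USB_DEVICE_ID_MATCH_DEV_HI) &&
	    (id->bcdDevice_hi < le16_to_cpu(dev->descriptor.bcdDevice)))
		return 0;

	if ((id->match_flags & USB_DEVICE_ID_MATCH_DEV_CLASS) &&
	    (id->bDeviceClass != dev->descriptor.bDeviceClass))
		return 0;

	if ((id->match_flags & USB_DEVICE_ID_MATCH_DEV_SUBCLASS) &&
	    (id->bDeviceSubClass != dev->descriptor.bDeviceSubClass))
		return 0;

	if ((id->match_flags & USB_DEVICE_ID_MATCH_DEV_PROTOCOL) &&
	    (id->bDeviceProtocol != dev->descriptor.bDeviceProtocol))
		return 0;

	return 1;
}

/*
 * Decide what to do about a USB topology change: ignore whitelisted devices,
 * trigger panic_time() for anything else.
 *
 * @dev: the device that was added or removed
 */
static void usb_dev_change(struct usb_device *dev)
{
	size_t i;

	/* Check our whitelist to see if we want to ignore this device */
	for (i = 0; i < ARRAY_SIZE(whitelist_table); i++) {
		if (usb_match_device(dev, &whitelist_table[i])) {
			pr_info("Device is ignored\n");
			return;
		}
	}

	/* Not a device we were ignoring, something bad went wrong, panic! */
	panic_time(dev);
}

/*
 * USB notifier callback.
 *
 * @self:   our notifier_block (unused)
 * @action: USB_DEVICE_ADD / USB_DEVICE_REMOVE are handled; other USB events
 *          are ignored
 * @dev:    the struct usb_device the event concerns
 *
 * Always returns NOTIFY_DONE (0) so other subscribers keep being notified.
 */
static int notify(struct notifier_block *self, unsigned long action, void *dev)
{
	switch (action) {
	case USB_DEVICE_ADD:
		/* We added a new device, lets check if its known */
	case USB_DEVICE_REMOVE:
		/* A USB device was removed, possibly as security measure */
		usb_dev_change(dev);
		break;
	default:
		break;
	}
	return NOTIFY_DONE;
}

static struct notifier_block usb_notify = {
	.notifier_call = notify,
};

/* Module entry: subscribe to USB add/remove events. */
static int __init silk_init(void)
{
	usb_register_notify(&usb_notify);
	pr_info("Now watching USB devices...\n");
	return 0;
}
module_init(silk_init);

/* Module exit: unsubscribe so no callback fires into unloaded code. */
static void __exit silk_exit(void)
{
	usb_unregister_notify(&usb_notify);
	pr_info("No longer watching USB devices.\n");
}
module_exit(silk_exit);
--------------------------------------------------------------------------------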