Why not USB? I believe a "BadUSB" kind of attack (which may happen with specially crafted hardware only) can be mitigated by forbidding/whitelisting USB hardware that is not a Mass Storage device.
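The allow-list the comment above proposes, as an added example that is not part of the original post and not the commenter's code: the decision is made per USB interface class, so a composite device that enumerates as both Mass Storage (class 0x08) and a keyboard (HID, class 0x03) is rejected even though it does contain a storage interface. The sysfs attribute names (`idVendor`, `idProduct`, `product`, `bInterfaceClass` under `/sys/bus/usb/devices`) are real Linux kernel attributes; the sample devices are constructed for the example, and the `read_sysfs_devices` helper is only used when that tree exists.

```python
"""Interface-class allow-list for USB devices (added example, not from the original post)."""
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

MASS_STORAGE = 0x08  # USB Mass Storage Class code
HID = 0x03           # Human Interface Device (keyboards, mice): what a BadUSB stick emulates


@dataclass
class UsbDevice:
    vid: str
    pid: str
    product: str
    interface_classes: List[int]  # bInterfaceClass of every interface the device exposes


def is_allowed(dev: UsbDevice, allowed: Tuple[int, ...] = (MASS_STORAGE,)) -> bool:
    """Allow the device only if every interface is in the allow-list.

    A device with no interfaces is denied (nothing to vet), and a composite
    device that adds a HID interface next to its storage interface is denied:
    checking only "has a mass-storage interface" would let BadUSB through.
    """
    if not dev.interface_classes:
        return False
    return all(cls in allowed for cls in dev.interface_classes)


def evaluate(devices: List[UsbDevice]) -> Dict[str, bool]:
    """Map 'vid:pid product' to the allow/deny decision for each device."""
    return {f"{d.vid}:{d.pid} {d.product}": is_allowed(d) for d in devices}


def _read(path: str, default: str = "") -> str:
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            return fh.read().strip()
    except OSError:
        return default


def read_sysfs_devices(root: str = "/sys/bus/usb/devices") -> List[UsbDevice]:
    """Build UsbDevice records from the kernel's sysfs tree (Linux only).

    Device directories look like '1-3'; their interfaces are sibling
    directories '1-3:1.0', '1-3:1.1', ... with a bInterfaceClass attribute
    (hex string). Hubs and roots without idVendor are skipped.
    """
    devices: List[UsbDevice] = []
    if not os.path.isdir(root):
        return devices
    entries = sorted(os.listdir(root))
    for name in entries:
        if ":" in name or name.startswith("usb"):
            continue  # interface dir or root hub
        base = os.path.join(root, name)
        vid = _read(os.path.join(base, "idVendor"))
        if not vid:
            continue
        pid = _read(os.path.join(base, "idProduct"))
        product = _read(os.path.join(base, "product"), "?")
        classes = [
            int(_read(os.path.join(root, e, "bInterfaceClass"), "ff"), 16)
            for e in entries
            if e.startswith(name + ":")
        ]
        devices.append(UsbDevice(vid, pid, product, classes))
    return devices


# Constructed sample inventory (not captured from a real machine).
SAMPLE_DEVICES = [
    UsbDevice("0781", "5567", "Plain flash drive", [MASS_STORAGE]),
    UsbDevice("16c0", "27db", "Keystroke injector", [HID]),
    UsbDevice("1234", "0001", "Storage plus hidden keyboard", [MASS_STORAGE, HID]),
    UsbDevice("1234", "0002", "No interfaces reported", []),
]

if __name__ == "__main__":
    for label, ok in evaluate(SAMPLE_DEVICES).items():
        print(f"{'ALLOW' if ok else 'DENY '}  {label}")
    for label, ok in evaluate(read_sysfs_devices()).items():
        print(f"{'ALLOW' if ok else 'DENY '}  {label}  (live)")
```

The same policy expressed for the `usbguard` daemon is a single rule, `allow with-interface equals { 08:*:* }` with everything else falling through to the default block; the point of the script is to show why the match must be over all interfaces of the device and not merely the presence of one storage interface.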