Tolerating Malicious Drivers in Linux
Silas Boyd-Wickizer and Nickolai Zeldovich
(Transcript of the talk slides hosted at static.usenix.org)
How could a device driver be malicious?
- Today's device drivers are highly privileged: write kernel memory, allocate memory, ...
- Drivers are complex; developers write buggy code
- Result: attackers exploit vulnerabilities
Current approaches
- User-space drivers in μkernels (Minix, L4, ...)
- Write device drivers in a new language (Termite)
- Handle common faults (Nooks, microdrivers, ...)
Goal
Secure, efficient, & unmodified drivers on Linux
Previous user-space drivers
[Figure: μkernel with kernel core in the kernel; network stack, Ethernet driver and application each in their own user process; hardware below]
- Confine driver in a process
- General purpose syscall API to configure device
- IPC network driver API (e.g. tx_packet)
- Confine device with IO virtualization HW
Current Linux driver architecture
[Figure: application in user space; network stack, net device interface and Ethernet driver in the kernel; hardware below]
- Kernel runtime (e.g. kmalloc)
- Network driver API (e.g. tx_packet)
Linux user-space driver problem
Kernel RT and driver APIs won't work for untrusted drivers in a different AS (address space)
[Figure: Ethernet driver moved into its own user address space, cut off from the kernel runtime and the net device interface]
SUD's approach
[Figure: Ethernet driver runs in a user process on top of SUD UML; an Ethernet proxy driver sits in the kernel behind the net device interface]
- SUD UML (User-Mode Linux) handles calls to the kernel RT
- Proxy driver and SUD UML allow reuse of existing driver APIs
- Network driver API (kernel core ↔ proxy driver) → SUD RPC API (proxy driver ↔ SUD UML) → Network driver API (SUD UML ↔ unmodified driver)
SUD's results
- Tolerate malicious device drivers
- Proxy drivers small (~500 LOC)
- One proxy driver per device class
- Few kernel modifications (~50 LOC)
- Unmodified drivers (6 test drivers)
- High performance, low overhead
- No need for new OS or language
Security challenge: prevent attacks
Problem: driver must perform privileged operations (memory access, driver API, DMA, interrupts, ...)
- Attacks from driver code:
  - Direct system attacks: memory corruption, ...
  - Driver API attacks: invalid return value, deadlock, ...
- Attacks from device:
  - DMA to DRAM, peer-to-peer attacks, interrupt storms
Practical challenges
- High performance, low overhead
  - Challenge: interact with hardware and kernel at high rate; kernel-user switch expensive
  - E.g. Ethernet driver ~100k times a second
- Reuse existing drivers and kernel
  - Challenge: drivers assume fully-privileged kernel env.
  - Challenge: kernel driver API complex, non-uniform
SUD overview
[Figure: kernel core and proxy driver in the kernel; application in user space; unmodified driver in a separate user process on SUD UML; HW access module in the kernel between the driver and the hardware]
Linux driver APIs
- Linux defines a driver API for each device class
- Driver and kernel functions and variables

Example: wireless driver API
- Proxy drivers and SUD-UML convert the API to RPCs
- configure_filter is called in a non-preemptable context
- wireless_hw is a driver API variable

```c
/* Simplified sketch from the slides, not the actual kernel header */
struct wireless_ops {
    int (*tx)(struct sk_buff *);     /* driver function: transmit a packet */
    int (*configure_filter)(int);    /* called in a non-preemptable context */
    ...
};

struct wireless_hw {                 /* driver API variable */
    int conf;
    int flags;
    ...
};
```
Wireless driver in SUD
- Basic driver API → SUD RPC API → driver API
- Non-preemptable function: implement in proxy
- Driver API variable: shadow variables
Example 1: transmit a packet
[Figure: web browser → wireless core → wireless proxy driver (kernel) → SUD UML → wireless driver (user) → hardware]
1. Socket write from the web browser
2. Wireless core calls wireless_ops.tx on the proxy driver
3. Proxy driver sends a TX packet RPC to SUD UML
4. SUD UML calls wireless_ops.tx on the unmodified driver
5. Driver DMAs the packet to the hardware (DMA TX)
Example 2: non-preemptable callback
Problem: unable to switch to user-space
[Figure: same components as Example 1]
1. Wireless core acquires a spin lock
2. Wireless core calls wireless_ops.configure_filter on the proxy driver
3. Proxy driver would need a Filter RPC to the driver, but cannot switch to user space while the spin lock is held
Solution: implement directly in proxy driver
1. Driver registers its RX packet types with the proxy driver ahead of time
2. Wireless core acquires a spin lock
3. Wireless core calls wireless_ops.configure_filter
4. Proxy driver returns the registered RX packet types without an RPC
Example 3: driver API variables
Problem: user-space can't access API variables
[Figure: wireless_hw lives in the kernel next to the proxy driver; the driver in SUD UML writes to wireless_hw]
Solution: allocate a shadow copy and synchronize before and after RPCs
1. Proxy driver allocates a shadow copy of wireless_hw on the SUD UML side (shadow variable)
2. Before sending an RPC, the proxy synchronizes the kernel's wireless_hw into the shadow copy
3. Send RPC; the driver writes to the shadow wireless_hw
4. After the RPC returns, the proxy reads the updates back from the shadow variable
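The three proxy-driver mechanisms above (an RPC that marshals the call and checks the driver's return value, a non-preemptable callback answered from state the driver registered earlier, and a shadow wireless_hw synchronized before and after each RPC) as an added user-space model; this is not SUD's code. The RPC to SUD UML is simulated by a direct function call, and `sud_rpc`, `proxy_*`, `sud_uml_handle`, the opcodes and the driver's behaviour are all assumed or constructed for the example.

```c
/* Added example (not SUD's code): user-space model of a SUD-style proxy driver.
 * The RPC to SUD UML is simulated by a direct call; sud_rpc, proxy_* and
 * sud_uml_handle are assumed names. wireless_hw follows the slides' sketch. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct wireless_hw { int conf; int flags; };     /* driver API variable */

enum { SUD_OP_TX = 1, SUD_OP_REGISTER_RX = 2 };   /* assumed RPC opcodes */
enum { TX_OK = 0, TX_BUSY = 1 };                  /* return values tx may produce */

/* Message crossing the kernel/user boundary (assumed layout). */
struct sud_rpc {
    int op;
    struct wireless_hw hw;      /* shadow copy of the kernel's wireless_hw */
    uint8_t payload[64];
    size_t len;
    int result;
};

/* ---- user side: the unmodified driver inside SUD UML (simulated) ---- */
static void sud_uml_handle(struct sud_rpc *m)
{
    switch (m->op) {
    case SUD_OP_TX:
        m->hw.flags |= 0x1;     /* the driver only ever sees the shadow copy */
        m->hw.conf  += 1;
        /* Constructed misbehaviour: an out-of-contract return for empty frames. */
        m->result = (m->len > 0) ? TX_OK : 99;
        break;
    case SUD_OP_REGISTER_RX:
        m->result = 0x0f;       /* constructed: RX packet types the driver wants */
        break;
    default:
        m->result = -1;
    }
}

/* ---- kernel side: the proxy driver ---- */
struct proxy {
    struct wireless_hw hw;      /* the real driver API variable, kernel-owned */
    int rx_packet_types;        /* cached for the non-preemptable callback */
    int spinlock_held;          /* 1 while a caller holds a spin lock */
};

/* Synchronize the shadow before the RPC, read updates back after it. */
static int proxy_rpc(struct proxy *p, struct sud_rpc *m)
{
    if (p->spinlock_held)       /* cannot switch to user space here */
        return -1;
    m->hw = p->hw;
    sud_uml_handle(m);
    p->hw = m->hw;
    return m->result;
}

int proxy_tx(struct proxy *p, const uint8_t *pkt, size_t len)
{
    struct sud_rpc m;
    memset(&m, 0, sizeof m);
    m.op = SUD_OP_TX;
    if (len > sizeof m.payload)
        return -1;
    memcpy(m.payload, pkt, len);
    m.len = len;
    int r = proxy_rpc(p, &m);
    /* Driver API attack: invalid return value. Only values the API defines pass. */
    return (r == TX_OK || r == TX_BUSY) ? r : TX_BUSY;
}

/* Driver registers its RX packet types while an RPC is still allowed. */
int proxy_register_rx(struct proxy *p)
{
    struct sud_rpc m;
    memset(&m, 0, sizeof m);
    m.op = SUD_OP_REGISTER_RX;
    int r = proxy_rpc(p, &m);
    p->rx_packet_types = (r < 0) ? 0 : (r & 0xff);
    return p->rx_packet_types;
}

/* Called by the wireless core with a spin lock held: answered from the cache. */
int proxy_configure_filter(struct proxy *p)
{
    p->spinlock_held = 1;
    int types = p->rx_packet_types;
    p->spinlock_held = 0;
    return types;
}

static struct proxy g_proxy;                       /* zero-initialized */
static const uint8_t g_frame[4] = { 1, 2, 3, 4 };  /* constructed packet */

int main(void)
{
    int tx = proxy_tx(&g_proxy, g_frame, sizeof g_frame);
    printf("tx=%d conf=%d flags=%d\n", tx, g_proxy.hw.conf, g_proxy.hw.flags);
    int reg = proxy_register_rx(&g_proxy);
    printf("register=%#x filter=%#x\n", reg, proxy_configure_filter(&g_proxy));
    return 0;
}
```

The point to notice is where the trust boundary sits: the kernel's copy of wireless_hw is only ever updated by the proxy after an RPC returns, the driver's return value is reduced to the set the API defines, and configure_filter never crosses into user space because the proxy already holds what it needs.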
SUD overview (recap)
[Figure: same SUD overview diagram as above]
Attacks from hardware
[Diagram: CPU, DRAM and the PCI bus joined by the memory interconnect]
Driver configures the device to execute attacks
DMA to DRAM
Peer-to-peer messages
Interrupt storms
HW access module prevents attacks
Interposes on driver-device communication
Uses IO virtualization to provide direct device access
IO virtualization hardware
[Diagram: CPU, IOMMU, PCI express switch and DRAM on the memory interconnect; MSI delivered over the APIC interconnect]
Use IOMMU to map DMA buffer pools
Prevents DMA to DRAM attacks
Use PCI ACS to prevent peer-to-peer messaging
Prevents peer-to-peer attacks
Use MSI to mask interrupts
Prevents interrupt storms
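What "use IOMMU to map DMA buffer pools" buys, as an added example (not SUD code). It models a single-level IOMMU translation table for one device: the HW access module maps only the pages of the DMA buffer pool, and any transfer the untrusted driver programs into the device is checked page by page against that table. The page size, the 64-page IO address space, the function names and the sample addresses are all assumptions made for the simulation; PCI ACS and MSI masking are not modelled here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PAGE_SHIFT 12u
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define IOVA_PAGES 64u   /* size of the device's IO address space in pages (assumed) */

enum { IOMMU_READ = 1, IOMMU_WRITE = 2 };

/* One entry of a single-level IOMMU table for one device:
 * IO-virtual page -> physical page frame, plus access permissions. */
struct iommu_pte {
    uint64_t pfn;
    uint8_t  perms;
    bool     present;
};

static struct iommu_pte dev_table[IOVA_PAGES];

/* Trusted side (HW access module): expose one page of the DMA buffer pool
 * to the device. Anything not mapped here does not exist for the device. */
bool iommu_map(uint64_t iova, uint64_t phys, uint8_t perms)
{
    if ((iova & (PAGE_SIZE - 1)) || (phys & (PAGE_SIZE - 1)))
        return false;                       /* must be page aligned */
    uint64_t idx = iova >> PAGE_SHIFT;
    if (idx >= IOVA_PAGES)
        return false;
    dev_table[idx] = (struct iommu_pte){ .pfn = phys >> PAGE_SHIFT,
                                         .perms = perms, .present = true };
    return true;
}

void iommu_unmap(uint64_t iova)
{
    uint64_t idx = iova >> PAGE_SHIFT;
    if (idx < IOVA_PAGES)
        dev_table[idx].present = false;
}

/* Models the IOMMU checking a DMA request that the untrusted driver
 * programmed into the device. Succeeds only if every byte of
 * [iova, iova + len) is mapped with the required permission; otherwise the
 * transfer faults and never reaches DRAM. On success *phys_out holds the
 * physical address of the first byte (pool pages need not be physically
 * contiguous, so a real device translates each page separately). */
bool iommu_translate(uint64_t iova, size_t len, uint8_t need, uint64_t *phys_out)
{
    if (len == 0)
        return false;
    uint64_t last = iova + len - 1;
    if (last < iova)
        return false;                       /* address wrap-around */
    for (uint64_t p = iova >> PAGE_SHIFT; p <= (last >> PAGE_SHIFT); p++) {
        if (p >= IOVA_PAGES || !dev_table[p].present ||
            (dev_table[p].perms & need) != need)
            return false;                   /* unmapped or wrong permission: DMA fault */
    }
    if (phys_out)
        *phys_out = (dev_table[iova >> PAGE_SHIFT].pfn << PAGE_SHIFT) |
                    (iova & (PAGE_SIZE - 1));
    return true;
}

/* Convenience wrapper: physical address of the first byte, or UINT64_MAX on fault. */
uint64_t iommu_phys(uint64_t iova, size_t len, uint8_t need)
{
    uint64_t phys;
    return iommu_translate(iova, len, need, &phys) ? phys : UINT64_MAX;
}
```

The two cases worth noticing are a transfer that starts in a writable pool page and spills into a neighbouring read-only one, and a transfer aimed at an address the module never mapped (which is where kernel memory would sit in the device's view): both fault, regardless of what the driver wrote into the device's DMA descriptors.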
Interrupt handlers in Linux
[Diagram: the MSI enters the kernel IRQ core, which calls the driver directly; user space is not involved]
Driver called with IRQs disabled (non-preemptable)
Kernel calls driver interrupt handler
Driver clears interrupt flag
Interrupt handlers with SUD
[Diagram: the MSI enters the kernel IRQ core, which calls the HW access module; the driver runs in user space under SUD UML]
Kernel calls HW access module interrupt handler
HW access module masks interrupt with MSI
Asynchronous RPC to driver
Driver clears interrupt
HW access module unmasks MSI
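The sequence above, as an added simulation (not SUD code) of why masking the MSI before the asynchronous RPC bounds an interrupt storm. Time is divided into ticks; the device asserts its interrupt on every tick while its condition is pending, and the user-space driver's reply arrives after a configurable number of ticks. The `mask_in_handler` flag switches the masking step on or off, and `driver_latency = -1` models a driver that never replies (the "not responding at all" case). All names, the tick model and the latency values are assumptions; the stock Linux path, where the driver's handler runs synchronously in interrupt context, is not modelled.

```c
#include <stdbool.h>

/* Device state as seen by the simulation. */
struct device {
    bool irq_pending;   /* device has an interrupt condition to report */
    bool msi_masked;    /* per-vector mask bit in the device's MSI capability */
};

struct irq_result {
    unsigned handler_calls;   /* times the kernel entered interrupt context */
    unsigned rpcs;            /* RPCs sent to the user-space driver */
};

/*
 * Run `ticks` time steps. The device raises its MSI on every tick while
 * irq_pending is set and the vector is unmasked (a storm, if nothing stops
 * it). mask_in_handler selects the SUD behaviour: mask the MSI before
 * sending the asynchronous RPC. driver_latency is the number of ticks until
 * the driver's reply arrives (-1: never). driver_clears says whether that
 * reply actually cleared the condition at the device.
 */
struct irq_result simulate_irqs(unsigned ticks, bool mask_in_handler,
                                int driver_latency, bool driver_clears)
{
    struct device dev = { .irq_pending = true, .msi_masked = false };
    struct irq_result r = { 0, 0 };
    int countdown = -1;     /* ticks until the in-flight RPC completes; -1 = none in flight */

    for (unsigned t = 0; t < ticks; t++) {
        if (dev.irq_pending && !dev.msi_masked) {
            /* Kernel IRQ core calls the HW access module's handler. */
            r.handler_calls++;
            if (mask_in_handler)
                dev.msi_masked = true;          /* no further MSIs until unmasked */
            if (countdown < 0) {                /* asynchronous RPC to the driver */
                countdown = driver_latency;
                r.rpcs++;
            }
        }
        if (countdown == 0) {
            /* Driver's reply arrives; HW access module unmasks the MSI. */
            if (driver_clears)
                dev.irq_pending = false;        /* driver cleared the interrupt */
            dev.msi_masked = false;
            countdown = -1;
        } else if (countdown > 0) {
            countdown--;
        }
    }
    return r;
}
```

With masking, a well-behaved driver costs one interrupt per event. A driver that replies but never clears the condition still gets the kernel into interrupt context only once per RPC round trip, so the cost is bounded by the driver's own service rate rather than by how fast the device can fire. A driver that never replies leaves the vector masked: the device becomes unusable to that driver, but the kernel is not flooded. Without the masking step, the kernel takes an interrupt on every tick.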
SUD overview
[Architecture diagram, repeated: application, kernel core and proxy driver in the kernel; the driver in user space under SUD UML; the HW access module in the kernel between driver and hardware]
Prototype of SUD
Supports all Ethernet, wireless, USB, audio drivers
Tested: e1000e, ne2k-pci, iwlagn, snd_hda_intel, ehci_hcd, uhci_hcd, ...

| Trusted code | Lines of code |
| --- | --- |
| PCI access module | 2,800 |
| Ethernet proxy driver | 300 |
| Wireless proxy driver | 600 |
| Audio proxy driver | 550 |

| Untrusted code | Lines of code |
| --- | --- |
| User-mode runtime | 5,000 |
| Drivers | 5,000 – 50,000 (each) |

Performance
For most devices, driver performance does not matter
Printers, cameras, …
Stress-test: e1000e gigabit network card
Requires high throughput
Requires low latency
Many device driver interactions
Test machine: 1.4 GHz dual-core ThinkPad
Performance questions?
What performance does SUD get?
Network throughput, latency
How much does it cost?
CPU cycles
SUD achieves same device performance
[Bar chart: throughput relative to Linux, normalized to 1, for TCP, UDP TX, UDP RX and UDP latency; Linux and SUD bars side by side]
Normalized throughput relative to Linux
TCP: streaming (950 Mbps in both cases)
UDP: one-byte-data packets
CPU cost is low
[Bar chart: CPU utilization from 0 to 1 for TCP, UDP TX, UDP RX and UDP latency; Linux and SUD bars side by side]
SUD overhead: user-kernel switch, TLB misses
Overheads not significant for many workloads (packets larger than min. packet size)
Future directions
Explore hierarchical untrusted device drivers
PCI bus → SATA controller → SATA disk → …
Explore giving apps direct hardware access
Safe HW access for network analyzer, X server, …
Performance analysis and optimizations
SUD specific device drivers, super pages, ...
Related work
Microkernels (Minix, L4, ...)
Simple drivers, driver API designed for user-space
Nooks, microdrivers
Handle common bugs, many changes to kernel
Languages (e.g. Termite), source code analysis
Complementary to user-space drivers
No need for new OS or language
Summary
Driver bugs lead to system crashes or exploits
SUD protects Linux from malicious drivers using proxy drivers and IO virtualization HW
Runs unmodified Linux device drivers
High performance, low overheads
Few modifications to Linux kernel
Security evaluation
Manually constructed potential attacks
Memory corruption, arbitrary upcall responses,not responding at all, arbitrary DMA, ...
Relied on security heavily during development
SUD caught all bugs in user-mode driver framework
No crashes / reboots required to develop drivers
Ideal, but not done: red-team evaluation?