Device Driver Safety Through a Reference Validation Mechanism

Device drivers typically execute in supervisor mode and thus must be fully trusted. This paper describes how to move them out of the trusted computing base, by running them without supervisor privileges and constraining their interactions with hardware devices. An implementation of this approach in the Nexus operating system executes drivers in user space, leveraging hardware isolation and checking their behavior against a safety specification. These Nexus drivers have performance comparable to in-kernel, trusted drivers, with a level of CPU overhead acceptable for most applications. For example, the monitored driver for an Intel e1000 Ethernet card has throughput comparable to a trusted driver for the same hardware under Linux, and a monitored driver for the Intel i810 sound card provides continuous playback. Drivers for a disk and a USB mouse have also been moved successfully to operate in user space with safety specifications.
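An illustration of the kind of checking such a reference validation mechanism performs, added here as an example and not taken from Nexus or the paper: a user-space driver's register accesses pass through a monitor that refuses any access the safety specification does not permit, including pointing a DMA descriptor ring outside the driver's own memory. The register offsets, the ownership region and the rule table are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical register offsets for an illustrative NIC (constructed; not the e1000 layout). */
#define REG_CTRL    0x0000
#define REG_TX_BASE 0x0100  /* physical base of the transmit descriptor ring (a DMA target) */
#define REG_TX_LEN  0x0108  /* length of that ring in bytes */

enum access_kind { ACC_READ, ACC_WRITE };

/* One entry of the safety specification: an offset the driver may touch, and which bits it may write. */
struct reg_rule { uint32_t offset; int allow_write; uint32_t write_mask; };

static const struct reg_rule spec[] = {
    { REG_CTRL,    1, 0x0000000F },   /* only the low control bits are driver-settable */
    { REG_TX_BASE, 1, 0xFFFFFFFF },
    { REG_TX_LEN,  1, 0x0000FFFF },
};

/* Monitor state: the physical memory the driver owns, plus the last accepted ring base. */
struct monitor { uint32_t owned_base, owned_len; uint32_t tx_base; int has_tx_base; };

/* Returns 0 if the access is permitted by the specification, -1 if it must be refused. */
int monitor_check(struct monitor *m, uint32_t offset, enum access_kind kind, uint32_t value)
{
    const struct reg_rule *rule = NULL;
    for (size_t i = 0; i < sizeof spec / sizeof spec[0]; i++)
        if (spec[i].offset == offset) { rule = &spec[i]; break; }
    if (!rule) return -1;                          /* register not in the spec: refuse */
    if (kind == ACC_READ) return 0;                /* reads of listed registers are always allowed */
    if (!rule->allow_write || (value & ~rule->write_mask)) return -1;
    uint64_t owned_end = (uint64_t)m->owned_base + m->owned_len;
    if (offset == REG_TX_BASE) {                   /* DMA target must lie in driver-owned memory */
        if (value < m->owned_base || value >= owned_end) return -1;
        m->tx_base = value; m->has_tx_base = 1;
    } else if (offset == REG_TX_LEN) {             /* the whole ring must stay inside that memory */
        if (!m->has_tx_base || (uint64_t)m->tx_base + value > owned_end) return -1;
    }
    return 0;
}

int main(void)
{
    struct monitor m = { 0x10000000, 0x1000, 0, 0 };   /* driver owns 4 KiB at 0x10000000 (constructed) */
    printf("ring base outside owned memory: %d\n", monitor_check(&m, REG_TX_BASE, ACC_WRITE, 0x20000000));
    printf("ring base inside owned memory:  %d\n", monitor_check(&m, REG_TX_BASE, ACC_WRITE, 0x10000800));
    printf("ring length overrunning region: %d\n", monitor_check(&m, REG_TX_LEN, ACC_WRITE, 0x801));
    return 0;
}
```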
