Fast byte-granularity software fault isolation

Bugs in kernel extensions remain one of the main causes of poor operating system reliability despite proposed techniques that isolate extensions in separate protection domains to contain faults. We believe that previous fault isolation techniques are not widely used because they cannot isolate existing kernel extensions with low overhead on standard hardware. This is a hard problem because these extensions communicate with the kernel using a complex interface and they communicate frequently. We present BGI (Byte-Granularity Isolation), a new software fault isolation technique that addresses this problem. BGI uses efficient byte-granularity memory protection to isolate kernel extensions in separate protection domains that share the same address space. BGI ensures type safety for kernel objects and it can detect common types of errors inside domains. Our results show that BGI is practical: it can isolate Windows drivers without requiring changes to the source code and it introduces a CPU overhead between 0 and 16%. BGI can also find bugs during driver testing. We found 28 new bugs in widely used Windows drivers.
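The byte-granularity protection the abstract describes, modelled as an added example (not code from the BGI paper or from any Windows driver): one shared address space, a table recording which domain may currently write each byte, and the check that isolation inserts before a driver's stores. The sizes, domain numbers, per-byte table encoding and the constructed scenario are assumptions of this model, not BGI's actual rights-table format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MEM_SIZE 64          /* constructed: a tiny shared address space */
#define DOM_KERNEL 0         /* the trusted kernel, whose own stores are not checked */
#define DOM_DRIVER 1         /* an isolated extension domain */

/* One byte of memory and one rights entry per byte: the domain that may
   currently write that byte. This one-entry-per-byte table is a simplified
   model (assumption); BGI's real encoding is more compact. */
static uint8_t memory[MEM_SIZE];
static uint8_t writer[MEM_SIZE];

/* Reset the address space: the kernel owns every byte. */
void reset_space(void) {
    memset(memory, 0, sizeof memory);
    memset(writer, DOM_KERNEL, sizeof writer);
}

/* The kernel grants write rights on a byte range when it hands a buffer to a
   driver, and takes them back (dom = DOM_KERNEL) when the driver frees it. */
int set_writer(size_t start, size_t len, int dom) {
    if (len > MEM_SIZE || start > MEM_SIZE - len) return 0;
    memset(writer + start, (uint8_t)dom, len);
    return 1;
}

/* The check inserted before every store in extension code: the store happens
   only if the domain holds write rights on every byte it touches, so an
   overflow into a neighbouring kernel object is refused as a whole. */
int checked_store(int dom, size_t addr, const void *src, size_t len) {
    if (len > MEM_SIZE || addr > MEM_SIZE - len) return 0;   /* outside the space */
    for (size_t i = 0; i < len; i++)
        if (writer[addr + i] != dom) return 0;                /* rights violation */
    memcpy(memory + addr, src, len);
    return 1;
}

/* Constructed scenario: a 16-byte driver buffer at offset 16 sits next to a
   kernel object at offset 32. Returns a bitmask of which driver stores passed. */
int driver_scenario(void) {
    uint8_t payload[20];
    int mask = 0;
    memset(payload, 0xAA, sizeof payload);
    reset_space();
    set_writer(16, 16, DOM_DRIVER);                              /* buffer handed to driver */
    if (checked_store(DOM_DRIVER, 16, payload, 16)) mask |= 1;  /* in bounds: allowed */
    if (checked_store(DOM_DRIVER, 16, payload, 20)) mask |= 2;  /* overflow into kernel object */
    if (checked_store(DOM_DRIVER, 40, payload, 4))  mask |= 4;  /* stray write to kernel memory */
    set_writer(16, 16, DOM_KERNEL);                              /* driver frees: rights revoked */
    if (checked_store(DOM_DRIVER, 16, payload, 4))  mask |= 8;  /* use after free */
    return mask;                                                 /* 1: only the in-bounds store */
}
```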