Tolerating Malicious Device Drivers in Linux

This paper presents SUD, a system for running existing Linux device drivers as untrusted user-space processes. Even if the device driver is controlled by a malicious adversary, it cannot compromise the rest of the system. One significant challenge of fully isolating a driver is to confine the actions of its hardware device. SUD relies on IOMMU hardware, PCI Express bridges, and message-signaled interrupts to confine hardware devices. SUD runs unmodified Linux device drivers by emulating a Linux kernel environment in user-space. A prototype of SUD runs drivers for Gigabit Ethernet, 802.11 wireless, sound cards, USB host controllers, and USB devices, and it is easy to add a new device class. SUD achieves the same performance as an in-kernel driver on networking benchmarks, and can saturate a Gigabit Ethernet link. SUD incurs a CPU overhead comparable to existing runtime driver isolation techniques, while providing much stronger isolation guarantees for untrusted drivers. Finally, SUD requires minimal changes to the kernel (just two kernel modules comprising 4,000 lines of code), which may at last allow the adoption of these ideas in practice.
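As an added illustration (not code from the SUD paper or its prototype), the following Python model shows the confinement property the abstract attributes to the IOMMU: only the trusted kernel maintains a per-device translation domain, so a device programmed by a malicious user-space driver can reach just the host pages the kernel granted it, with the permissions it granted. The domain names, addresses, page layout and DMA helpers are all constructed for the example; real IOMMUs additionally cache translations and report faults asynchronously, which this model omits.

```python
"""Toy model of IOMMU-based DMA confinement for an untrusted driver.

Constructed example. The trusted kernel owns the per-device translation
tables (domains). An untrusted driver only sees I/O virtual addresses (iovas);
whatever it programs into the device, each DMA request is translated and
permission-checked by the IOMMU before it touches host memory.
"""
from dataclasses import dataclass, field

PAGE = 4096


class IommuFault(Exception):
    """Raised when a device access has no valid translation."""


@dataclass
class Mapping:
    iova: int        # device-visible address, page aligned
    paddr: int       # host physical address, page aligned
    writable: bool


@dataclass
class IommuDomain:
    """Per-device translation table; only the trusted kernel edits it."""
    name: str
    pages: dict = field(default_factory=dict)   # iova page -> Mapping

    def map(self, iova, paddr, writable):
        if iova % PAGE or paddr % PAGE:
            raise ValueError("mappings are page granular")
        self.pages[iova] = Mapping(iova, paddr, writable)

    def unmap(self, iova):
        self.pages.pop(iova, None)

    def translate(self, iova, write):
        base = iova - (iova % PAGE)
        m = self.pages.get(base)
        if m is None:
            raise IommuFault(f"{self.name}: no mapping for iova {iova:#x}")
        if write and not m.writable:
            raise IommuFault(f"{self.name}: write to read-only iova {iova:#x}")
        return m.paddr + (iova - base)


class HostMemory:
    def __init__(self, size):
        self.mem = bytearray(size)


def dma_write(domain, memory, iova, data):
    """Device writes `data` at iova; every page crossed is checked separately."""
    off = 0
    while off < len(data):
        cur = iova + off
        chunk = min(len(data) - off, PAGE - (cur % PAGE))
        paddr = domain.translate(cur, write=True)
        memory.mem[paddr:paddr + chunk] = data[off:off + chunk]
        off += chunk


def dma_read(domain, memory, iova, length):
    """Device reads `length` bytes starting at iova through the IOMMU."""
    out = bytearray()
    off = 0
    while off < length:
        cur = iova + off
        chunk = min(length - off, PAGE - (cur % PAGE))
        paddr = domain.translate(cur, write=False)
        out += memory.mem[paddr:paddr + chunk]
        off += chunk
    return bytes(out)


def _faults(fn):
    try:
        fn()
    except IommuFault:
        return True
    return False


# Constructed host layout: a sensitive region that is never mapped, a
# two-page receive buffer granted to the NIC, and a read-only descriptor ring.
KERNEL_TEXT = 0x100000
RX_BUF = 0x200000
DESC_RING = 0x300000


def scenario():
    mem = HostMemory(0x400000)
    mem.mem[KERNEL_TEXT:KERNEL_TEXT + 4] = b"KERN"
    mem.mem[DESC_RING:DESC_RING + 4] = b"DESC"
    nic = IommuDomain("nic")
    nic.map(0x10000, RX_BUF, writable=True)          # kernel grants rx pages
    nic.map(0x11000, RX_BUF + PAGE, writable=True)
    nic.map(0x20000, DESC_RING, writable=False)      # descriptors: read-only
    snd = IommuDomain("sound")                       # unrelated device
    r = {}
    # legitimate receive DMA, deliberately spanning the two granted pages
    dma_write(nic, mem, 0x10000 + PAGE - 2, b"PKT!")
    r["rx_ok"] = bytes(mem.mem[RX_BUF + PAGE - 2:RX_BUF + PAGE + 2]) == b"PKT!"
    r["desc_read"] = dma_read(nic, mem, 0x20000, 4) == b"DESC"
    # a compromised driver aims the device at an address it was never granted
    r["stray_write_blocked"] = _faults(lambda: dma_write(nic, mem, KERNEL_TEXT, b"EVIL"))
    r["kernel_intact"] = bytes(mem.mem[KERNEL_TEXT:KERNEL_TEXT + 4]) == b"KERN"
    r["ro_write_blocked"] = _faults(lambda: dma_write(nic, mem, 0x20000, b"xxxx"))
    # another device's domain does not share the NIC's translations
    r["cross_domain_blocked"] = _faults(lambda: dma_read(snd, mem, 0x10000, 4))
    # once the kernel revokes the grant, the old iova faults too
    nic.unmap(0x10000)
    nic.unmap(0x11000)
    r["revoked_blocked"] = _faults(lambda: dma_read(nic, mem, 0x10000, 4))
    return r


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {'ok' if v else 'FAIL'}")
```

The point of the model is that the driver never handles host physical addresses: the kernel installs and revokes mappings, and every transfer the device attempts is checked page by page, so a buffer overrun, a forged descriptor address or a stale buffer pointer becomes an IOMMU fault rather than a write into memory the driver was never trusted with.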
