Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
XXX
Tolerating Malicious Driversin Linux
Silas Boyd-Wickizer and Nickolai Zeldovich
How could a device driver be malicious?
Today's device drivers are highly privilegedWrite kernel memory, allocate memory, ...
Drivers are complex; developers write buggy code
Result: Attackers exploit vulnerabilities
How could a device driver be malicious?
Today's device drivers are highly privilegedWrite kernel memory, allocate memory, ...
Drivers are complex; developers write buggy code
Result: Attackers exploit vulnerabilities
How could a device driver be malicious?
Today's device drivers are highly privilegedWrite kernel memory, allocate memory, ...
Drivers are complex; developers write buggy code
Result: Attackers exploit vulnerabilities
Current approach
User-space drivers in μkernels (Minix, L4, ...)
Write device driver in new language (Termite)
Handle common faults (Nooks, microdrivers, ...)
Secure, efficient, & unmodified drivers on Linux
Goal
Previous user-space drivers
Kernel
User
Kernel core
Networkstack
Hardware
Ethernetdriver
User User
Application
μkernel
Previous user-space drivers
Kernel
User
Kernel core
Networkstack
Hardware
Ethernetdriver
User User
Application
μkernelConfine driver in a process
Previous user-space drivers
Kernel
User
Kernel core
Networkstack
Hardware
Ethernetdriver
User User
Application
μkernelConfine driver in a process
General purpose syscall API to
configure device
Previous user-space drivers
Kernel
User
Kernel core
Networkstack
Hardware
Ethernetdriver
User User
Application
μkernelConfine driver in a process
General purpose syscall API to
configure device
Confine device with IO virtualization HW.
Previous user-space drivers
Kernel
User
Kernel core
Networkstack
Hardware
Ethernetdriver
User User
Application
μkernelConfine driver in a process
General purpose syscall API to
configure device
IPC network driver APIE.g. tx_packet
Confine device with IO virtualization HW.
Current Linux driver architecture
Kernel
User
Ethernetdriver
Networkstack
Application
Hardware
netdeviceKernel RT
Current Linux driver architecture
Kernel
User
Ethernetdriver
Networkstack
Application
Hardware
netdeviceKernel RT
Kernel runtime (e.g. kmalloc)
Current Linux driver architecture
Kernel
User
Ethernetdriver
Networkstack
Application
Hardware
netdeviceKernel RT
Kernel runtime (e.g. kmalloc)
Network driver API (e.g. tx_packet)
Linux user-space driver problem
Kernel RT and driver APIs won't work for untrusted drivers in a different AS
Kernel
UserEthernetdriver
Networkstack
Application
Hardware
netdevice
User
Kernel RT
SUD's approach
Kernel
UserEthernetdriver
Networkstack
Application
Hardware
netdevice
User
Kernel RT
SUD's approach
SUD UML handles calls to kernel RT
Kernel
UserEthernetdriver
Networkstack
Application
Hardware
netdevice
User
Kernel RT
SUD UML
SUD's approach
SUD UML handles calls to kernel RT
Proxy driver and SUD UML allow reuse of existing driver APIs
Kernel
UserEthernetdriver
Networkstack
Application
Hardware
netdevice
User
Kernel RT
SUD UML
Ethernetproxy driver
SUD's approach
SUD UML handles calls to kernel RT
Proxy driver and SUD UML allow reuse of existing driver APIs
Kernel
UserEthernetdriver
Networkstack
Application
Hardware
netdevice
User
Kernel RT
SUD UML
Ethernetproxy driver
Network driver API
SUD's approach
SUD UML handles calls to kernel RT
Proxy driver and SUD UML allow reuse of existing driver APIs
Kernel
UserEthernetdriver
Networkstack
Application
Hardware
netdevice
User
Kernel RT
SUD UML
Ethernetproxy driver
Network driver APISUD RPC
API
SUD's approach
SUD UML handles calls to kernel RT
Proxy driver and SUD UML allow reuse of existing driver APIs
Kernel
UserEthernetdriver
Networkstack
Application
Hardware
netdevice
User
Kernel RT
SUD UML
Ethernetproxy driver
Network driver APISUD RPC
API
Network driver API
SUD's results
Tolerate malicious device drivers
Proxy drivers small (~500 LOC)
One proxy driver per device class
Few kernel modifications (~50 LOC)
Unmodified drivers (6 test drivers)
High performance, low overhead
No need for new OS or language
Security challenge: prevent attacks
Problem: driver must perform privileged operationsMemory access, driver API, DMA, interrupts, …
Attacks from driver code:Direct system attacks: memory corruption, ...
Driver API attacks: invalid return value, deadlock, ...
Attacks from device:DMA to DRAM, peer-to-peer attacks, interrupt storms
Practical challenges
High performance, low overheadChallenge: interact with hardware and kernel at high
rate, kernel-user switch expensive
E.g. Ethernet driver ~100k times a second
Reuse existing drivers and kernelChallenge: drivers assume fully-privileged kernel env.
Challenge: kernel driver API complex, non-uniform
SUD overview
Kernel
User
Proxy driver Kernel core
Application
Hardware
Driver
User
SUD UML
HW accessmodule
SUD overview
Kernel
User
Proxy driver Kernel core
Application
Hardware
Driver
User
SUD UML
HW accessmodule
Linux driver APIs
Linux defines a driver API for each device classDriver and kernel functions and variables
Example: wireless driver API
Linux defines a driver API for each device classDriver and kernel functions and variables
struct wireless_ops {
int (*tx)(struct sk_buff*);
int (*configure_filter)(int);
...
};
struct wireless_hw {
int conf;
int flags
....
};
Example: wireless driver API
Linux defines a driver API for each device classDriver and kernel functions and variables
Proxy drivers and SUD-UML convert API to RPCs
struct wireless_ops {
int (*tx)(struct sk_buff*);
int (*configure_filter)(int);
...
};
struct wireless_hw {
int conf;
int flags
....
};
Example: wireless driver API
Linux defines a driver API for each device classDriver and kernel functions and variables
Proxy drivers and SUD-UML convert API to RPCs
struct wireless_ops {
int (*tx)(struct sk_buff*);
int (*configure_filter)(int);
...
};
struct wireless_hw {
int conf;
int flags
....
};
Example: wireless driver API
Linux defines a driver API for each device classDriver and kernel functions and variables
Proxy drivers and SUD-UML convert API to RPCs
struct wireless_ops {
int (*tx)(struct sk_buff*);
int (*configure_filter)(int);
...
};
struct wireless_hw {
int conf;
int flags
....
};
Called in a non-preemptable context
Example: wireless driver API
Linux defines a driver API for each device classDriver and kernel functions and variables
Proxy drivers and SUD-UML convert API to RPCs
struct wireless_ops {
int (*tx)(struct sk_buff*);
int (*configure_filter)(int);
...
};
struct wireless_hw {
int conf;
int flags
....
};
Called in a non-preemptable context
Driver API variable
Wireless driver in SUD
Basic driver API → SUD RPC API→ driver API
Non-preemptable function: implement in proxy
Driver API variable: shadow variables
Example 1: transmit a packet
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
Example 1: transmit a packet
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
Socket write
Example 1: transmit a packet
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UMLwireless_ops.tx
Example 1: transmit a packet
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
TX packet RPC
Example 1: transmit a packet
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_ops.tx
Example 1: transmit a packet
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
DMA TX
Example 2: non-preemptable callback
Problem: unable to switch to user-space
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
Problem: unable to switch to user-space
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML Acquires a spin lock
Example 2: non-preemptable callback
Problem: unable to switch to user-space
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UMLwireless_ops.configure_filter
Example 2: non-preemptable callback
Problem: unable to switch to user-space
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
Filter RPC
Example 2: non-preemptable callback
Problem: unable to switch to user-space
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
Example 2: non-preemptable callback
Problem: unable to switch to user-space
Solution: implement directly in proxy driver
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
Example 2: non-preemptable callback
Problem: unable to switch to user-space
Solution: implement directly in proxy driver
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
Register RX packet types
Example 2: non-preemptable callback
Problem: unable to switch to user-space
Solution: implement directly in proxy driver
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
Example 2: non-preemptable callback
Acquires a spin lock
Problem: unable to switch to user-space
Solution: implement directly in proxy driver
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
Example 2: non-preemptable callback
wireless_ops.configure_filter
Problem: unable to switch to user-space
Solution: implement directly in proxy driver
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
Example 2: non-preemptable callback
Return RX packet types
Example 3: driver API variables
Problem: user-space can't access API variables
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
Problem: user-space can't access API variables
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
Driver API variable
Example 3: driver API variables
Problem: user-space can't access API variables
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
Writes to wireless_hw
Example 3: driver API variables
Problem: user-space can't access API variables
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
Example 3: driver API variables
Problem: user-space can't access API variables
Solution: allocate a shadow copy and synchronize before and after RPCs
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
Example 3: driver API variables
Problem: user-space can't access API variables
Solution: allocate a shadow copy and synchronize before and after RPCs
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
wireless_hw
Shadow variable
Example 3: driver API variables
Problem: user-space can't access API variables
Solution: allocate a shadow copy and synchronize before and after RPCs
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
wireless_hw Writes to wireless_hw
Example 3: driver API variables
Problem: user-space can't access API variables
Solution: allocate a shadow copy and synchronize before and after RPCs
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
wireless_hw
Synchronize before sending RPC
Example 3: driver API variables
Problem: user-space can't access API variables
Solution: allocate a shadow copy and synchronize before and after RPCs
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
wireless_hw
Send RPC
Example 3: driver API variables
Problem: user-space can't access API variables
Solution: allocate a shadow copy and synchronize before and after RPCs
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
wireless_hw
Reads updates from shadow variable
Example 3: driver API variables
SUD overview
Kernel
User
Proxy driver Kernel core
Application
Hardware
Driver
User
SUD UML
HW accessmodule
SUD overview
Kernel
User
Proxy driver Kernel core
Application
Hardware
Driver
User
SUD UML
HW accessmodule
Attacks from hardware
CPU
PCI bus
DRAM
Memory interconnect
Attacks from hardware
CPU
PCI bus
DRAM
Memory interconnect
Driver configures the device to execute attacks
Attacks from hardware
CPU
PCI bus
DRAM
Memory interconnect
Driver configures the device to execute attacksDMA to DRAM
Attacks from hardware
CPU
PCI bus
DRAM
Memory interconnect
Driver configures the device to execute attacksDMA to DRAM
Peer-to-peer messages
Attacks from hardware
CPU
PCI bus
DRAM
Memory interconnect
Driver configures the device to execute attacksDMA to DRAM
Peer-to-peer messages
Interrupt storms
Attacks from hardware
Driver configures the device to execute attacksDMA to DRAM
Peer-to-peer messages
Interrupt storms
HW access module prevents attacksInterposes on driver-device communication
Uses IO virtualization to provide direct device access
IO virtualization hardware
CPU MSI
IOMMU PCI expressswitch
DRAM
Memory interconnect
APIC interconnect
IO virtualization hardware
CPU MSI
IOMMU PCI expressswitch
DRAM
Memory interconnect
APIC interconnect
Use IOMMU to map DMA buffer poolsPrevents DMA to DRAM attacks
IO virtualization hardware
CPU MSI
IOMMU PCI expressswitch
DRAM
Memory interconnect
APIC interconnect
Use PCI ACS to prevent peer-to-peer messagingPrevents peer-to-peer attacks
IO virtualization hardware
CPU MSI
IOMMU PCI expressswitch
DRAM
Memory interconnect
APIC interconnect
Use MSI to mask interruptsPrevents interrupt storms
Interrupt handlers in Linux
Kernel
Driver IRQ core
UserMSI
Interrupt handlers in Linux
Kernel
Driver IRQ core
UserMSI
Interrupt handlers in Linux
Driver called with IRQs disabled (non-preemptable)
Kernel
Driver IRQ core
UserMSI
Interrupt handlers in Linux
Kernel calls driver interrupt handler
Driver clears interrupt flag
Kernel
Driver IRQ core
UserMSI
Interrupt handlers with SUD
Kernel
HW accessmodule IRQ core
UserMSI
Driver
SUD UML
Interrupt handlers with SUD
Kernel calls HW access module interrupt handler
HW access module masks interrupt with MSI
Kernel
HW accessmodule IRQ core
UserMSI
Driver
SUD UML
Interrupt handlers with SUD
Kernel calls HW access module interrupt handler
HW access module masks interrupt with MSI
Kernel
HW accessmodule IRQ core
UserMSI
Driver
SUD UML
Interrupt handlers with SUD
Kernel calls HW access module interrupt handler
HW access module masks interrupt with MSI
Asynchronous RPC to driver
Kernel
HW accessmodule IRQ core
UserMSI
Driver
SUD UML
Interrupt handlers with SUD
Kernel calls HW access module interrupt handler
HW access module masks interrupt with MSI
Asynchronous RPC to driver
Driver clears interrupt
Kernel
HW accessmodule IRQ core
UserMSI
Driver
SUD UML
Interrupt handlers with SUD
HW access module masks interrupt with MSI
Asynchronous RPC to driver
Driver clears interrupt
HW access module unmasks MSI
Kernel
HW accessmodule IRQ core
UserMSI
Driver
SUD UML
SUD overview
Kernel
User
Proxy driver Kernel core
Application
Hardware
Driver
User
SUD UML
HW accessmodule
Prototype of SUD
Supports all Ethernet, wireless, USB, audio drivers
Tested: e1000e, ne2k-pci, iwlagn, snd_hda_intel, ehci_hcd, uhci_hcd, ...
Trusted code Lines of codePCI access module 2800Ethernet proxy driver 300Wireless proxy driver 600Audio proxy driver 550
Untrusted code Lines of codeUser-mode runtime 5000Drivers 5000 – 50,000 (each)
Trusted code Lines of codePCI access module 2800Ethernet proxy driver 300Wireless proxy driver 600Audio proxy driver 550
Untrusted code Lines of codeUser-mode runtime 5000Drivers 5000 – 50,000 (each)
Prototype of SUD
Supports all Ethernet, wireless, USB, audio drivers
Tested: e1000e, ne2k-pci, iwlagn, snd_hda_intel, ehci_hcd, uhci_hcd, ...
Trusted code Lines of codePCI access module 2800Ethernet proxy driver 300Wireless proxy driver 600Audio proxy driver 550
Untrusted code Lines of codeUser-mode runtime 5000Drivers 5000 – 50,000 (each)
Prototype of SUD
Supports all Ethernet, wireless, USB, audio drivers
Tested: e1000e, ne2k-pci, iwlagn, snd_hda_intel, ehci_hcd, uhci_hcd, ...
Performance
For most devices, does not matterPrinters, cameras, …
Stress-test: e1000e gigabit network cardRequires high throughput
Requires low latency
Many device driver interactions
Test machine: 1.4GHz dual core Thinkpad
Performance questions?
What performance does SUD get?Network throughput, latency
How much does it cost?CPU cycles
SUD achieves same device performance
TCP UDP TX UDP RX UDP latency0
0.2
0.4
0.6
0.8
1
LinuxSud
Normalized throughput relative to Linux
TCP: streaming (950 Mbps in both cases)
UDP: one-byte-data packets
Thr
ough
put r
elat
ive
to L
inux
CPU cost is low
TCP UDP TX UDP RX UDP latency0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
LinuxSud
SUD overhead: user-kernel switch, TLB misses
Overheads not significant for many workloads(packets larger than min. packet size)
CP
U u
tiliz
atio
n
Future directions
Explore hierarchical untrusted device driversPCI bus → SATA controller → SATA disk → …
Explore giving apps direct hardware accessSafe HW access for network analyzer, X server, …
Performance analysis and optimizationsSUD specific device drivers, super pages, ...
Related work
Mircokernels (Minix, L4, ...)Simple drivers, driver API designed for user-space
Nooks, microdriversHandles common bugs, many changes to kernel
Languages (e.g. Termite), source code analysisComplimentary to user-space drivers
No need for new OS or language
Summary
Driver bugs lead to system crashes or exploits
SUD protects Linux from malicious drivers using proxy drivers and IO virtualization HWRuns unmodified Linux device drivers
High performance, low overheads
Few modifications to Linux kernel
Security evaluation
Manually constructed potential attacksMemory corruption, arbitrary upcall responses,
not responding at all, arbitrary DMA, ...
Relied on security heavily during developmentSUD caught all bugs in user-mode driver framework
No crashes / reboots required to develop drivers
Ideal, but not done: red-team evaluation?
Slide 1Slide 2Slide 3Slide 4Slide 5Slide 6Slide 7Slide 8Slide 9Slide 10Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Slide 17Slide 18Slide 19Slide 20Slide 21Slide 22Slide 23Slide 24Slide 25Slide 26Slide 27Slide 28Slide 29Slide 30Slide 31Slide 32Slide 33Slide 34Slide 35Slide 36Slide 37Slide 38Slide 39Slide 40Slide 41Slide 42Slide 43Slide 44Slide 45Slide 46Slide 47Slide 48Slide 49Slide 50Slide 51Slide 52Slide 53Slide 54Slide 55Slide 56Slide 57Slide 58Slide 59Slide 60Slide 61Slide 62Slide 63Slide 64Slide 65Slide 66Slide 67Slide 68Slide 69Slide 70Slide 71Slide 72Slide 73Slide 74Slide 75Slide 76Slide 77Slide 78Slide 79Slide 80Slide 81Slide 82Slide 83Slide 84Slide 85Slide 86Slide 87Slide 88Slide 89Slide 90Slide 91Slide 92Slide 93Slide 94Slide 95