-
XXX
-
Tolerating Malicious Driversin Linux
Silas Boyd-Wickizer and Nickolai Zeldovich
-
How could a device driver be malicious?
Today's device drivers are highly privilegedWrite kernel memory,
allocate memory, ...
Drivers are complex; developers write buggy code
Result: Attackers exploit vulnerabilities
-
How could a device driver be malicious?
Today's device drivers are highly privilegedWrite kernel memory,
allocate memory, ...
Drivers are complex; developers write buggy code
Result: Attackers exploit vulnerabilities
-
How could a device driver be malicious?
Today's device drivers are highly privilegedWrite kernel memory,
allocate memory, ...
Drivers are complex; developers write buggy code
Result: Attackers exploit vulnerabilities
-
Current approach
User-space drivers in μkernels (Minix, L4, ...)
Write device driver in new language (Termite)
Handle common faults (Nooks, microdrivers, ...)
-
Secure, efficient, & unmodified drivers on Linux
Goal
-
Previous user-space drivers
Kernel
User
Kernel core
Networkstack
Hardware
Ethernetdriver
User User
Application
μkernel
-
Previous user-space drivers
Kernel
User
Kernel core
Networkstack
Hardware
Ethernetdriver
User User
Application
μkernelConfine driver in a process
-
Previous user-space drivers
Kernel
User
Kernel core
Networkstack
Hardware
Ethernetdriver
User User
Application
μkernelConfine driver in a process
General purpose syscall API to
configure device
-
Previous user-space drivers
Kernel
User
Kernel core
Networkstack
Hardware
Ethernetdriver
User User
Application
μkernelConfine driver in a process
General purpose syscall API to
configure device
Confine device with IO virtualization HW.
-
Previous user-space drivers
Kernel
User
Kernel core
Networkstack
Hardware
Ethernetdriver
User User
Application
μkernelConfine driver in a process
General purpose syscall API to
configure device
IPC network driver APIE.g. tx_packet
Confine device with IO virtualization HW.
-
Current Linux driver architecture
Kernel
User
Ethernetdriver
Networkstack
Application
Hardware
netdeviceKernel RT
-
Current Linux driver architecture
Kernel
User
Ethernetdriver
Networkstack
Application
Hardware
netdeviceKernel RT
Kernel runtime (e.g. kmalloc)
-
Current Linux driver architecture
Kernel
User
Ethernetdriver
Networkstack
Application
Hardware
netdeviceKernel RT
Kernel runtime (e.g. kmalloc)
Network driver API (e.g. tx_packet)
-
Linux user-space driver problem
Kernel RT and driver APIs won't work for untrusted drivers in a
different AS
Kernel
UserEthernetdriver
Networkstack
Application
Hardware
netdevice
User
Kernel RT
-
SUD's approach
Kernel
UserEthernetdriver
Networkstack
Application
Hardware
netdevice
User
Kernel RT
-
SUD's approach
SUD UML handles calls to kernel RT
Kernel
UserEthernetdriver
Networkstack
Application
Hardware
netdevice
User
Kernel RT
SUD UML
-
SUD's approach
SUD UML handles calls to kernel RT
Proxy driver and SUD UML allow reuse of existing driver APIs
Kernel
UserEthernetdriver
Networkstack
Application
Hardware
netdevice
User
Kernel RT
SUD UML
Ethernetproxy driver
-
SUD's approach
SUD UML handles calls to kernel RT
Proxy driver and SUD UML allow reuse of existing driver APIs
Kernel
UserEthernetdriver
Networkstack
Application
Hardware
netdevice
User
Kernel RT
SUD UML
Ethernetproxy driver
Network driver API
-
SUD's approach
SUD UML handles calls to kernel RT
Proxy driver and SUD UML allow reuse of existing driver APIs
Kernel
UserEthernetdriver
Networkstack
Application
Hardware
netdevice
User
Kernel RT
SUD UML
Ethernetproxy driver
Network driver APISUD RPC
API
-
SUD's approach
SUD UML handles calls to kernel RT
Proxy driver and SUD UML allow reuse of existing driver APIs
Kernel
UserEthernetdriver
Networkstack
Application
Hardware
netdevice
User
Kernel RT
SUD UML
Ethernetproxy driver
Network driver APISUD RPC
API
Network driver API
-
SUD's results
Tolerate malicious device drivers
Proxy drivers small (~500 LOC)
One proxy driver per device class
Few kernel modifications (~50 LOC)
Unmodified drivers (6 test drivers)
High performance, low overhead
No need for new OS or language
-
Security challenge: prevent attacks
Problem: driver must perform privileged operationsMemory access,
driver API, DMA, interrupts, …
Attacks from driver code:Direct system attacks: memory
corruption, ...
Driver API attacks: invalid return value, deadlock, ...
Attacks from device:DMA to DRAM, peer-to-peer attacks, interrupt
storms
-
Practical challenges
High performance, low overheadChallenge: interact with hardware
and kernel at high
rate, kernel-user switch expensive
E.g. Ethernet driver ~100k times a second
Reuse existing drivers and kernelChallenge: drivers assume
fully-privileged kernel env.
Challenge: kernel driver API complex, non-uniform
-
SUD overview
Kernel
User
Proxy driver Kernel core
Application
Hardware
Driver
User
SUD UML
HW accessmodule
-
SUD overview
Kernel
User
Proxy driver Kernel core
Application
Hardware
Driver
User
SUD UML
HW accessmodule
-
Linux driver APIs
Linux defines a driver API for each device classDriver and
kernel functions and variables
-
Example: wireless driver API
Linux defines a driver API for each device classDriver and
kernel functions and variables
struct wireless_ops {
int (*tx)(struct sk_buff*);
int (*configure_filter)(int);
...
};
struct wireless_hw {
int conf;
int flags
....
};
-
Example: wireless driver API
Linux defines a driver API for each device classDriver and
kernel functions and variables
Proxy drivers and SUD-UML convert API to RPCs
struct wireless_ops {
int (*tx)(struct sk_buff*);
int (*configure_filter)(int);
...
};
struct wireless_hw {
int conf;
int flags
....
};
-
Example: wireless driver API
Linux defines a driver API for each device classDriver and
kernel functions and variables
Proxy drivers and SUD-UML convert API to RPCs
struct wireless_ops {
int (*tx)(struct sk_buff*);
int (*configure_filter)(int);
...
};
struct wireless_hw {
int conf;
int flags
....
};
-
Example: wireless driver API
Linux defines a driver API for each device classDriver and
kernel functions and variables
Proxy drivers and SUD-UML convert API to RPCs
struct wireless_ops {
int (*tx)(struct sk_buff*);
int (*configure_filter)(int);
...
};
struct wireless_hw {
int conf;
int flags
....
};
Called in a non-preemptable context
-
Example: wireless driver API
Linux defines a driver API for each device classDriver and
kernel functions and variables
Proxy drivers and SUD-UML convert API to RPCs
struct wireless_ops {
int (*tx)(struct sk_buff*);
int (*configure_filter)(int);
...
};
struct wireless_hw {
int conf;
int flags
....
};
Called in a non-preemptable context
Driver API variable
-
Wireless driver in SUD
Basic driver API → SUD RPC API→ driver API
Non-preemptable function: implement in proxy
Driver API variable: shadow variables
-
Example 1: transmit a packet
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
-
Example 1: transmit a packet
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
Socket write
-
Example 1: transmit a packet
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UMLwireless_ops.tx
-
Example 1: transmit a packet
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
TX packet RPC
-
Example 1: transmit a packet
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_ops.tx
-
Example 1: transmit a packet
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
DMA TX
-
Example 2: non-preemptable callback
Problem: unable to switch to user-space
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
-
Problem: unable to switch to user-space
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML Acquires a spin lock
Example 2: non-preemptable callback
-
Problem: unable to switch to user-space
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UMLwireless_ops.configure_filter
Example 2: non-preemptable callback
-
Problem: unable to switch to user-space
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
Filter RPC
Example 2: non-preemptable callback
-
Problem: unable to switch to user-space
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
Example 2: non-preemptable callback
-
Problem: unable to switch to user-space
Solution: implement directly in proxy driver
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
Example 2: non-preemptable callback
-
Problem: unable to switch to user-space
Solution: implement directly in proxy driver
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
Register RX packet types
Example 2: non-preemptable callback
-
Problem: unable to switch to user-space
Solution: implement directly in proxy driver
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
Example 2: non-preemptable callback
Acquires a spin lock
-
Problem: unable to switch to user-space
Solution: implement directly in proxy driver
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
Example 2: non-preemptable callback
wireless_ops.configure_filter
-
Problem: unable to switch to user-space
Solution: implement directly in proxy driver
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
Example 2: non-preemptable callback
Return RX packet types
-
Example 3: driver API variables
Problem: user-space can't access API variables
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
-
Problem: user-space can't access API variables
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
Driver API variable
Example 3: driver API variables
-
Problem: user-space can't access API variables
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
Writes to wireless_hw
Example 3: driver API variables
-
Problem: user-space can't access API variables
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
Example 3: driver API variables
-
Problem: user-space can't access API variables
Solution: allocate a shadow copy and synchronize before and
after RPCs
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
Example 3: driver API variables
-
Problem: user-space can't access API variables
Solution: allocate a shadow copy and synchronize before and
after RPCs
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
wireless_hw
Shadow variable
Example 3: driver API variables
-
Problem: user-space can't access API variables
Solution: allocate a shadow copy and synchronize before and
after RPCs
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
wireless_hw Writes to wireless_hw
Example 3: driver API variables
-
Problem: user-space can't access API variables
Solution: allocate a shadow copy and synchronize before and
after RPCs
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
wireless_hw
Synchronize before sending RPC
Example 3: driver API variables
-
Problem: user-space can't access API variables
Solution: allocate a shadow copy and synchronize before and
after RPCs
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
wireless_hw
Send RPC
Example 3: driver API variables
-
Problem: user-space can't access API variables
Solution: allocate a shadow copy and synchronize before and
after RPCs
Kernel
User
Wirelessproxy driver
Wirelesscore
Webbrowser
Hardware
Wirelessdriver
User
SUD UML
wireless_hw
wireless_hw
Reads updates from shadow variable
Example 3: driver API variables
-
SUD overview
Kernel
User
Proxy driver Kernel core
Application
Hardware
Driver
User
SUD UML
HW accessmodule
-
SUD overview
Kernel
User
Proxy driver Kernel core
Application
Hardware
Driver
User
SUD UML
HW accessmodule
-
Attacks from hardware
CPU
PCI bus
DRAM
Memory interconnect
-
Attacks from hardware
CPU
PCI bus
DRAM
Memory interconnect
Driver configures the device to execute attacks
-
Attacks from hardware
CPU
PCI bus
DRAM
Memory interconnect
Driver configures the device to execute attacksDMA to DRAM
-
Attacks from hardware
CPU
PCI bus
DRAM
Memory interconnect
Driver configures the device to execute attacksDMA to DRAM
Peer-to-peer messages
-
Attacks from hardware
CPU
PCI bus
DRAM
Memory interconnect
Driver configures the device to execute attacksDMA to DRAM
Peer-to-peer messages
Interrupt storms
-
Attacks from hardware
Driver configures the device to execute attacksDMA to DRAM
Peer-to-peer messages
Interrupt storms
HW access module prevents attacksInterposes on driver-device
communication
Uses IO virtualization to provide direct device access
-
IO virtualization hardware
CPU MSI
IOMMU PCI expressswitch
DRAM
Memory interconnect
APIC interconnect
-
IO virtualization hardware
CPU MSI
IOMMU PCI expressswitch
DRAM
Memory interconnect
APIC interconnect
Use IOMMU to map DMA buffer poolsPrevents DMA to DRAM
attacks
-
IO virtualization hardware
CPU MSI
IOMMU PCI expressswitch
DRAM
Memory interconnect
APIC interconnect
Use PCI ACS to prevent peer-to-peer messagingPrevents
peer-to-peer attacks
-
IO virtualization hardware
CPU MSI
IOMMU PCI expressswitch
DRAM
Memory interconnect
APIC interconnect
Use MSI to mask interruptsPrevents interrupt storms
-
Interrupt handlers in Linux
Kernel
Driver IRQ core
UserMSI
-
Interrupt handlers in Linux
Kernel
Driver IRQ core
UserMSI
-
Interrupt handlers in Linux
Driver called with IRQs disabled (non-preemptable)
Kernel
Driver IRQ core
UserMSI
-
Interrupt handlers in Linux
Kernel calls driver interrupt handler
Driver clears interrupt flag
Kernel
Driver IRQ core
UserMSI
-
Interrupt handlers with SUD
Kernel
HW accessmodule IRQ core
UserMSI
Driver
SUD UML
-
Interrupt handlers with SUD
Kernel calls HW access module interrupt handler
HW access module masks interrupt with MSI
Kernel
HW accessmodule IRQ core
UserMSI
Driver
SUD UML
-
Interrupt handlers with SUD
Kernel calls HW access module interrupt handler
HW access module masks interrupt with MSI
Kernel
HW accessmodule IRQ core
UserMSI
Driver
SUD UML
-
Interrupt handlers with SUD
Kernel calls HW access module interrupt handler
HW access module masks interrupt with MSI
Asynchronous RPC to driver
Kernel
HW accessmodule IRQ core
UserMSI
Driver
SUD UML
-
Interrupt handlers with SUD
Kernel calls HW access module interrupt handler
HW access module masks interrupt with MSI
Asynchronous RPC to driver
Driver clears interrupt
Kernel
HW accessmodule IRQ core
UserMSI
Driver
SUD UML
-
Interrupt handlers with SUD
HW access module masks interrupt with MSI
Asynchronous RPC to driver
Driver clears interrupt
HW access module unmasks MSI
Kernel
HW accessmodule IRQ core
UserMSI
Driver
SUD UML
-
SUD overview
Kernel
User
Proxy driver Kernel core
Application
Hardware
Driver
User
SUD UML
HW accessmodule
-
Prototype of SUD
Supports all Ethernet, wireless, USB, audio drivers
Tested: e1000e, ne2k-pci, iwlagn, snd_hda_intel, ehci_hcd,
uhci_hcd, ...
Trusted code Lines of codePCI access module 2800Ethernet proxy
driver 300Wireless proxy driver 600Audio proxy driver 550
Untrusted code Lines of codeUser-mode runtime 5000Drivers 5000 –
50,000 (each)
-
Trusted code Lines of codePCI access module 2800Ethernet proxy
driver 300Wireless proxy driver 600Audio proxy driver 550
Untrusted code Lines of codeUser-mode runtime 5000Drivers 5000 –
50,000 (each)
Prototype of SUD
Supports all Ethernet, wireless, USB, audio drivers
Tested: e1000e, ne2k-pci, iwlagn, snd_hda_intel, ehci_hcd,
uhci_hcd, ...
-
Trusted code Lines of codePCI access module 2800Ethernet proxy
driver 300Wireless proxy driver 600Audio proxy driver 550
Untrusted code Lines of codeUser-mode runtime 5000Drivers 5000 –
50,000 (each)
Prototype of SUD
Supports all Ethernet, wireless, USB, audio drivers
Tested: e1000e, ne2k-pci, iwlagn, snd_hda_intel, ehci_hcd,
uhci_hcd, ...
-
Performance
For most devices, does not matterPrinters, cameras, …
Stress-test: e1000e gigabit network cardRequires high
throughput
Requires low latency
Many device driver interactions
Test machine: 1.4GHz dual core Thinkpad
-
Performance questions?
What performance does SUD get?Network throughput, latency
How much does it cost?CPU cycles
-
SUD achieves same device performance
TCP UDP TX UDP RX UDP latency0
0.2
0.4
0.6
0.8
1
LinuxSud
Normalized throughput relative to Linux
TCP: streaming (950 Mbps in both cases)
UDP: one-byte-data packets
Thr
ough
put r
elat
ive
to L
inux
-
CPU cost is low
TCP UDP TX UDP RX UDP latency0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
LinuxSud
SUD overhead: user-kernel switch, TLB misses
Overheads not significant for many workloads(packets larger than
min. packet size)
CP
U u
tiliz
atio
n
-
Future directions
Explore hierarchical untrusted device driversPCI bus → SATA
controller → SATA disk → …
Explore giving apps direct hardware accessSafe HW access for
network analyzer, X server, …
Performance analysis and optimizationsSUD specific device
drivers, super pages, ...
-
Related work
Mircokernels (Minix, L4, ...)Simple drivers, driver API designed
for user-space
Nooks, microdriversHandles common bugs, many changes to
kernel
Languages (e.g. Termite), source code analysisComplimentary to
user-space drivers
No need for new OS or language
-
Summary
Driver bugs lead to system crashes or exploits
SUD protects Linux from malicious drivers using proxy drivers
and IO virtualization HWRuns unmodified Linux device drivers
High performance, low overheads
Few modifications to Linux kernel
-
Security evaluation
Manually constructed potential attacksMemory corruption,
arbitrary upcall responses,
not responding at all, arbitrary DMA, ...
Relied on security heavily during developmentSUD caught all bugs
in user-mode driver framework
No crashes / reboots required to develop drivers
Ideal, but not done: red-team evaluation?
Slide 1Slide 2Slide 3Slide 4Slide 5Slide 6Slide 7Slide 8Slide
9Slide 10Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Slide
17Slide 18Slide 19Slide 20Slide 21Slide 22Slide 23Slide 24Slide
25Slide 26Slide 27Slide 28Slide 29Slide 30Slide 31Slide 32Slide
33Slide 34Slide 35Slide 36Slide 37Slide 38Slide 39Slide 40Slide
41Slide 42Slide 43Slide 44Slide 45Slide 46Slide 47Slide 48Slide
49Slide 50Slide 51Slide 52Slide 53Slide 54Slide 55Slide 56Slide
57Slide 58Slide 59Slide 60Slide 61Slide 62Slide 63Slide 64Slide
65Slide 66Slide 67Slide 68Slide 69Slide 70Slide 71Slide 72Slide
73Slide 74Slide 75Slide 76Slide 77Slide 78Slide 79Slide 80Slide
81Slide 82Slide 83Slide 84Slide 85Slide 86Slide 87Slide 88Slide
89Slide 90Slide 91Slide 92Slide 93Slide 94Slide 95
