Tolerating Malicious Drivers in Linux. Silas Boyd-Wickizer and Nickolai Zeldovich

Similar documents
Tolerating Malicious Device Drivers in Linux

Part 1: Introduction to device drivers Part 2: Overview of research on device driver reliability Part 3: Device drivers research at ERTOS

Advanced Computer Networks. End Host Optimization

Review: Hardware user/kernel boundary

Hardware OS & OS- Application interface

Operating System: Chap13 I/O Systems. National Tsing-Hua University 2016, Fall Semester

Last class: Today: Course administration OS definition, some history. Background on Computer Architecture

I/O Management Software. Chapter 5

Initial Evaluation of a User-Level Device Driver Framework

Nooks. Robert Grimm New York University

Operating System Design Issues. I/O Management

Arrakis: The Operating System is the Control Plane

I/O Management Software. Chapter 5

Background. IBM sold expensive mainframes to large organizations. Monitor sits between one or more OSes and HW

G Xen and Nooks. Robert Grimm New York University

OS Extensibility: SPIN and Exokernels. Robert Grimm New York University

Operating System Security

Predictable Interrupt Management and Scheduling in the Composite Component-based System

Chapter 13: I/O Systems

CSE 120 Principles of Operating Systems

Module 11: I/O Systems

The control of I/O devices is a major concern for OS designers

I/O Management Intro. Chapter 5

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Speeding up Linux TCP/IP with a Fast Packet I/O Framework

Tolerating Hardware Device Failures in Software. Asim Kadav, Matthew J. Renzelmann, Michael M. Swift University of Wisconsin Madison

The Kernel Abstraction. Chapter 2 OSPP Part I

The Kernel Abstraction

I/O Systems and Storage Devices

Demystifying Network Cards

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

IsoStack Highly Efficient Network Processing on Dedicated Cores

I/O Systems. Jo, Heeseung

HKG net_mdev: Fast-path userspace I/O. Ilias Apalodimas Mykyta Iziumtsev François-Frédéric Ozog

Spring 2017 :: CSE 506. Device Programming. Nima Honarmand

Systems Programming and Computer Architecture ( ) Timothy Roscoe

Module 12: I/O Systems

Developing Real-Time Applications

An Analysis of Linux Scalability to Many Cores

Anne Bracy CS 3410 Computer Science Cornell University

VirtuOS: an operating system with kernel virtualization. Ruslan Nikolaev, Godmar Back Virginia Tech

Lecture 15: I/O Devices & Drivers

Sugar: Secure GPU Acceleration in Web Browsers

Chapter 13: I/O Systems

CS 550 Operating Systems Spring System Call

19: I/O. Mark Handley. Direct Memory Access (DMA)

Anne Bracy CS 3410 Computer Science Cornell University

I/O. Fall Tore Larsen. Including slides from Pål Halvorsen, Tore Larsen, Kai Li, and Andrew S. Tanenbaum)

I/O. Fall Tore Larsen. Including slides from Pål Halvorsen, Tore Larsen, Kai Li, and Andrew S. Tanenbaum)

I/O Devices. Nima Honarmand (Based on slides by Prof. Andrea Arpaci-Dusseau)

Example Networks on chip Freescale: MPC Telematics chip

Silberschatz and Galvin Chapter 12

I/O Systems. Amir H. Payberah. Amirkabir University of Technology (Tehran Polytechnic)

Chapter 13: I/O Systems. Operating System Concepts 9 th Edition

Che-Wei Chang Department of Computer Science and Information Engineering, Chang Gung University

NTRDMA v0.1. An Open Source Driver for PCIe NTB and DMA. Allen Hubbe at Linux Piter 2015 NTRDMA. Messaging App. IB Verbs. dmaengine.h ntb.

CS 5460/6460 Operating Systems

Virtualization, Xen and Denali

CIS 21 Final Study Guide. Final covers ch. 1-20, except for 17. Need to know:

Architectural Support for Operating Systems

Pacifica Next Generation Architecture for Efficient Virtual Machines

CSE 153 Design of Operating Systems

Chapter 13: I/O Systems

C02: Interrupts and I/O

CSE 153 Design of Operating Systems Fall 18

CSE 120 Principles of Operating Systems


5.b Principles of I/O Hardware CPU-I/O communication

2 nd Half. Memory management Disk management Network and Security Virtual machine

Xen Network I/O Performance Analysis and Opportunities for Improvement

I/O Management Intro. Chapter 5

Operating Systems. Operating System Structure. Lecture 2 Michael O Boyle

Fault Isolation for Device Drivers

Chapter 2 Computer-System Structure

I/O Device Controllers. I/O Systems. I/O Ports & Memory-Mapped I/O. Direct Memory Access (DMA) Operating Systems 10/20/2010. CSC 256/456 Fall

CS 550 Operating Systems Spring Interrupt

CSE 120 Principles of Operating Systems

Computer Science. ! Other approaches:! Special systems designed for extensibility

Computer Architecture Background

Operating Systems: Principles and Practice. Mark Zbikowski Gary Kimura (kudos to Tom Anderson)

OpenOnload. Dave Parry VP of Engineering Steve Pope CTO Dave Riddoch Chief Software Architect

Syscalls, exceptions, and interrupts, oh my!

Input/Output. Today. Next. Principles of I/O hardware & software I/O software layers Disks. Protection & Security

Xen and the Art of Virtualization. CSE-291 (Cloud Computing) Fall 2016

Virtual Memory. Motivations for VM Address translation Accelerating translation with TLBs

Networks and distributed computing

Module 12: I/O Systems

I/O Devices. I/O Management Intro. Sample Data Rates. I/O Device Handling. Categories of I/O Devices (by usage)

操作系统概念 13. I/O Systems

Tuned Pipes: End-to-end Throughput and Delay Guarantees for USB Devices. Ahmad Golchin, Zhuoqun Cheng and Richard West Boston University

Input / Output. Kevin Webb Swarthmore College April 12, 2018

Introduction. CS3026 Operating Systems Lecture 01

Operating System Architecture. CS3026 Operating Systems Lecture 03

CSE 120 Principles of Operating Systems

HIGH-PERFORMANCE NETWORKING :: USER-LEVEL NETWORKING :: REMOTE DIRECT MEMORY ACCESS

Support for Smart NICs. Ian Pratt

A Userspace Packet Switch for Virtual Machines

Chapter 5 Input/Output. I/O Devices

Operating Systems. Introduction & Overview. Outline for today s lecture. Administrivia. ITS 225: Operating Systems. Lecture 1

Hardware Enforcement of Application Security Policies Using Tagged Memory

Transcription:

XXX

Tolerating Malicious Drivers in Linux Silas Boyd-Wickizer and Nickolai Zeldovich

How could a device driver be malicious? Today's device drivers are highly privileged Write kernel memory, allocate memory,... Drivers are complex; developers write buggy code Result: Attackers exploit vulnerabilities

How could a device driver be malicious? Today's device drivers are highly privileged Write kernel memory, allocate memory,... Drivers are complex; developers write buggy code Result: Attackers exploit vulnerabilities

How could a device driver be malicious? Today's device drivers are highly privileged Write kernel memory, allocate memory,... Drivers are complex; developers write buggy code Result: Attackers exploit vulnerabilities

Current approach -space drivers in μkernels (Minix, L4,...) Write device driver in new language (Termite) Handle common faults (Nooks, microdrivers,...)

Goal Secure, efficient, & unmodified drivers on Linux

Previous user-space drivers μkernel Hardware Ethernet driver Network stack Application core

Previous user-space drivers Confine driver in a process μkernel Hardware Ethernet driver Network stack Application core

Previous user-space drivers Confine driver in a process μkernel Hardware Ethernet driver Network stack Application core General purpose syscall API to configure device

Previous user-space drivers Confine driver in a process μkernel Hardware Ethernet driver Network stack Application Confine device with IO virtualization HW. core General purpose syscall API to configure device

Previous user-space drivers Confine driver in a process μkernel IPC network driver API E.g. tx_packet Hardware Ethernet driver Network stack Application Confine device with IO virtualization HW. core General purpose syscall API to configure device

Current Linux driver architecture Hardware Application Ethernet driver Network stack RT netdevice

Current Linux driver architecture Hardware runtime (e.g. kmalloc) Application Ethernet driver Network stack RT netdevice

Current Linux driver architecture Hardware runtime (e.g. kmalloc) Network driver API (e.g. tx_packet) Application Ethernet driver Network stack RT netdevice

Linux user-space driver problem RT and driver APIs won't work for untrusted drivers in a different AS Ethernet driver Hardware Application Network stack RT netdevice

SUD's approach Ethernet driver Hardware Application Network stack RT netdevice

SUD's approach SUD UML handles calls to kernel RT Ethernet driver Hardware SUD UML Application Network stack RT netdevice

SUD's approach SUD UML handles calls to kernel RT Proxy driver and SUD UML allow reuse of existing driver APIs Ethernet driver Hardware SUD UML Application Ethernet proxy driver Network stack RT netdevice

SUD's approach SUD UML handles calls to kernel RT Proxy driver and SUD UML allow reuse of existing driver APIs Ethernet driver Hardware SUD UML Application Network driver API Ethernet proxy driver Network stack RT netdevice

SUD's approach SUD UML handles calls to kernel RT Proxy driver and SUD UML allow reuse of existing driver APIs Ethernet driver Hardware SUD RPC API SUD UML Application Network driver API Ethernet proxy driver Network stack RT netdevice

SUD's approach SUD UML handles calls to kernel RT Proxy driver and SUD UML allow reuse of Network driver API existing driver APIs Ethernet driver Hardware SUD RPC API SUD UML Application Network driver API Ethernet proxy driver Network stack RT netdevice

SUD's results Tolerate malicious device drivers Proxy drivers small (~500 LOC) One proxy driver per device class Few kernel modifications (~50 LOC) Unmodified drivers (6 test drivers) High performance, low overhead No need for new OS or language

Security challenge: prevent attacks Problem: driver must perform privileged operations Memory access, driver API, DMA, interrupts, Attacks from driver code: Direct system attacks: memory corruption,... Driver API attacks: invalid return value, deadlock,... Attacks from device: DMA to DRAM, peer-to-peer attacks, interrupt storms

Practical challenges High performance, low overhead Challenge: interact with hardware and kernel at high rate, kernel-user switch expensive E.g. Ethernet driver ~100k times a second Reuse existing drivers and kernel Challenge: drivers assume fully-privileged kernel env. Challenge: kernel driver API complex, non-uniform

SUD overview Hardware Driver SUD UML Application HW access module Proxy driver core

SUD overview Hardware Driver SUD UML Application HW access module Proxy driver core

Linux driver APIs Linux defines a driver API for each device class Driver and kernel functions and variables

Example: wireless driver API Linux defines a driver API for each device class Driver and kernel functions and variables struct wireless_ops { int (*tx)(struct sk_buff*); int (*configure_filter)(int);... }; struct wireless_hw { int conf; int flags... };

Example: wireless driver API Linux defines a driver API for each device class Driver and kernel functions and variables struct wireless_ops { int (*tx)(struct sk_buff*); int (*configure_filter)(int);... }; struct wireless_hw { int conf; int flags... }; Proxy drivers and SUD-UML convert API to RPCs

Example: wireless driver API Linux defines a driver API for each device class Driver and kernel functions and variables struct wireless_ops { int (*tx)(struct sk_buff*); int (*configure_filter)(int);... }; struct wireless_hw { int conf; int flags... }; Proxy drivers and SUD-UML convert API to RPCs

Example: wireless driver API Linux defines a driver API for each device class Driver and kernel functions and variables struct wireless_ops { }; int (*tx)(struct sk_buff*); int (*configure_filter)(int);... struct wireless_hw { }; int conf; int flags... Called in a nonpreemptable context Proxy drivers and SUD-UML convert API to RPCs

Example: wireless driver API Linux defines a driver API for each device class Driver and kernel functions and variables struct wireless_ops { }; int (*tx)(struct sk_buff*); int (*configure_filter)(int);... struct wireless_hw { }; int conf; int flags... Driver API variable Called in a nonpreemptable context Proxy drivers and SUD-UML convert API to RPCs

driver in SUD Basic driver API SUD RPC API driver API Non-preemptable function: implement in proxy Driver API variable: shadow variables

Example 1: transmit a packet Hardware driver SUD UML Web browser proxy driver core

Example 1: transmit a packet Socket write Hardware driver SUD UML Web browser proxy driver core

Example 1: transmit a packet Hardware driver SUD UML Web browser wireless_ops.tx proxy driver core

Example 1: transmit a packet TX packet RPC Hardware driver SUD UML Web browser proxy driver core

Example 1: transmit a packet wireless_ops.tx Hardware driver SUD UML Web browser proxy driver core

Example 1: transmit a packet DMA TX Hardware driver SUD UML Web browser proxy driver core

Example 2: non-preemptable callback Problem: unable to switch to user-space Hardware driver SUD UML Web browser proxy driver core

Example 2: non-preemptable callback Problem: unable to switch to user-space Hardware driver SUD UML Web browseracquires a spin lock proxy driver core

Example 2: non-preemptable callback Problem: unable to switch to user-space Hardware Web driver browser SUD UML wireless_ops.configure_filter proxy driver core

Example 2: non-preemptable callback Problem: unable to switch to user-space Filter RPC Hardware driver SUD UML Web browser proxy driver core

Example 2: non-preemptable callback Problem: unable to switch to user-space Hardware driver SUD UML Web browser proxy driver core

Example 2: non-preemptable callback Problem: unable to switch to user-space Solution: implement directly in proxy driver Hardware driver SUD UML Web browser proxy driver core

Example 2: non-preemptable callback Problem: unable to switch to user-space Solution: implement directly in proxy driver Hardware driver SUD UML Register RX Web packet types browser proxy driver core

Example 2: non-preemptable callback Problem: unable to switch to user-space Solution: implement directly in proxy driver Hardware driver SUD UML Web browseracquires a spin lock proxy driver core

Example 2: non-preemptable callback Problem: unable to switch to user-space Solution: implement directly in proxy driver Hardware driver SUD UML Web browser wireless_ops.configure_filter proxy driver core

Example 2: non-preemptable callback Problem: unable to switch to user-space Solution: implement directly in proxy driver Hardware driver SUD UML Web Return RX browser packet types proxy driver core

Example 3: driver API variables Problem: user-space can't access API variables Hardware driver SUD UML Web browser proxy driver core wireless_hw

Example 3: driver API variables Problem: user-space can't access API variables Hardware driver SUD UML Web browser proxy driver Driver API variable core wireless_hw

Example 3: driver API variables Problem: user-space can't access API variables Hardware driver SUD UML Web browser Writes to wireless_hw proxy driver core wireless_hw

Example 3: driver API variables Problem: user-space can't access API variables Hardware driver SUD UML Web browser proxy driver core wireless_hw

Example 3: driver API variables Problem: user-space can't access API variables Solution: allocate a shadow copy and synchronize before and after RPCs Hardware driver SUD UML Web browser proxy driver core wireless_hw

Example 3: driver API variables Problem: user-space can't access API variables Solution: allocate a shadow copy and synchronize before and after RPCs Shadow variable Hardware driver SUD UML wireless_hw Web browser proxy driver core wireless_hw

Example 3: driver API variables Problem: user-space can't access API variables Solution: allocate a shadow copy and synchronize before and after RPCs Hardware driver SUD UML wireless_hw Web browser Writes to wireless_hw proxy driver core wireless_hw

Example 3: driver API variables Problem: user-space can't access API variables Solution: allocate a shadow copy and synchronize before and after RPCs Synchronize before driver Hardware SUD UML sending RPC wireless_hw Web browser proxy driver core wireless_hw

Example 3: driver API variables Problem: user-space can't access API variables Solution: allocate a shadow copy and synchronize before and after RPCs Hardware Send RPC driver SUD UML Web browser wireless_hw proxy driver core wireless_hw

Example 3: driver API variables Problem: user-space can't access API variables Reads updates from Solution: allocate a shadow shadow copy variableand synchronize before and after RPCs Hardware driver SUD UML wireless_hw Web browser proxy driver core wireless_hw

SUD overview Hardware Driver SUD UML Application HW access module Proxy driver core

SUD overview Hardware Driver SUD UML Application HW access module Proxy driver core

Attacks from hardware CPU Memory interconnect PCI bus DRAM

Attacks from hardware Driver configures the device to execute attacks CPU Memory interconnect PCI bus DRAM

Attacks from hardware Driver configures the device to execute attacks DMA to DRAM CPU Memory interconnect PCI bus DRAM

Attacks from hardware Driver configures the device to execute attacks DMA to DRAM Peer-to-peer messages CPU Memory interconnect PCI bus DRAM

Attacks from hardware Driver configures the device to execute attacks DMA to DRAM Peer-to-peer messages Interrupt storms CPU Memory interconnect PCI bus DRAM

Attacks from hardware Driver configures the device to execute attacks DMA to DRAM Peer-to-peer messages Interrupt storms HW access module prevents attacks Interposes on driver-device communication Uses IO virtualization to provide direct device access

IO virtualization hardware APIC interconnect CPU MSI Memory interconnect IOMMU PCI express switch DRAM

IO virtualization hardware Use IOMMU to map DMA buffer pools Prevents DMA to DRAM attacks APIC interconnect CPU MSI Memory interconnect IOMMU PCI express switch DRAM

IO virtualization hardware Use PCI ACS to prevent peer-to-peer messaging Prevents peer-to-peer attacks APIC interconnect CPU MSI Memory interconnect IOMMU PCI express switch DRAM

IO virtualization hardware Use MSI to mask interrupts Prevents interrupt storms APIC interconnect CPU MSI Memory interconnect IOMMU PCI express switch DRAM

Interrupt handlers in Linux MSI Driver IRQ core

Interrupt handlers in Linux MSI Driver IRQ core

Interrupt handlers in Linux Driver called with IRQs disabled (non-preemptable) MSI Driver IRQ core

Interrupt handlers in Linux calls driver interrupt handler Driver clears interrupt flag MSI Driver IRQ core

Interrupt handlers with SUD MSI Driver SUD UML HW access module IRQ core

Interrupt handlers with SUD calls HW access module interrupt handler HW access module masks interrupt with MSI MSI Driver SUD UML HW access module IRQ core

Interrupt handlers with SUD calls HW access module interrupt handler HW access module masks interrupt with MSI MSI Driver SUD UML HW access module IRQ core

Interrupt handlers with SUD calls HW access module interrupt handler HW access module masks interrupt with MSI Asynchronous RPC to driver MSI Driver SUD UML HW access module IRQ core

Interrupt handlers with SUD calls HW access module interrupt handler HW access module masks interrupt with MSI Asynchronous RPC to driver Driver clears interrupt MSI Driver SUD UML HW access module IRQ core

Interrupt handlers with SUD HW access module masks interrupt with MSI Asynchronous RPC to driver Driver clears interrupt HW access module unmasks MSI MSI Driver SUD UML HW access module IRQ core

SUD overview Hardware Driver SUD UML Application HW access module Proxy driver core

Prototype of SUD Trusted code Lines of code PCI access module 2800 Ethernet proxy driver 300 proxy driver 600 Audio proxy driver 550 Untrusted code Lines of code -mode runtime 5000 Drivers 5000 50,000 (each) Supports all Ethernet, wireless, USB, audio drivers Tested: e1000e, ne2k-pci, iwlagn, snd_hda_intel, ehci_hcd, uhci_hcd,...

Prototype of SUD Trusted code Lines of code PCI access module 2800 Ethernet proxy driver 300 proxy driver 600 Audio proxy driver 550 Untrusted code Lines of code -mode runtime 5000 Drivers 5000 50,000 (each) Supports all Ethernet, wireless, USB, audio drivers Tested: e1000e, ne2k-pci, iwlagn, snd_hda_intel, ehci_hcd, uhci_hcd,...

Prototype of SUD Trusted code Lines of code PCI access module 2800 Ethernet proxy driver 300 proxy driver 600 Audio proxy driver 550 Untrusted code Lines of code -mode runtime 5000 Drivers 5000 50,000 (each) Supports all Ethernet, wireless, USB, audio drivers Tested: e1000e, ne2k-pci, iwlagn, snd_hda_intel, ehci_hcd, uhci_hcd,...

Performance For most devices, does not matter Printers, cameras, Stress-test: e1000e gigabit network card Requires high throughput Requires low latency Many device driver interactions Test machine: 1.4GHz dual core Thinkpad

Performance questions? What performance does SUD get? Network throughput, latency How much does it cost? CPU cycles

SUD achieves same device performance 1 Throughput relative to Linux 0.8 0.6 0.4 0.2 Linux Sud 0 TCP UDP TX UDP RX UDP latency Normalized throughput relative to Linux TCP: streaming (950 Mbps in both cases) UDP: one-byte-data packets

CPU cost is low CPU utilization 1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 Linux Sud 0 TCP UDP TX UDP RX UDP latency SUD overhead: user-kernel switch, TLB misses Overheads not significant for many workloads (packets larger than min. packet size)

Future directions Explore hierarchical untrusted device drivers PCI bus SATA controller SATA disk Explore giving apps direct hardware access Safe HW access for network analyzer, X server, Performance analysis and optimizations SUD specific device drivers, super pages,...

Related work Mircokernels (Minix, L4,...) Simple drivers, driver API designed for user-space Nooks, microdrivers Handles common bugs, many changes to kernel Languages (e.g. Termite), source code analysis Complimentary to user-space drivers No need for new OS or language

Summary Driver bugs lead to system crashes or exploits SUD protects Linux from malicious drivers using proxy drivers and IO virtualization HW Runs unmodified Linux device drivers High performance, low overheads Few modifications to Linux kernel

Security evaluation Manually constructed potential attacks Memory corruption, arbitrary upcall responses, not responding at all, arbitrary DMA,... Relied on security heavily during development SUD caught all bugs in user-mode driver framework No crashes / reboots required to develop drivers Ideal, but not done: red-team evaluation?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback