Protecting Commodity Operating System Kernels from Vulnerable Device Drivers
Shakeel Butt (Rutgers University), Vinod Ganapathy (Rutgers University), Michael M. Swift (University of Wisconsin-Madison), Chih-Cheng Chang (Rutgers University)
ACSAC 2009
Outline
- Introduction
- Background and scope
- Design
- Implementation
- Evaluation
- Related work
- Summary
Introduction
- Device drivers execute with kernel privilege in most commodity operating systems and have unrestricted access to kernel data structures.
- The paper proposes a security architecture that gives commodity operating systems the benefits of executing device drivers in user mode without affecting common-case performance.
Background and scope
- Threats at the kernel/driver interface: kernel data structures are routinely updated by device drivers, and the kernel imposes no restrictions on the memory regions accessible to drivers or devices.
- Threats at the driver/device interface: a compromised driver can maliciously modify the state of the device.
Design: goals
- Kernel data structure integrity
- Good common-case performance
- Compatibility
Design: architecture (figure not reproduced)
Design: background on microdrivers
- Microdriver: consists of a k-driver (in the kernel) and a u-driver (in user mode)
- Microdriver runtime: communication, object tracking
- RPC monitor: monitors data transfer and control transfer between the two halves
Implementation
- Microdriver split tool (DriverSlicer): splitter, code generator
- Invariant inference tool (Daikon): front end, inference engine
Implementation: monitoring kernel data structure updates, training phase
- Infer data structure integrity constraints from training runs:
  - Constancy of scalars and pointers
  - Relationships between variables
  - Ranges/sets of values
  - Linked list invariants
Implementation: monitoring kernel data structure updates, enforcement phase
- Enforce the inferred data structure integrity constraints on updates returned by the u-driver
- Invariant table
- Vault table
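The C program below is an added illustration of the two phases above (training on observed object states, then checking a u-driver's update against an invariant table and a vault copy); it is not code from the paper or its implementation. It assumes a small hypothetical kernel object, struct kdev with fields irq_handler, mtu and ring_len, a constructed four-snapshot training trace, and a vault that is simply the kernel's private copy of the object taken before marshalling. The real system uses Daikon and also infers relationships between variables and linked list invariants, which this example leaves out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical kernel object that the k-driver marshals to the u-driver.
 * Field names are assumptions for this example, not structures from the paper. */
struct kdev {
    uint64_t irq_handler;  /* pointer-sized field the driver must never retarget */
    uint32_t mtu;          /* scalar that legitimately varies within a range */
    uint32_t ring_len;     /* scalar that never changes after initialisation */
};

enum inv_kind { INV_NONE, INV_CONST, INV_RANGE };

/* One entry of the invariant table: what training inferred for a field. */
struct invariant {
    enum inv_kind kind;
    size_t off, size;
    uint64_t lo, hi;       /* INV_RANGE: admitted interval; INV_CONST: lo == hi */
};

#define NFIELDS 3
static const struct { size_t off, size; } fields[NFIELDS] = {
    { offsetof(struct kdev, irq_handler), sizeof(uint64_t) },
    { offsetof(struct kdev, mtu),         sizeof(uint32_t) },
    { offsetof(struct kdev, ring_len),    sizeof(uint32_t) },
};

/* Read a 4- or 8-byte field as an integer (endian-safe via memcpy). */
static uint64_t load(const struct kdev *obj, size_t off, size_t size)
{
    const unsigned char *p = (const unsigned char *)obj + off;
    if (size == sizeof(uint32_t)) { uint32_t v; memcpy(&v, p, sizeof v); return v; }
    uint64_t v; memcpy(&v, p, sizeof v); return v;
}

/* Training phase: from n snapshots of the object taken at RPC boundaries,
 * infer one invariant per field.  A field that never changed becomes
 * INV_CONST; one that varied gets the observed range. */
void infer_invariants(const struct kdev *trace, int n, struct invariant *inv)
{
    for (int f = 0; f < NFIELDS; f++) {
        uint64_t lo = load(&trace[0], fields[f].off, fields[f].size), hi = lo;
        for (int i = 1; i < n; i++) {
            uint64_t v = load(&trace[i], fields[f].off, fields[f].size);
            if (v < lo) lo = v;
            if (v > hi) hi = v;
        }
        inv[f] = (struct invariant){ lo == hi ? INV_CONST : INV_RANGE,
                                     fields[f].off, fields[f].size, lo, hi };
    }
}

/* Enforcement phase, run by the RPC monitor when the u-driver returns an
 * updated object.  `vault` is the kernel's private copy taken before the
 * object went to user mode; `update` is what came back.  Constant fields are
 * compared against the vault, so the u-driver cannot change them at all;
 * ranged fields are compared against the invariant table.  Returns -1 to
 * admit the update, else the index of the first field violating its invariant. */
int check_update(const struct invariant *inv, const struct kdev *vault,
                 const struct kdev *update)
{
    for (int f = 0; f < NFIELDS; f++) {
        uint64_t v = load(update, inv[f].off, inv[f].size);
        if (inv[f].kind == INV_CONST && v != load(vault, inv[f].off, inv[f].size))
            return f;
        if (inv[f].kind == INV_RANGE && (v < inv[f].lo || v > inv[f].hi))
            return f;
    }
    return -1;
}

/* Constructed training trace: four snapshots in which only mtu varies. */
static const struct kdev trace[4] = {
    { 0x4000, 576,  64 }, { 0x4000, 1500, 64 },
    { 0x4000, 1000, 64 }, { 0x4000, 1280, 64 },
};

/* Train on the constructed trace and judge one proposed update. */
int verdict_for(uint64_t irq_handler, uint32_t mtu, uint32_t ring_len)
{
    struct invariant inv[NFIELDS];
    infer_invariants(trace, 4, inv);
    struct kdev update = { irq_handler, mtu, ring_len };
    return check_update(inv, &trace[0], &update);  /* trace[0] doubles as the vault copy */
}

int field_kind(int f)
{
    struct invariant inv[NFIELDS];
    infer_invariants(trace, 4, inv);
    return inv[f].kind;
}

int main(void)
{
    printf("benign update:             %d\n", verdict_for(0x4000, 1500, 64));
    printf("retargeted irq_handler:    %d\n", verdict_for(0xdead, 1500, 64));
    printf("mtu outside trained range: %d\n", verdict_for(0x4000, 9000, 64));
    return 0;
}
```

The retargeted function pointer is rejected because the monitor compares it with the vault copy rather than trusting any value the u-driver supplies, which is the property that stops a compromised u-driver from hijacking control through kernel data it is allowed to update.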
Implementation: monitoring control transfers
- Extracting control transfer policies: static analysis of the driver
- Enforcing control transfer policies: on upcalls (kernel to u-driver) and downcalls (u-driver to kernel)
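The C program below is an added example of enforcing control transfer policies at the RPC monitor; it is not code from the paper or its implementation. It assumes a constructed call graph for a hypothetical u-driver (caller/callee pairs standing in for what static analysis would extract), a constructed object-tracking table, and a constructed list of registered u-driver entry points; checking downcall pointer arguments against tracked objects and upcall targets against registered entry points are this example's assumptions about policy, not necessarily the paper's exact rules.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the statically extracted policy: each edge is
 * (u-driver function, kernel function it is allowed to call). */
struct edge { const char *caller; const char *callee; };
static const struct edge callgraph[] = {
    { "rtl8139_open",  "request_irq" },
    { "rtl8139_open",  "netif_start_queue" },
    { "rtl8139_close", "free_irq" },
    { "rtl8139_close", "netif_stop_queue" },
};
#define NEDGES (sizeof callgraph / sizeof callgraph[0])

/* Object tracker (constructed): kernel objects the runtime has marshalled to
 * this u-driver.  Pointer arguments of downcalls may refer to these only. */
struct tracked { uintptr_t base; size_t len; };
static const struct tracked tracked_objs[] = {
    { 0x1000, 0x200 },
    { 0x2000, 0x40  },
};
#define NTRACKED (sizeof tracked_objs / sizeof tracked_objs[0])

/* Upcall policy (constructed): entry points the u-driver registered at load. */
struct entry { const char *name; uintptr_t addr; };
static const struct entry upcall_targets[] = {
    { "rtl8139_open", 0x9000 }, { "rtl8139_close", 0x9100 },
    { "rtl8139_start_xmit", 0x9200 },
};
#define NUPCALL (sizeof upcall_targets / sizeof upcall_targets[0])

enum verdict { ALLOW = 0, DENY_NO_EDGE, DENY_UNTRACKED_PTR, DENY_UNKNOWN_UPCALL };

/* Downcall check: the (caller, callee) pair must be an extracted edge, and
 * every kernel pointer argument must lie inside a tracked object, so an
 * injected downcall cannot reach arbitrary kernel code or memory. */
enum verdict check_downcall(const char *caller, const char *callee,
                            const uintptr_t *ptr_args, int nptr)
{
    bool edge_ok = false;
    for (size_t i = 0; i < NEDGES; i++)
        if (!strcmp(callgraph[i].caller, caller) && !strcmp(callgraph[i].callee, callee))
            edge_ok = true;
    if (!edge_ok) return DENY_NO_EDGE;
    for (int a = 0; a < nptr; a++) {
        bool in_obj = false;
        for (size_t i = 0; i < NTRACKED; i++)
            if (ptr_args[a] >= tracked_objs[i].base &&
                ptr_args[a] <  tracked_objs[i].base + tracked_objs[i].len)
                in_obj = true;
        if (!in_obj) return DENY_UNTRACKED_PTR;
    }
    return ALLOW;
}

/* Upcall check: before the kernel calls through a driver-visible function
 * pointer, the target must be a registered entry point, so a u-driver that
 * overwrote the pointer cannot redirect the kernel. */
enum verdict check_upcall(uintptr_t target)
{
    for (size_t i = 0; i < NUPCALL; i++)
        if (upcall_targets[i].addr == target) return ALLOW;
    return DENY_UNKNOWN_UPCALL;
}

/* Convenience wrappers for downcalls with zero or one pointer argument. */
enum verdict downcall0(const char *caller, const char *callee)
{ return check_downcall(caller, callee, NULL, 0); }
enum verdict downcall1(const char *caller, const char *callee, uintptr_t ptr)
{ return check_downcall(caller, callee, &ptr, 1); }

int main(void)
{
    printf("legit request_irq:      %d\n", (int)downcall1("rtl8139_open", "request_irq", 0x1010));
    printf("injected kfree:         %d\n", (int)downcall0("rtl8139_open", "kfree"));
    printf("untracked pointer arg:  %d\n", (int)downcall1("rtl8139_open", "request_irq", 0x5000));
    printf("upcall to unknown addr: %d\n", (int)check_upcall(0xbad0));
    return 0;
}
```

The two denied downcalls correspond to the "injected downcalls" attack class, and the denied upcall to the "modified function pointers" class; a real policy would be keyed per driver and per object rather than by the single constructed tables used here.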
Evaluation
- Conducted on four drivers: RealTek RTL-8139 (8139too), RealTek RTL-8139C+ (8139cp), Ensoniq sound card (ens1371), USB host controller (uhci-hcd)
Evaluation: privilege separation (figure not reproduced)
Evaluation: ability to prevent attacks
- Control hijacking via injected downcalls
- Control hijacking via modified function pointers
- Non-control data attacks
Evaluation: false positives and negatives
Evaluation: performance
- TCP receive and send buffer sizes of 87KB and 16KB, respectively
- Copy a 140MB file to a USB disk
- Play a 256-Kbps MP3
Related work
- Hardware-based isolation techniques
- Virtual machine-based techniques
- Language-based mechanisms
- Microkernels
- User-mode driver frameworks
Summary
- Better isolates kernel data from device drivers without sacrificing performance
- Compatible with commodity operating systems