Shakeel Butt @ Rutgers UniversityVinod Ganapathy @ Rutgers University

Michael M. Swift @ University of Wisconsin-MadisonChih-Cheng Chang @ Rutgers University

ACSAC 2009

Protecting Commodity Operating System Kernels from

Vulnerable Device Drivers

IntroductionBackground and scopeDesignImplementationEvaluationRelated WorkSummary

Outline

Device drivers execute with kernel privilege in most commodity operating systems and have unrestricted access to kernel data structure.

Propose a security architecture that offers commodity operating systems the benefits of executing device drivers in user mode without affecting common-case performance

Introduction

Threats at the kernel/driver interfaceKernel data structures are routinely updated

by device drivers, and the kernel impose no restrictions on the memory regions accessible to drivers or devices.

Threats at the driver/device interfaceA compromised driver can maliciously modify

the state of the device

Background and Scope

GoalsKernel data structure integrityGood common-case performanceCompatibility

Design

Architecture

Design

MicrodriverConsist of k-driver & u-driver

Microdriver runtimeCommunicationObject tracking

RPC monitorMonitor data transferMonitor control transfer

Design

Background on Microdrivers

Implementation

Microdriver split tool - DriverSlicerSplitterCode generator

Invariant inference tool – DaikonFront endInference engine

Implementation

Monitoring kernel data structure updatesTraining phace

Inferring data structure integrity constraintsConstancy of scalars and pointersRelationships between variablesRanges/sets of valuesLinked list invariants

Implementation

Enforcement phaseEnforcing data structure integrity constraints

Invariant table Vault table

Implementation

Monitoring control transfersExtracting control transfer policies

Static analysisEnforcing control transfer policies

UpcallDowncall

Inplementation

Conduct on four driversRealTek RTL-8139 (8139too)RealTek RTL-8139C+ (8139cp)Ensoniq sound card (ens1371)USB interface (uhci-hcd)

Evaluation

Privilege separation

Evaluation

Ability to prevent attacksControl hijacking via injected downcallsControl hijacking via modified function

pointersNon-control data attacks

Evaluation

False positives and negatives

Evaluation

PerformanceTCP receive and send buffer sizes of 87KB and

16KB, respectively.Copy a 140MB file into a USB diskPlay a 256-Kbps MP3

Evaluation

Hardware-based isolation techniquesVirtual machine-based techniquesLanguage-based mechanismsMicrokernelsUser-mode driver frameworks

Related Work

Better isolate kernel data from device drivers without sacrificing performance.

Compatible with commodity operating system.

Summary