Protecting Commodity Operating System Kernels from Vulnerable Device Drivers
Shakeel Butt @ Rutgers University, Vinod Ganapathy @ Rutgers University, Michael M. Swift @ University of Wisconsin-Madison, Chih-Cheng Chang @ Rutgers University
ACSAC 2009
Slide transcript

Outline
Introduction
Background and scope
Design
Implementation
Evaluation
Related Work
Summary

Introduction
Device drivers execute with kernel privilege in most commodity operating systems and have unrestricted access to kernel data structures.
We propose a security architecture that offers commodity operating systems the benefits of executing device drivers in user mode without affecting common-case performance.

Background and Scope
Threats at the kernel/driver interface
  Kernel data structures are routinely updated by device drivers, and the kernel imposes no restrictions on the memory regions accessible to drivers or devices.
Threats at the driver/device interface
  A compromised driver can maliciously modify the state of the device.
![Page 5: Protecting Commodity Operating System Kernels from Vulnerable Device Drivers](https://reader035.vdocuments.us/reader035/viewer/2022070421/5681632b550346895dd3a503/html5/thumbnails/5.jpg)
GoalsKernel data structure integrityGood common-case performanceCompatibility
Design

Design
Architecture (diagram on slide)

Design
Microdriver
  Consists of a k-driver and a u-driver
Microdriver runtime
  Communication
  Object tracking
RPC monitor
  Monitors data transfer
  Monitors control transfer

Implementation
Background on Microdrivers (diagram on slide)

Implementation
Microdriver split tool: DriverSlicer
  Splitter
  Code generator
Invariant inference tool: Daikon
  Front end
  Inference engine

Implementation
Monitoring kernel data structure updates
Training phase
  Inferring data structure integrity constraints
    Constancy of scalars and pointers
    Relationships between variables
    Ranges/sets of values
    Linked list invariants

Implementation
Enforcement phase
  Enforcing data structure integrity constraints
    Invariant table
    Vault table
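The training and enforcement slides above, as an added example that is not code from the paper or the talk: a Python model of the RPC monitor over a constructed net_device-like object, inferring three of the slide's invariant kinds (constancy of scalars and pointers, ranges/sets of values, relationships between variables; linked-list invariants are omitted) and then checking each u-driver update against the invariant table. Assumptions: the vault table is modeled as the monitor's trusted copy of each object's last accepted state, pointers are modeled as hex strings, and all field names, snapshots and values are constructed.

```python
"""Added example (not the paper's code): a model of the RPC monitor's training and
enforcement phases. net_device-like field names, snapshots and pointers are constructed."""

# Constructed snapshots of one kernel object, as the monitor would record them at
# u-driver/kernel boundaries during the training phase.
TRAINING = [
    {"open": "0xc0f0a000", "stop": "0xc0f0a100", "hard_header_len": 14,
     "mtu": mtu, "flags": flags, "tx_queue_len": 100}
    for mtu, flags in [(1500, 0x1003), (1492, 0x1002), (576, 0x1043),
                       (1400, 0x1003), (1280, 0x1002)]
]

def infer_invariants(snapshots):
    """Training phase: derive a Daikon-style invariant table from observed states."""
    table, names = {}, list(snapshots[0])
    ints = {n for n in names if all(isinstance(s[n], int) for s in snapshots)}
    for n in names:
        vals = [s[n] for s in snapshots]
        if len(set(vals)) == 1:
            table[n] = ("const", vals[0])                 # constant scalar or pointer
        elif n in ints and len(set(vals)) > 3:
            table[n] = ("range", min(vals), max(vals))    # numeric range
        else:
            table[n] = ("set", frozenset(vals))           # small set of seen values
    for a in sorted(ints):                                 # relationships: a <= b
        for b in sorted(ints):
            if a < b and all(s[a] <= s[b] for s in snapshots):
                table[(a, b)] = ("leq",)
    return table

def check_update(table, vault, obj_id, update):
    """Enforcement phase: apply a u-driver's proposed update to the vault copy only
    if every invariant still holds; otherwise reject it and keep the old state."""
    new = dict(vault[obj_id], **update)
    for key, inv in table.items():
        if isinstance(key, tuple) and not new[key[0]] <= new[key[1]]:
            return False, f"{key[0]} <= {key[1]} violated"
        if inv[0] == "const" and new[key] != inv[1]:
            return False, f"{key} must stay {inv[1]}"
        if inv[0] == "set" and new[key] not in inv[1]:
            return False, f"{key}={new[key]} never seen in training"
        if inv[0] == "range" and not inv[1] <= new[key] <= inv[2]:
            return False, f"{key}={new[key]} outside [{inv[1]}, {inv[2]}]"
    vault[obj_id] = new                                    # accepted: vault now holds it
    return True, "ok"

if __name__ == "__main__":
    inv, vault = infer_invariants(TRAINING), {"eth0": dict(TRAINING[0])}
    for upd in [{"mtu": 1400}, {"open": "0xdeadbeef"}, {"mtu": 9000}, {"flags": 0x1}]:
        print(upd, "->", check_update(inv, vault, "eth0", upd))
```

The rejected updates correspond to the evaluation's attack classes: a changed function pointer (control hijacking) and out-of-policy scalar values (non-control data attacks).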

Implementation
Monitoring control transfers
  Extracting control transfer policies
    Static analysis
  Enforcing control transfer policies
    Upcall
    Downcall

Evaluation
Conducted on four drivers
  RealTek RTL-8139 (8139too)
  RealTek RTL-8139C+ (8139cp)
  Ensoniq sound card (ens1371)
  USB interface (uhci-hcd)

Evaluation
Privilege separation (figure on slide)

Evaluation
Ability to prevent attacks
  Control hijacking via injected downcalls
  Control hijacking via modified function pointers
  Non-control data attacks

Evaluation
False positives and negatives (figure on slide)

Evaluation
Performance
  TCP receive and send buffer sizes of 87KB and 16KB, respectively
  Copy a 140MB file to a USB disk
  Play a 256-Kbps MP3

Related Work
Hardware-based isolation techniques
Virtual machine-based techniques
Language-based mechanisms
Microkernels
User-mode driver frameworks

Summary
Better isolates kernel data from device drivers without sacrificing performance.
Compatible with commodity operating systems.