Protecting Commodity Operating System Kernels from Vulnerable Device Drivers

Shakeel Butt*, Vinod Ganapathy*, Michael Swift^, Chih-Cheng Chang*

*Rutgers University, ^University of Wisconsin, Madison


Post on 10-Jan-2016


Page 2

Take home message

Vulnerable device drivers can be compromised to hijack control of commodity operating systems

This talk: New security architecture to contain vulnerable device drivers

Page 3

1. Device drivers dominate OS code base

• Large percentage of OS is device driver code
  – 3.1 million out of 5.4 million LOC in Linux
  – 35K different drivers with over 112K versions in Win XP.

Page 4

2. Device drivers execute in kernel mode

[Diagram labels: Applications, Kernel, Device Driver (×3), Device (×3)]

Page 5

Vulnerable device driver

[Diagram labels: Applications, Malformed Input, Kernel, Device Driver, Device]

Page 6

3. Device drivers are vulnerable

• Wireless driver exploits in WinXP & OS X.
  – BroadCom, D-Link, NetGear [Cache 06]
  – Intel Wireless 2200BG & 2915ABG [Bulygin 07]
  – OS X Atheros driver [Maynor 07]
• Device drivers contain more bugs than kernel.

Page 7

Outline

• Introduction
• Background
• Our Architecture
• Evaluation
• Summary

Page 8

Related Work

• Driver isolation systems
  – Nooks [Swift 03]
  – SafeDrive [Zhou 06]
• User-level drivers
  – Windows UMDF
  – Linux User-Level Device Drivers [Leslie 05]
• Hybrid
  – Microdrivers [Ganapathy 08]

Page 9

Microdrivers

[Diagram labels: Applications, Kernel, Device Driver, U-driver, K-Driver, Device]

Page 10

Benefit # 1: Reduced code in kernel

[Diagram labels: Applications, U-driver, Kernel, K-Driver, Device. Callout: Reduced in-kernel device driver code]

Page 11

Benefit # 2: Compatibility

[Diagram labels: Applications, U-driver, Kernel, K-Driver, Device. Callout: Same interface with the Kernel]

Page 12

Benefit # 3: Good performance

[Diagram labels: Applications, U-driver, Kernel, K-Driver, Device. Callout: Performance critical code]

Page 13

Benefit # 4: Flexibility

[Diagram labels: Applications, U-driver, Kernel, K-Driver, Device. Callout: int get_status(char*)]

Page 14

U-driver & K-driver Communication

[Diagram labels: Applications, U-driver, Kernel, K-Driver, Marshalling Buffer (×2); get_status(arg); int get_status(char*)]

Page 15

[Diagram labels: Applications, U-driver, Kernel, K-Driver, Marshalling Buffer; get_status(arg); int get_status(char*); kern_fptr = {injected code}]

Page 16

Solution: RPC Monitor

[Diagram labels: Applications, U-driver, RPC monitor, Kernel, K-Driver, Device]

Page 17

Outline

• Introduction
• Background
• Our Architecture
• Evaluation
• Summary

Page 18

RPC Monitor

• Enforces
  – Data integrity constraints
  – Control flow policies
• Data integrity constraints are extracted automatically using dynamic analysis.
• Control flow policies are extracted automatically through static analysis.

Page 19

Enforcing data integrity constraints

[Diagram labels: Applications, U-driver, Kernel, K-Driver, RPC Monitor, Marshalling Buffer (×2); get_status(arg); int get_status(char*)]

Page 20

Inferring data integrity constraints

[Diagram labels: Training workload, Logger, U-driver, Kernel, K-Driver, Device, Traces, Daikon, Data Integrity Constraints]

Page 21

Examples of data integrity constraints

Functions              Constraints
rtl8139_init_module    rtl8139_intr_mask = 0xC07F
rtl8139_init_module    rtl8139_norx_intr_mask = 0xC02E
rtl8139_get_link       dev->hard_start_xmit has only one value
rtl8139_get_link       Len(dev->mc_list) == Orig(Len(dev->mc_list))

Page 22

Enforcing control flow policies

• Scenario 1:
  – Return from function call in U-driver
  – RPC Monitor ensures that control returns to the instruction following upcall instruction
• Scenario 2:
  – U-driver calls a function in Kernel or K-driver
  – RPC Monitor ensures that the function call is allowed according to statically extracted policy
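
Added example (not the authors' code): how a monitor on the RPC boundary could apply the two rtl8139_get_link invariants from the examples table and the scenario 2 allow-list before committing U-driver output to kernel state, which is what blocks the kern_fptr overwrite shown earlier. The struct net_dev_view, the function names, the trained pointer value and the allow-list entries are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical view of the fields unmarshalled after an upcall returns. */
struct net_dev_view {
    uintptr_t hard_start_xmit; /* dev->hard_start_xmit (kernel function pointer) */
    size_t    mc_list_len;     /* Len(dev->mc_list) */
};

/* Data integrity check for rtl8139_get_link, using the two invariants on the
 * slide. trained_xmit is the single value seen in training (assumed input). */
int check_get_link(const struct net_dev_view *orig,
                   const struct net_dev_view *upd, uintptr_t trained_xmit)
{
    if (upd->hard_start_xmit != trained_xmit)
        return -1;                       /* "has only one value" violated */
    if (upd->mc_list_len != orig->mc_list_len)
        return -1;                       /* Len != Orig(Len) */
    return 0;
}

/* Control flow, scenario 2: constructed allow-list of downcall targets. */
static const char *const allowed_downcalls[] = { "k_read_reg", "k_lock" };

int downcall_allowed(const char *target)
{
    size_t n = sizeof allowed_downcalls / sizeof allowed_downcalls[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(allowed_downcalls[i], target) == 0)
            return 1;
    return 0;
}

/* Apply the U-driver's update to kernel state only if every check passes. */
int monitor_commit(struct net_dev_view *kern, const struct net_dev_view *upd,
                   uintptr_t trained_xmit)
{
    if (check_get_link(kern, upd, trained_xmit) != 0)
        return -1;                       /* reject; kernel copy untouched */
    *kern = *upd;
    return 0;
}

int main(void)
{
    struct net_dev_view kern = { 0x1000, 2 }, bad = { 0x4141, 2 };
    printf("tampered pointer: %d\n", monitor_commit(&kern, &bad, 0x1000));
    printf("downcall k_lock: %d\n", downcall_allowed("k_lock"));
    return 0;
}
```

The design point is that the check runs on the unmarshalled copy, so a rejected update never reaches the kernel's own data structure.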

Page 23

Outline

• Introduction
• Background
• Our Architecture
• Evaluation
• Summary

Page 24

Experiment Setup

• QEMU 0.9.1 & VMWare Workstation 6
• Implemented in Linux 2.6.18.1 kernel
• Ported 4 device drivers

Page 25

Goals of Evaluation

• Effectiveness
  – Simulated attacks
  – Fault injection experiment
• Performance

Page 26

Fault Injection Experiment Setup

• Fault injector from SafeDrive [Zhou 06]
• Types of faults
  – Removes assignment instructions
  – Changes if conditions
  – Changes loop counters
• Two device drivers
  – 8139too
  – 8139cp

Page 27

Fault injection experiment

[Diagram labels: Applications, U-driver, RPC monitor, Kernel, K-Driver, Faults, Crashed, System Log]

Driver    Faults   No Crash   UD   Clear   In Log   Detect
8139too   400      49         26   212     113      95 (84%)
8139cp    400      134        14   147     105      64 (61%)

Page 28

Performance Experiment Setup

• Device drivers
  – Network drivers (8139too, 8139cp)
  – USB driver (uhci-hcd)
• Workload for network drivers
  – TCP send
  – TCP receive
• Workload for USB driver
  – Copy a file of 100MB

Page 29

Performance

Page 30

Summary

• Reduction of trusted code in kernel
• Good common-case performance
• Compatible with Commodity OS
• Able to detect large number of faults

Page 31

Thanks

Questions?