1. A Survey of Dynamic Techniques for Detecting Device Driver Errors Olatunji Ruwase LBA Reading Group 18 th May 2010

2. Introduction Terminology – Device Drivers in Windows – (Kernel) Modules in Linux Improve OS extensibility and customization – Use new hardware devices – Increase application performance Browsers RAMDISK Reduce OS Reliability – Typically written by non kernel developers – Linux Makes up over 50 % of source code 7X bug density relative to rest of kernel – 90 % of Windows XP crashes

3. Survey Methodology Instrumentation based techniques: SafeDrive, XFI, BGI – Protect against buggy, but not malicious drivers – Generic programming errors (23 % of Linux driver errors) Detected driver errors – No discussion of recovery from driver errors Key Ideas – Metadata – Instrumentation Limitations – False negatives – Not applicable to driver binaries – Interposition library complexity i.e kernel & driver function wrappers – Driver code restrictions Comparison to Lifeguard approach

4. SafeDrive [Zhou et al OSDI ‘06] Detected driver errors – Out-of-bounds access Key Ideas – Annotate driver and kernel header sources with pointer bounds information – Compile-time instrumentation of driver with bounds checks based on annotations – Kernel wrappers to track memory (de)allocation

5. Annotations & Runtime checks Linux e1000 network card driver

6. SafeDriver Compilation of SafeDrivers Block Diagram of SafeDriver in Linux

7. SafeDrive Limitations Concurrency breaks check/access atomicity Not applicable to driver binaries False Negatives – No memory access control i.e (r,w,x) violations Code restrictions –No casts between “significantly” different types –Array & length encapsulated in struct Annotation burden –4 % of driver source code –~ 943 LOC of kernel headers Fairly complex interposition library

8. XFI [Erlingsson et al OSDI’06] Detected driver errors –Unpermitted (r,w,x) memory access –Illegal control flow transfers Key Ideas – Accessible memory of driver Data sections and allocated memory Pointers passed by kernel – Binary rewriting & verification to load only instrumented drivers Control flow, stack overflow, memory range checks – Two stacks for driver execution Verified scoped stack: non pointer addressable local vars including return addr Allocation stack: pointer addressable local variables – Kernel & driver wrappers to maintain accessible memory and stacks

9. XFI Checks Call instruction check Memory write checks

10. XFI Module

11. XFI Limitations Concurrency breaks check/access atomicity Improper use of kernel API possible False Negatives –Buffer overflows –Wild pointer accesses Driver code restrictions – No global/static variable access via pointers – No privileged x86 instructions Complex interposition library

12. BGI [Castro et al SOSP ‘09] Detected driver errors – Unpermitted(read,write, type) memory access – Unpermitted control flow transfers – Misuse of kernel objects and API Key Ideas – Target drivers using Windows Driver Model(WDM) – Protection domains: Kernel & Driver – Byte-granularity access control lists(ACL) Permissions: {read,write,type, } Maintained by compiler instrumentation and kernel wrappers

13. BGI wrappers(initialize, insert)

14. BGI Drivers Generating a BGI driver Kernel address space with BGI drivers

15. BGI Limitations Concurrency breaks check/access atomicity Not applicable to driver binaries Driver code restrictions due to WDM (good ?) – No direct kernel object modification – No inline assembly – Proper static types of variables i.e no void * Kernel/driver complexity increased by wrappers – 16.7 KLOC, 262 kernel, 84 driver wrappers False Negatives – Buffer overflows not detected – Any function with same arg stack size could be called

16. Comparison to Lifeguard approach SafeDriveXFIBGILifeguard Check/Access atomicityNo Yes Works on driver binariesNoYesNoYes Complex interposition libraryMaybeYes No Restrictions on driver codeYes No Error containment requiredNo Yes