Operating system (OS) kernel extensions, particularly device drivers, are one of the primary sources of vulnerabilities in commodity OS kernels. Vulnerabilities in driver code are often exploited by attackers, leading to attacks like privilege escalation, denial of service, and arbitrary code execution. Today, kernel extensions are fully trusted and operate within the core kernel without any form of isolation. But history suggests that this trust is often misplaced, emphasizing a need for some isolation in the kernel. We develop a new framework for isolating device drivers in the Linux kernel. Our work builds on three fundamental principles: (1) strong isolation of the driver code; (2) reuse of existing drivers while making no or minimal changes to the source; and (3) achieving the same or better performance compared to the non-isolated driver. In comparison to existing driver isolation schemes like driver virtual machines and user-level device driver implementations, our work strives to avoid modifying existing code and implements an I/O path without incurring substantial performance overhead.
We demonstrate our approach by isolating an unmodified driver for a null block device in the Linux kernel, achieving near-native throughput for block sizes ranging from 512B to 256KB and outperforming the non-isolated driver for block sizes of 1MB and higher.
The main idea of the work was to utilize the safe features of the Rust programming language for systems programming.
Built a protection domain library to support fault isolation using the safe features of Rust, and extended NetBricks with the protection domain library to contain faults. Also implemented a recovery mechanism and automatic checkpointing of objects.
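The following is an added illustration of the fault-isolation idea described above, not code from the protection domain library or from NetBricks. It assumes a toy model in which a domain owns its state, confines panics raised by safe Rust's runtime checks (such as a failed bounds check) with std::panic::catch_unwind, and recovers by rolling the state back to a checkpoint taken after the last successful call. The names Domain, DomainResult, invoke and demo, and the per-port packet counter scenario, are constructed for this example.

```rust
use std::panic::{self, AssertUnwindSafe};

/// Result of running a handler inside a domain.
#[derive(Debug, PartialEq)]
pub enum DomainResult<T> {
    Ok(T),
    /// The handler panicked; its partial updates were discarded.
    Faulted,
}

/// A toy protection domain: owns state `S`, keeps a checkpoint copy of it,
/// and rolls back to that copy when code run inside the domain faults.
pub struct Domain<S: Clone> {
    state: S,
    checkpoint: S,
    faults: usize,
}

impl<S: Clone> Domain<S> {
    pub fn new(initial: S) -> Self {
        Domain { checkpoint: initial.clone(), state: initial, faults: 0 }
    }

    /// Run `handler` against the domain's state. Safe Rust turns memory
    /// errors (out-of-bounds index, unwrap on None, ...) into panics, and
    /// catch_unwind confines the panic to this call. On success the new
    /// state becomes the checkpoint; on a fault the checkpoint is restored.
    pub fn invoke<T>(&mut self, handler: impl FnOnce(&mut S) -> T) -> DomainResult<T> {
        let outcome = panic::catch_unwind(AssertUnwindSafe(|| handler(&mut self.state)));
        match outcome {
            Ok(value) => {
                self.checkpoint = self.state.clone();
                DomainResult::Ok(value)
            }
            Err(_) => {
                self.faults += 1;
                self.state = self.checkpoint.clone();
                DomainResult::Faulted
            }
        }
    }

    pub fn state(&self) -> &S {
        &self.state
    }

    pub fn faults(&self) -> usize {
        self.faults
    }
}

/// Constructed scenario: per-port packet counters (4 ports) updated by
/// handlers, one of which is buggy and indexes a port that does not exist.
pub fn demo() -> (Vec<u64>, usize) {
    let mut dom = Domain::new(vec![0u64; 4]);

    // Well-behaved handler: one packet on port 1.
    let ok = dom.invoke(|counters| counters[1] += 1);
    assert_eq!(ok, DomainResult::Ok(()));

    // Buggy handler: writes port 0, then indexes port 9. The bounds check
    // panics, and the whole update, including the write to port 0, is
    // rolled back rather than leaving the counters half-updated.
    let bad = dom.invoke(|counters| {
        counters[0] += 100;
        counters[9] += 1;
    });
    assert_eq!(bad, DomainResult::Faulted);

    // The domain keeps serving after the fault.
    let _ = dom.invoke(|counters| counters[2] += 5);

    (dom.state().clone(), dom.faults())
}

fn main() {
    // Silence the default panic message so the demo output stays readable.
    panic::set_hook(Box::new(|_| {}));
    let (counters, faults) = demo();
    println!("counters = {:?}, faults contained = {}", counters, faults);
}
```

Running the program shows the counters as [0, 1, 5, 0] with one contained fault: the faulting handler's partial write to port 0 never becomes visible, and later handlers run normally. The clone-based checkpoint is the simplest possible policy; a real library would need to bound what state a domain may touch and how much is copied per call, which is where the performance work lies.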
Related reading:
1. See publications
2. The Morning Paper's discussion
SROP is a new kind of attack wherein the attacker exploits the signal-handling framework of the kernel. In Sigreturn Oriented Programming, an attacker causes a user-space program to call the sigreturn system call in order to gain complete control over the entire user-space context in one go. This attack is special in the sense that, using SROP, an attacker can load any values they please into the registers. Previously, an attacker would have had to search for ROP gadgets to do this, but now it can be accomplished with a single sigreturn.