Alex Markuze, Ph.D. Thesis Seminar
For password to lecture, please contact: firstname.lastname@example.org
Advisor: Prof. Dan Tsafrir
Malicious I/O devices might compromise the OS using DMAs. The OS therefore utilizes the IOMMU to map and unmap every target buffer right before and after its DMA is processed, thereby restricting DMAs to their designated locations. This usage model, however, is neither truly secure nor can it support multi-gigabit I/O operations.
IOMMU provides protection at page granularity only, whereas DMA buffers can reside on the same page as other data leading to subpage vulnerabilities, which make the system vulnerable to DMA attacks, in which I/O devices access and manipulate memory regions not intended for their use. We first categorize subpage vulnerabilities into four categories, providing insight into the structure of DMA vulnerabilities. Then, to exploit these vulnerabilities, we identify a set of three vulnerability attributes that are sufficient to execute code injection attacks.
We then build analysis tools that detect subpage vulnerabilities and analyze the Linux kernel. We find that 72% of the device drivers expose sensitive callback pointers, which may be overwritten by a device to hijack kernel control flow.
Aided by the tools' output, we demonstrate novel code injection attacks on the Linux kernel we term Compound attacks. Specifically, while all previously reported attacks are single-step, i.e., with the vulnerability attributes present in a single page, in Compound attacks, the vulnerability attributes are initially incomplete. However, they can be attained by carefully exploiting standard OS behavior.
In order to provide performant and secure I/O we propose that OSes utilize the IOMMU differently. Our new usage model restricts device access to a set of shadow DMA buffers that are never unmapped. The DMAed data is copied to/from these shadow buffers, thus providing sub-page protection. Our key insight is that the cost of interacting with, and synchronizing access to the slow IOMMU hardware---required for zero-copy protection against devices---make copying preferable to zero-copying.
We implement our model in Linux and evaluate it with standard networking benchmarks utilizing a 40,Gb/s NIC. We demonstrate that despite being more secure than the safest preexisting usage model, our approach provides up to 5 times higher throughput. Additionally, whereas it is inherently less scalable than an IOMMU-less (unprotected) system, our approach incurs only 0%--25% performance degradation in comparison.
Next, we observe that achieving protection at the DMA (un)map boundary is needlessly constraining, as devices must be prevented from changing the data only after the kernel reads it. So there is no real need to switch ownership of buffers between kernel and device at the DMA (un)mapping layer, as opposed to the approach taken by all existing IOMMU protection schemes. We thus eliminate the extra copy by (1)implementing a new allocator called DMA-Aware Malloc for
Networking (DAMN), which (de)allocates packet buffers from a memory pool permanently mapped in the IOMMU; (2)modifying the network stack to use this allocator; and (3)copying packet data only when the kernel needs it, which usually morphs the aforementioned extra copy into the kernel's standard copy operation performed at the user-kernel boundary. DAMN thus provides full IOMMU protection with performance comparable to that of an unprotected system.