DMAFV: Testing Device Drivers against DMA Faults

•

0 likes•100 views

Shinagawa Laboratory, The University of Tokyo

DMAFV: Testing Device Drivers against DMA Faults. Masanori Misono, Toshiki Hatanaka, Takahiro Shinagawa. In Proceedings of the 37th ACM Symposium On Applied Computing (ACM SAC 2022), Online, Apr 2022.

Software

DMAFV: Testing Device Drivers
against DMA Faults
○Masanori Misono†
, Toshiki Hatanaka, Takahiro Shinagawa
The University of Tokyo
The 37th ACM Symposium On Applied Computing (ACM SAC 2022), Apr 2022
†
Currently at TU Munich

Background (1/2)
● Device and device driver interaction
○ PIO/MMIO
○ DMA
2
Device Driver

Background (2/2)
● Devices can be malfunction or even malicious
● Device drivers should check values from devices
3
Device Driver
Anomaly values

Existing Methods (1/3)
● Static Analysis / Symbolic Execution
○ Pros
■ No need for actual devices
○ Cons
■ Require source code
■ False positives
4

Existing Methods (2/3)
● In-kernel page-fault based fault injection (PeriScope [NDSS’19])
○ Pros
■ Fine-grained monitoring
● MMIO and DMA region
○ Cons
■ OS-dependent
5
Device Driver
Kernel
Memory
Device memory region

Existing Methods (3/3)
● Hypervisor-based fault injection (FaultVisor, FaultVisor2 [SAC’16, CloudCom’18])
○ Pros
■ OS-independent
■ No need for source code
○ Cons
■ No DMA region support
6
Hypervisor
Device Driver
Memory
Device MMIO region

DMAFV
● Test DMA region using hypervisor-based fault injection
● Insight
○ Device holds DMA region information in its registers
7

Overview (1/2) DMA region detection
8
Hypervisor
Device Driver
DMA
Region
① Detect device’s DMA region by
consulting its registers
Memory
Device
Device MMIO register

Overview (2/2) Fault Injection
9
Hypervisor
Device Driver
DMA
Region
Memory
Device
② Perform fault injection by
trapping device driver’s memory
accesses to the DMA region
Device MMIO register

Example: NVMe device
● Use DMA-based command queues
● Addresses of queues are stored in device’s MMIO registers
○ ex) Admin command queue (ACQ) base address register
10
Memory ACQ
NVMe
ACQ
base

Prototype Implementation
● Hypervisor
○ BitVisor [VEE’09]
● Target Device
○ NVMe
● Implement NVMe’s command queue detector and fault injection scheme
11

Testing the Linux’s NVMe Device Driver
● Linux 4.20
● Fault injection during loading and
unloading device drivers
● DMAFV found a null-pointer
dereference
12

Future Work
● Automatic DMA region detection
● Test other OSs / hypervisors device drivers
14

Summary
● Checking values from devices in device drivers are crucial for security
● Existing methods lack OS-independent DMA-value tests
DMAFV:
● A novel way to test device drivers against DMA faults
○ Using hypervisor-based fault injection
○ Detect DMA region by consulting device’s registers
● Found a null pointer dereference bug in the Linux’s NVMe driver
15

Similar to DMAFV: Testing Device Drivers against DMA Faults

Unit 3 CO.pptx

NeerajaBhukya

Faults inside System Software

National Cheng Kung University

Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012

DefCamp

Cloud Security with LibVMI

Tamas K Lengyel

VMS Troubleshooting Guide

Michael Dotson

Tolerating Hardware Device Failures in Software

asimkadav

Towards Isolated Execution at the Machine Level. Shu Anzai, Masanori Misono, Ryo Nakamura, Yohei Kuga, Takahiro Shinagawa . In Proceedings of the 13th ACM SIGOPS Asia-Pacific Workshop on Systems (APSys 2022), pp. 68-77, Aug 2022. doi:10.1145/3546591.3547530 Isolated execution with CPU-level protection, such as process sandboxes, virtual machines, and trusted execution environments, has long been studied to mitigate software vulnerabilities. However, the complexity of system software inevitably leads to vulnerabilities in isolated execution environments themselves, and the increase in hardware complexity makes it even more challenging to avoid hardware vulnerabilities. In this paper, we explore the possibility of isolated execution at the machine level using physically separated machines as an extreme case of isolation. We take advantage of recent hardware technologies to enable relatively low-latency communication between physical machines while dramatically reducing the attack surface and trusted computing base size compared to sharing computing resources on a single machine. As the first step in this direction, we discuss the security and performance of isolating processes to another machine with remote system calls and show its feasibility with preliminary experiments.

Towards Isolated Execution at the Machine Level

Shinagawa Laboratory, The University of Tokyo

Using and Customizing the Android Framework / part 4 of Embedded Android Work...

Opersys inc.

BMCArmor: A Hardware Protection Scheme for Bare-metal Clouds

Shinagawa Laboratory, The University of Tokyo

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...

Kuniyasu Suzaki

Pcp

Reanimation Bk

CPU Architecture

محمدعبد الحى

SECURITY SOFTWARE RESOLIUTIONS (SSR) .docx

bagotjesusa

UWE Linux Boot Camp 2007: Hacking embedded Linux on the cheap

edlangley

Presentation1

mahalakshmimalini

Inside Android's UI

Opersys inc.

The root cause of most software exploits is bugs. Hardening, mitigations and containers are important, but they can't protect a system with thousands of bugs. In this presentation, Dmitry Vyukov will review the current [sad] situation with Linux kernel bugs and security implications based on their experience testing kernel for the past 3 years; overview a set of bug finding tools they are developing (syzbot, syzkaller, KASAN, KMSAN, KTSAN); and discuss problems and areas that require community help to improve the situation.

syzbot and the tale of million kernel bugs

Dmitry Vyukov

Inside Android's UI / ABS 2013

Opersys inc.

The workshop consists of a introduction on the embedded systems design. It starts by building a simple electronic embedded system design (microcontroler plus LCD) on the breadboard/protoboard. This will be used as target plataform. Later It is presented the low level side of C language as bitfields arrays and bitwise operations, pointers to fixed memory adresses/registers, how to access the microcontroler peripherals etc. These will be the base to develop a full embedded microkernel using ISO-C without the standard libraries.

Embedded systems development Defcon 19

Rodrigo Almeida

Paper sharing_Edge based intrusion detection for IOT devices

YOU SHENG CHEN

Similar to DMAFV: Testing Device Drivers against DMA Faults (20)

Unit 3 CO.pptx

Faults inside System Software

Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012

Cloud Security with LibVMI

VMS Troubleshooting Guide

Tolerating Hardware Device Failures in Software

Towards Isolated Execution at the Machine Level

Using and Customizing the Android Framework / part 4 of Embedded Android Work...

BMCArmor: A Hardware Protection Scheme for Bare-metal Clouds

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...

Pcp

CPU Architecture

SECURITY SOFTWARE RESOLIUTIONS (SSR) .docx

UWE Linux Boot Camp 2007: Hacking embedded Linux on the cheap

Presentation1

Inside Android's UI

syzbot and the tale of million kernel bugs

Inside Android's UI / ABS 2013

Embedded systems development Defcon 19

Paper sharing_Edge based intrusion detection for IOT devices

Recently uploaded

In the past six months, the AI landscape has undergone a massive transformation, ushering in a new era of productivity with the latest in Large Language Models (LLMs) and AI technology. This deep dive unlocks how to: Create CustomGPT Models: No coding needed to tailor AI for your unique projects. Integrate your own data, including PDFs and Excel sheets, making information handling a breeze. Plus, discover how to call your own actions/integrations for even more personalized utility. Navigate Advanced Prompting: Overcome AI's memory limits and utilize Retrieval-Augmented Generation for accessing your personalized data, streamlining how you interact with AI. Stay Ahead with AI Trends: Peek into the evolving world of LLMs, featuring newcomers like Google Gemini, Anthropic Claude, Open Sora, and Twitter Grok, and understand what their advancements mean for your productivity. Witness Real-Life Transformations: Through examples and prompt demonstrations, see firsthand how these AI strategies revolutionize routine tasks, from data analysis to content creation. Learn to leverage image output and input for advanced practical use cases, adding a new dimension to your productivity toolkit. No previous coding or AI experience is needed for this talk. Stay ahead in the fast-evolving world of work. Embrace the AI revolution and transform your workflow with advanced LLM techniques. Join us to ensure you're not left behind in the productivity race.

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques

VictorSzoltysek

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

masabamasaba

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

masabamasaba

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

masabamasaba

Looking for an efficient way to manage your finances? Look no further than our money management app. With easy-to-use features, you can track your expenses, create budgets, and monitor your savings goals all in one place. Our app provides real-time updates on your spending habits and helps you make smarter financial decisions. Take control of your finances today with our user-friendly money management app.

Right Money Management App For Your Financial Goals

Jhone kinadey

Data spaces in distributed environments should be allowed to evolve in agile ways providing data space owners with large flexibility about which data they store. Agility and heterogeneity, however, jeopardize data exchanges because representations may build on varying ontologies and data consumers may not rely on the semantic correctness of their queries in the context of semantically heterogeneous, evolving data spaces. Graph data spaces are one example of a powerful model for representing and querying data whose semantics may change over time. To assert and enforce conditions on individual graph data spaces, shape languages (e.g SHACL) have been developed. We investigate the question of how querying and programming can be guarded by reasoning over SHACL constraints in a distributed setting and we sketch a picture of how a future landscape based on semantically heterogeneous data spaces might look like.

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Steffen Staab

%in kempton park+277-882-255-28 abortion pills for sale in kempton park

masabamasaba

MakeMyPass" Online Bus Pass Management System illustrates the flow of activities and actions that occur within the system to accomplish specific tasks or use cases. This type of diagram focuses on representing the sequence of activities and decision points involved in a particular process. Below is an example outline and description of key elements that could be included in an Activity Diagram for the system:

BUS PASS MANGEMENT SYSTEM USING PHP.pptx

alwaysnagaraju26

How To Troubleshoot Collaboration Apps for the Modern Connected Worker

ThousandEyes

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

Shane Coughlan

In the realm of real-time applications, Large Language Models (LLMs) have long dominated language-centric tasks, while tools like OpenCV have excelled in the visual domain. However, the future (maybe) lies in the fusion of LLMs and deep learning, giving birth to the revolutionary concept of Large Action Models (LAMs). Imagine a world where AI not only comprehends language but mimics human actions on technology interfaces. For example, the Rabbit r1 device presented at CES 2024, driven by an AI operating system and LAM, brings this vision to life. It executes complex commands, leveraging GUIs with unprecedented ease. In this presentation, join me on a journey as a software engineer tinkering with WebRTC, Janus, and LLM/LAMs. Together, we’ll evaluate the current state of these AI technologies, unraveling the potential they hold for shaping the future of real-time applications.

Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications

Alberto González Trastoy

At the recent Microsoft Ignite 2023 conference, Microsoft unveiled a groundbreaking strategy that will redefine enterprise work management. The plan involves integrating Microsoft’s key planning tools, Microsoft To Do, Microsoft Planner, and Microsoft Project for the web into a unified experience called “Microsoft Planner.” What does this new strategy from Microsoft mean for current users? Join us and learn how best to take advantage of this announcement while gaining a clear path on how to elevate the current state of Microsoft Planner from a basic task manager to a comprehensive tool for Enterprise Work Management using OnePlan. Learn how OnePlan’s integration with Microsoft Planner allows for strategic alignment with business goals through advanced features like strategic planning, portfolio management, resource management, financial management, and more!

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution

OnePlan Solutions

At TECUNIQUE, we're a stable and steadily growing Indian software services company with over 14 years of industry experience. Specializing in offshore software development and quality assurance services, we've built a reputation for delivering unique and effective solutions to start-ups, software development companies, enterprises, and digital agencies. We pride ourselves on our commitment to excellence and innovation. By blending insightful business domain knowledge with exceptional technical prowess, we craft tailor-made solutions that meet the unique needs of our clients. Our dedicated teams are adept in specific technologies, ensuring seamless integration of skills and delivering reliable, scalable, and high-quality software solutions aligned with our clients' preferences. Bespoke Dedicated Teams: Crafted to meet your specific needs and technology preferences, our dedicated teams are committed to delivering top-notch software solutions. Offshore Software Development: Accelerate your software development and scale up quickly with our 12+ years of expertise in offshore development. Quality Assurance Services: Ensure the quality of your software products with our dedicated teams of experienced QA professionals. IT Staff Augmentation: Overcome skill gaps with our client-centric software team, offering staff augmentation services. Expert Software Services: Unlock our capabilities in custom software development, product development, and quality assurance. Mission and Vision: Our mission at TECUNIQUE is to be the catalyst for our clients' success in the dynamic domain of software development. Rooted in our core values of respect, authenticity, and responsibility, we strive to ease the software outsourcing experience, reducing both time and cost to market for our clients. We envision ourselves as the leading Indian software services company, renowned for our unwavering commitment to excellence and innovation. www.tecunique.com

TECUNIQUE: Success Stories: IT Service provider

mohitmore19

%in Midrand+277-882-255-28 abortion pills for sale in midrand

masabamasaba

Azure Native Qumulo scales elastically for common High Performance Compute (HPC) workloads based on application requirements for: Financial Services, Automotive, Genomics / Life Sciences, Media and Entertainment, Energy, Oil and Gas, etc. Performance can be dialed UP (and back down) much higher than the examples shown here. These slides offer a glimpse into ANQ's HPC capabilities, although at a smaller scale. We invite YOU to do your own testing (with a free ANQ trial) and work with us to test your HPC workloads in Azure.

Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf

ryanfarris8

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

Philip Schwarz

In an era where security concerns are paramount, the integration of artificial intelligence (AI) into CCTV cameras has revolutionized surveillance capabilities. One of the most significant advancements is the ability to achieve real-time threat detection, enabling immediate responses to potential security breaches. This blog explores how AI is reshaping surveillance through real-time threat detection and the implications of this technology.

Optimizing AI for immediate response in Smart CCTV

shikhaohhpro

Test automation is a cornerstone of software development and quality assurance in today's rapidly evolving digital landscape. Its significance cannot be overstated. Businesses can enhance efficiency, productivity, and accelerate software delivery to market through automation, streamlining testing processes effectively. This comprehensive guide addresses the best practices for test automation in 2024. It offers a detailed checklist to empower you to optimize your automation efforts and maintain a competitive edge.

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf

kalichargn70th171

The title is not connected to what is inside

shinachiaurasa2

Recently uploaded (20)

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

Right Money Management App For Your Financial Goals

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

%in kempton park+277-882-255-28 abortion pills for sale in kempton park

BUS PASS MANGEMENT SYSTEM USING PHP.pptx

How To Troubleshoot Collaboration Apps for the Modern Connected Worker

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution

TECUNIQUE: Success Stories: IT Service provider

%in Midrand+277-882-255-28 abortion pills for sale in midrand

Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

Optimizing AI for immediate response in Smart CCTV

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf

The title is not connected to what is inside

DMAFV: Testing Device Drivers against DMA Faults

1. DMAFV: Testing Device Drivers against DMA Faults ○Masanori Misono† , Toshiki Hatanaka, Takahiro Shinagawa The University of Tokyo The 37th ACM Symposium On Applied Computing (ACM SAC 2022), Apr 2022 † Currently at TU Munich

2. Background (1/2) ● Device and device driver interaction ○ PIO/MMIO ○ DMA 2 Device Driver

3. Background (2/2) ● Devices can be malfunction or even malicious ● Device drivers should check values from devices 3 Device Driver Anomaly values

4. Existing Methods (1/3) ● Static Analysis / Symbolic Execution ○ Pros ■ No need for actual devices ○ Cons ■ Require source code ■ False positives 4

5. Existing Methods (2/3) ● In-kernel page-fault based fault injection (PeriScope [NDSS’19]) ○ Pros ■ Fine-grained monitoring ● MMIO and DMA region ○ Cons ■ OS-dependent 5 Device Driver Kernel Memory Device memory region

6. Existing Methods (3/3) ● Hypervisor-based fault injection (FaultVisor, FaultVisor2 [SAC’16, CloudCom’18]) ○ Pros ■ OS-independent ■ No need for source code ○ Cons ■ No DMA region support 6 Hypervisor Device Driver Memory Device MMIO region

7. DMAFV ● Test DMA region using hypervisor-based fault injection ● Insight ○ Device holds DMA region information in its registers 7

8. Overview (1/2) DMA region detection 8 Hypervisor Device Driver DMA Region ① Detect device’s DMA region by consulting its registers Memory Device Device MMIO register

9. Overview (2/2) Fault Injection 9 Hypervisor Device Driver DMA Region Memory Device ② Perform fault injection by trapping device driver’s memory accesses to the DMA region Device MMIO register

10. Example: NVMe device ● Use DMA-based command queues ● Addresses of queues are stored in device’s MMIO registers ○ ex) Admin command queue (ACQ) base address register 10 Memory ACQ NVMe ACQ base

11. Prototype Implementation ● Hypervisor ○ BitVisor [VEE’09] ● Target Device ○ NVMe ● Implement NVMe’s command queue detector and fault injection scheme 11

12. Testing the Linux’s NVMe Device Driver ● Linux 4.20 ● Fault injection during loading and unloading device drivers ● DMAFV found a null-pointer dereference 12

13. Overhead Evaluation (NVMe) 13

14. Future Work ● Automatic DMA region detection ● Test other OSs / hypervisors device drivers 14

15. Summary ● Checking values from devices in device drivers are crucial for security ● Existing methods lack OS-independent DMA-value tests DMAFV: ● A novel way to test device drivers against DMA faults ○ Using hypervisor-based fault injection ○ Detect DMA region by consulting device’s registers ● Found a null pointer dereference bug in the Linux’s NVMe driver 15

DMAFV: Testing Device Drivers against DMA Faults

Recommended

Recommended

More Related Content

Similar to DMAFV: Testing Device Drivers against DMA Faults

Similar to DMAFV: Testing Device Drivers against DMA Faults (20)

More from Shinagawa Laboratory, The University of Tokyo

More from Shinagawa Laboratory, The University of Tokyo (9)

Recently uploaded

Recently uploaded (20)

DMAFV: Testing Device Drivers against DMA Faults