1. DMAFV: Testing Device Drivers against DMA Faults
Masanori Misono†, Toshiki Hatanaka, Takahiro Shinagawa
The University of Tokyo
The 37th ACM Symposium On Applied Computing (ACM SAC 2022), Apr 2022
† Currently at TU Munich
3. Background (2/2)
● Devices can malfunction or even be malicious
● Device drivers should check values from devices
[Figure: Device Driver / Anomaly values]
4. Existing Methods (1/3)
● Static Analysis / Symbolic Execution
○ Pros
■ No need for actual devices
○ Cons
■ Requires source code
■ False positives
5. Existing Methods (2/3)
● In-kernel page-fault based fault injection (PeriScope [NDSS’19])
○ Pros
■ Fine-grained monitoring
● MMIO and DMA region
○ Cons
■ OS-dependent
[Figure: Device Driver / Kernel / Memory / Device memory region]
6. Existing Methods (3/3)
● Hypervisor-based fault injection (FaultVisor, FaultVisor2 [SAC’16, CloudCom’18])
○ Pros
■ OS-independent
■ No need for source code
○ Cons
■ No DMA region support
[Figure: Hypervisor / Device Driver / Memory / Device MMIO region]
7. DMAFV
● Test DMA region using hypervisor-based fault injection
● Insight
○ Device holds DMA region information in its registers
8. Overview (1/2): DMA region detection
① Detect device’s DMA region by consulting its registers
[Figure: Hypervisor / Device Driver / DMA Region / Memory / Device / Device MMIO register]
9. Overview (2/2): Fault injection
② Perform fault injection by trapping the device driver’s memory accesses to the DMA region
[Figure: Hypervisor / Device Driver / DMA Region / Memory / Device / Device MMIO register]
10. Example: NVMe device
● Use DMA-based command queues
● Addresses of queues are stored in device’s MMIO registers
○ e.g., Admin command queue (ACQ) base address register
[Figure: Memory / ACQ / NVMe / ACQ base]
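As an added illustration of the two steps on slides 8 to 10 (this is not code from the paper or from the DMAFV implementation): parse an NVMe controller's admin queue registers from a constructed MMIO snapshot to locate the DMA regions, then model a hypervisor that returns an anomalous value when the driver reads inside those regions. It generalises slightly beyond the slide by also deriving region lengths from the AQA register; the register offsets and entry sizes follow the NVMe base specification, while the snapshot values and the all-ones fault model are assumptions.

```python
import struct

# NVMe controller register offsets (NVMe base spec) describing the admin queues
# that the device will DMA to and from. ACQ is the Admin Completion Queue.
AQA_OFFSET = 0x24   # Admin Queue Attributes: ASQS bits 11:0, ACQS bits 27:16 (0-based)
ASQ_OFFSET = 0x28   # Admin Submission Queue base address, 64-bit, 4 KiB aligned
ACQ_OFFSET = 0x30   # Admin Completion Queue base address, 64-bit, 4 KiB aligned
SQ_ENTRY_SIZE = 64  # bytes per submission queue entry
CQ_ENTRY_SIZE = 16  # bytes per completion queue entry
PAGE_MASK = 0xFFFF_FFFF_FFFF_F000


def admin_queue_regions(mmio: bytes) -> dict:
    """Step 1: derive {'asq': (base, length), 'acq': (base, length)}
    from a snapshot of the device's MMIO register block."""
    (aqa,) = struct.unpack_from("<I", mmio, AQA_OFFSET)
    (asq,) = struct.unpack_from("<Q", mmio, ASQ_OFFSET)
    (acq,) = struct.unpack_from("<Q", mmio, ACQ_OFFSET)
    asq_entries = (aqa & 0xFFF) + 1          # sizes are stored 0-based
    acq_entries = ((aqa >> 16) & 0xFFF) + 1
    return {
        "asq": (asq & PAGE_MASK, asq_entries * SQ_ENTRY_SIZE),
        "acq": (acq & PAGE_MASK, acq_entries * CQ_ENTRY_SIZE),
    }


def in_dma_region(addr: int, regions: dict) -> bool:
    return any(base <= addr < base + length for base, length in regions.values())


def inject_fault(addr: int, value: int, regions: dict, width: int = 4) -> int:
    """Step 2 (hypervisor-side model, an assumption of this example): a driver
    read that lands in a DMA region gets an anomalous all-ones value;
    reads elsewhere pass through unchanged."""
    if in_dma_region(addr, regions):
        return (1 << (8 * width)) - 1
    return value


def sample_mmio() -> bytes:
    """Constructed register snapshot, not captured from real hardware:
    ASQ with 32 entries at 0x1000, ACQ with 16 entries at 0x3000."""
    regs = bytearray(0x40)
    struct.pack_into("<I", regs, AQA_OFFSET, (15 << 16) | 31)
    struct.pack_into("<Q", regs, ASQ_OFFSET, 0x1000)
    struct.pack_into("<Q", regs, ACQ_OFFSET, 0x3000)
    return bytes(regs)


if __name__ == "__main__":
    regions = admin_queue_regions(sample_mmio())
    print(regions)                               # {'asq': (4096, 2048), 'acq': (12288, 256)}
    print(hex(inject_fault(0x3008, 0x1, regions)))  # 0xffffffff (inside ACQ, faulted)
    print(hex(inject_fault(0x9000, 0x1, regions)))  # 0x1 (outside any DMA region)
```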
12. Testing the Linux NVMe Device Driver
● Linux 4.20
● Fault injection during loading and unloading device drivers
● DMAFV found a null-pointer dereference
14. Future Work
● Automatic DMA region detection
● Test device drivers on other OSs / hypervisors
15. Summary
● Checking values from devices in device drivers is crucial for security
● Existing methods lack OS-independent DMA-value tests
DMAFV:
● A novel way to test device drivers against DMA faults
○ Using hypervisor-based fault injection
○ Detect DMA region by consulting device’s registers
● Found a null-pointer dereference bug in the Linux NVMe driver