L4 Driver Security
doebel at os.inf.tu-dresden.de
Wed Jun 20 12:24:37 CEST 2012
>> 3. Untrusted, untested drivers can cause system crashes.
> Of course.
There's one thing to add, though: By running device drivers in dedicated
user-level processes, a crashing driver in the common case only takes
down its own process, but the rest of the system continues to run.
That's a major advantage, because you can have a monitoring process that
then restarts the driver this way.
However, even a user space driver can still crash the system if it goes
rampant by misprogramming the DMA engine and you don't use an IOMMU.
 J. Herder et al. "Failure resilience for device drivers", DSN 2007
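As an added illustration of the restart-on-crash point made above (this is example code, not from the post, the paper or any L4 component), here is a minimal user-level driver supervisor built on POSIX fork/waitpid. Each driver run is a separate process; when it dies from a signal, only that process is gone and the supervisor restarts it. The driver callback signature, the attempt counter and the restart limit are assumptions of this demo. It shows the benefit the message describes and, in the comments, its limit: a driver misprogramming a DMA engine is not contained by process isolation, only by an IOMMU.

```c
/* Added example (not from the mailing-list post or the L4 project): a
 * minimal supervisor that runs a device driver in its own process and
 * restarts it when it crashes.  The driver_fn callback, the `attempt`
 * counter and the restart limit are assumptions made for this demo.
 *
 * Caveat matching the post: process isolation contains CPU-side faults
 * (bad pointer, abort).  It does nothing against a driver that programs a
 * DMA engine with a wrong address; only an IOMMU restricts what the device
 * itself may write. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Driver entry point: returns 0 on a clean shutdown, non-zero on error.
 * `attempt` tells the driver how many times it has been restarted so far. */
typedef int (*driver_fn)(int attempt);

/* Run `drv` in a child process and restart it after a crash or error exit,
 * at most `max_restarts` times.  Returns the number of restarts that were
 * needed before a clean exit, or -1 if the limit was reached. */
int run_supervised(driver_fn drv, int max_restarts)
{
    int restarts = 0;
    for (;;) {
        pid_t pid = fork();
        if (pid < 0) {
            perror("fork");
            return -1;
        }
        if (pid == 0) {
            /* Child: the driver runs here, isolated from the supervisor.
             * _exit() avoids flushing the parent's stdio buffers twice. */
            _exit(drv(restarts));
        }
        int status = 0;
        if (waitpid(pid, &status, 0) < 0) {
            perror("waitpid");
            return -1;
        }
        if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
            return restarts;                 /* clean shutdown */
        if (WIFSIGNALED(status))
            fprintf(stderr, "driver killed by signal %d, restarting\n",
                    WTERMSIG(status));
        /* The supervisor itself survived the crash; decide on a restart. */
        if (restarts >= max_restarts)
            return -1;
        restarts++;
    }
}

/* Constructed faulty driver: dies with SIGSEGV on its first two runs, as a
 * driver with a bad pointer would, then behaves.  raise() is used instead
 * of a real bad access so the outcome is deterministic. */
int flaky_driver(int attempt)
{
    if (attempt < 2)
        raise(SIGSEGV);
    return 0;
}

/* Constructed driver that never recovers: the supervisor must give up. */
int hopeless_driver(int attempt)
{
    (void)attempt;
    abort();                                 /* SIGABRT on every run */
}

int main(void)
{
    printf("flaky driver needed %d restart(s)\n",
           run_supervised(flaky_driver, 5));
    printf("hopeless driver result: %d (gave up)\n",
           run_supervised(hopeless_driver, 3));
    return 0;
}
```

The restart limit matters in practice: without it a driver that crashes on every start turns the supervisor into a busy loop, so a real monitor would also add back-off and log each failure for later analysis.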