Hey List,
me again with one (hopefully final) question.
I'm learning about Driver Security in L4Re. I have some statements which I would like to have confirmed to understand the underlying principles:
1. L4 drivers use DMA and are therefore able to write directly to the device memory and thus can cause crashes or damage if not carefully implemented.
2. While the L4Re Io-Server manages the access of drivers to the hardware's address spaces, it doesn't prevent drivers from writing "bad" things into the device memory.
3. Untrusted, untested drivers can cause system crashes.
best regards
Tobi
Hey,
> I'm learning about Driver Security in L4Re. I have some statements which I would like to have confirmed to understand the underlying principles:
>
> - L4 drivers use DMA and are therefore able to write directly to the device memory and thus can cause crashes or damage if not carefully implemented.
Yes.
> - While the L4Re Io-Server manages the access of drivers to the hardware's address spaces, it doesn't prevent drivers from writing "bad" things into the device memory.
Yes.
> - Untrusted, untested drivers can cause system crashes.
Of course.
Cheers, Bjoern
Hi again,
> - Untrusted, untested drivers can cause system crashes.
>
> Of course.
There's one thing to add, though: By running device drivers in dedicated user-level processes, a crashing driver in the common case only takes down its own process, but the rest of the system continues to run. That's a major advantage, because you can have a monitoring process that then restarts the driver [1] this way.
However, even a user space driver can still crash the system if it goes rampant by misprogramming the DMA engine and you don't use an IOMMU.
Bjoern
[1] J. Herder et al., "Failure Resilience for Device Drivers", DSN 2007.
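Bjoern's last point, that a user-level driver which misprograms its DMA engine can still take down the whole system unless an IOMMU sits between the device and memory, as an added illustration that is not code from L4Re, from the Io-Server, or from anyone in this thread: a toy C model of a DMA engine writing into a small "physical memory", once with the bus address used raw and once translated through a per-device IOMMU context. Every name in it (phys_mem, iommu_ctx, dma_write, the page numbers) is a hypothetical stand-in, not a real L4Re interface.

```c
/* Added illustration (not L4Re or Io-Server code): a toy DMA engine with and
 * without an IOMMU in front of it. All names here are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE            4096u
#define NPAGES          8u
#define KERNEL_PAGE     0u            /* page 0 holds "kernel" data          */
#define DRIVER_BUF_PAGE 5u            /* physical page the driver really owns */
#define IOVA_PAGES      4u            /* size of the device's IOMMU space     */
#define DRIVER_IOVA     (1u * PAGE)   /* device-visible address of that page  */

static uint8_t phys_mem[NPAGES * PAGE];

/* Per-device IOMMU context: IOVA page -> physical page, or -1 if unmapped. */
struct iommu_ctx {
    bool enabled;
    int  map[IOVA_PAGES];
    bool writable[IOVA_PAGES];
};

enum dma_result { DMA_OK = 0, DMA_FAULT = 1 };

/* Translate one device address; fails on unmapped or read-only pages. */
static int translate(const struct iommu_ctx *ctx, uint64_t iova, uint64_t *phys)
{
    uint64_t page = iova / PAGE, off = iova % PAGE;
    if (page >= IOVA_PAGES || ctx->map[page] < 0 || !ctx->writable[page])
        return -1;
    *phys = (uint64_t)ctx->map[page] * PAGE + off;
    return 0;
}

/* The device writes len bytes of src to bus address addr. */
static enum dma_result dma_write(const struct iommu_ctx *ctx, uint64_t addr,
                                 const void *src, size_t len)
{
    if (!ctx->enabled) {
        /* No IOMMU: bus address == physical address, so whatever the driver
         * programmed into the engine is written, kernel pages included. */
        if (addr + len > sizeof phys_mem)
            return DMA_FAULT;                  /* off the end of RAM */
        memcpy(phys_mem + addr, src, len);
        return DMA_OK;
    }
    /* IOMMU: every page of the transfer must be mapped writable for this
     * device; check all of them before a single byte lands. */
    uint64_t phys;
    for (uint64_t cur = addr; cur < addr + len; cur += PAGE - cur % PAGE)
        if (translate(ctx, cur, &phys) < 0)
            return DMA_FAULT;
    for (size_t done = 0; done < len; ) {
        uint64_t cur = addr + done;
        size_t chunk = PAGE - cur % PAGE;
        if (chunk > len - done) chunk = len - done;
        translate(ctx, cur, &phys);
        memcpy(phys_mem + phys, (const uint8_t *)src + done, chunk);
        done += chunk;
    }
    return DMA_OK;
}

/* Fresh state: known pattern in the kernel page, one writable mapping that
 * (as a resource manager like the Io-Server would) grants the driver only
 * its own buffer. */
static void reset_model(struct iommu_ctx *ctx, bool with_iommu)
{
    memset(phys_mem, 0, sizeof phys_mem);
    memset(phys_mem + KERNEL_PAGE * PAGE, 0xAA, PAGE);
    ctx->enabled = with_iommu;
    for (unsigned i = 0; i < IOVA_PAGES; i++) {
        ctx->map[i] = -1;
        ctx->writable[i] = false;
    }
    ctx->map[DRIVER_IOVA / PAGE] = (int)DRIVER_BUF_PAGE;
    ctx->writable[DRIVER_IOVA / PAGE] = true;
}

bool kernel_page_intact(void)
{
    for (size_t i = 0; i < PAGE; i++)
        if (phys_mem[KERNEL_PAGE * PAGE + i] != 0xAA)
            return false;
    return true;
}

bool driver_buf_has(const char *s)
{
    return memcmp(phys_mem + DRIVER_BUF_PAGE * PAGE, s, strlen(s)) == 0;
}

/* Well-behaved driver: targets its own buffer via its IOVA (or the raw
 * physical address when there is no IOMMU to translate). */
enum dma_result good_driver_dma(bool with_iommu)
{
    struct iommu_ctx ctx;
    reset_model(&ctx, with_iommu);
    uint64_t target = with_iommu ? DRIVER_IOVA : DRIVER_BUF_PAGE * PAGE;
    return dma_write(&ctx, target, "packet", 7);
}

/* Buggy driver: programs address 0 into the engine, i.e. the kernel page. */
enum dma_result rogue_driver_dma(bool with_iommu)
{
    struct iommu_ctx ctx;
    reset_model(&ctx, with_iommu);
    return dma_write(&ctx, 0, "garbage", 8);
}

int main(void)
{
    for (int iommu = 0; iommu <= 1; iommu++) {
        enum dma_result r = rogue_driver_dma(iommu);
        printf("iommu=%d rogue DMA: %s, kernel page %s\n", iommu,
               r == DMA_OK ? "completed" : "faulted",
               kernel_page_intact() ? "intact" : "CORRUPTED");
    }
    return 0;
}
```

Without the IOMMU the rogue transfer completes and the kernel page is overwritten: the driver process is isolated, but the device it programs is not, which is exactly the residual risk Bjoern describes. With the IOMMU the same misprogrammed transfer faults before any byte is written, while the driver's legitimate transfer into its own mapped page still succeeds.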
l4-hackers@os.inf.tu-dresden.de