I saw this thread in the l4-hackers mailing list: http://os.inf.tu-dresden.de/pipermail/l4-hackers/2012/005403.html
Could you please answer the same questions regarding drivers in genode.
Is it the same way as in L4Re?
Hello Robert,
I saw this thread in the l4-hackers mailing list: http://os.inf.tu-dresden.de/pipermail/l4-hackers/2012/005403.html
Could you please answer the same questions regarding drivers in genode.
Is it the same way as in L4Re?
the situation is similar. Unless an IOMMU is used, any device that can perform DMA bus transactions is able to access the entire physical memory (and also other devices on the system bus). A malicious driver could program the device to read or write arbitrary memory including the kernel memory.
IOMMUs are a protection measure against these kinds of attacks. Of the kernels supported by Genode, only NOVA provides IOMMU support as of now. However, Genode does not make use of it yet.
Note that despite of this security hole, running drivers in different address spaces is still beneficial. Because driver stability problems often stem from reasons unrelated DMA (i.e., improper device initialization or faults in the driver logic), the ability to isolate these kinds of faults to the driver's address space is valuable.
Furthermore, the execution of each device driver within an largely isolated compartment drastically reduces the attack surface of the individual driver and thereby reduces the chances of an attacker to take over a driver (i.e., to execute a DMA attack).
Best regards Norman
-
Norman Feske -
Robert Campbell