Genode drivers

Norman Feske norman.feske at ...1...
Thu Jun 21 20:50:26 CEST 2012


Hello Robert,

> I saw this thread in the l4-hackers mailing list:
> http://os.inf.tu-dresden.de/pipermail/l4-hackers/2012/005403.html
> 
> Could you please answer the same questions regarding drivers in genode.
> 
> Is it the same way as in L4Re?

The situation is similar. Unless an IOMMU is used, any device that can
perform DMA bus transactions is able to access the entire physical
memory (and also other devices on the system bus). A malicious driver
could program the device to read or write arbitrary memory including the
kernel memory.

IOMMUs are a protection measure against these kinds of attacks. Of the
kernels supported by Genode, only NOVA provides IOMMU support as of now.
However, Genode does not make use of it yet.

Note that despite this security hole, running drivers in different
address spaces is still beneficial. Because driver stability problems
often stem from reasons unrelated to DMA (i.e., improper device
initialization or faults in the driver logic), the ability to isolate
these kinds of faults to the driver's address space is valuable.

Furthermore, the execution of each device driver within a largely
isolated compartment drastically reduces the attack surface of the
individual driver and thereby reduces the chances of an attacker to take
over a driver (i.e., to execute a DMA attack).

Best regards
Norman

-- 
Dr.-Ing. Norman Feske
Genode Labs

http://www.genode-labs.com · http://genode.org

Genode Labs GmbH · Dresden District Court · HRB 28424 · Registered office: Dresden
Managing directors: Dr.-Ing. Norman Feske, Christian Helmuth



