Static Detection of Unsafe DMA Accesses in Device Drivers


This presentation investigates the security risks posed by Direct Memory Access (DMA) in device drivers. The researchers propose a static approach for identifying and preventing unsafe DMA accesses. The study addresses various challenges and provides an evaluation of the proposed method.

  • Security Risks
  • DMA Accesses
  • Device Drivers
  • Detection
  • Static Approach

Uploaded on Feb 24, 2025



Presentation Transcript


  1. Static Detection of Unsafe DMA Accesses in Device Drivers. Jia-Ju Bai (Tsinghua University), Tuo Li (Tsinghua University), Kangjie Lu (University of Minnesota), Shi-Min Hu (Tsinghua University). USENIX Security 21

  2. Outline: DMA; Challenge; SADA Approach; Evaluation; Conclusion

  3. DMA

  4. DMA type. Coherent DMA buffer: synchronous. Streaming DMA buffer: asynchronous.

  5. DMA Problems: DMA attack; invalid mapping; improper checking of buffer creation; buffer-destroy omission

  6. Security Risks of DMA Accesses. Streaming DMA access: inconsistent DMA access

  7. Security Risks of DMA Accesses. Coherent DMA access: unchecked DMA access

  8. Security Risks of DMA Accesses

  9. DMA

  10. DMA

  11. Outline: DMA; Challenge; SADA Approach; Evaluation; Conclusion

  12. Challenges: identifying DMA accesses; checking the safety of DMA accesses; dropping false positives

  13-15. Challenge 1: Identifying DMA accesses. Handling DMA-buffer creation; identifying DMA accesses

  16-21. Challenge 2: DMA-Access Safety Checking. Checking streaming DMA access; checking coherent DMA access; infinite looping; buffer overflow; invalid-pointer access; taint analysis

  22. Challenge 3: Code-Path Validation. SMT solver Z3: getting path constraints; adding constraints for triggering security bugs; solving all constraints

  23. Outline: DMA; Challenge; SADA Approach; Evaluation; Conclusion

  24. SADA Approach

  25. Outline: DMA; Challenge; SADA Approach; Evaluation; Conclusion

  26. Evaluation. Eight Intel i7-3770 CPU@3.40GHz processors; 16GB physical memory; x86-64 Linux 5.6; configuration: allyesconfig

  27. Evaluation: Detection of Unsafe DMA Accesses. Analyzing driver code: it spends 270 minutes on analyzing 8.8M lines of source code in 14.6K source files. Identifying DMA accesses: it identifies over 28K DMA accesses according to 2,781 created DMA buffers. Detecting unsafe DMA accesses: SADA finds 321 unsafe DMA accesses, including 131 inconsistent DMA accesses and 190 unchecked DMA accesses. Security impact of unsafe DMA accesses: inconsistent DMA accesses: 123; buffer-overflow: 121; invalid-pointer accesses: 36; infinite looping: 4

  28. Evaluation: False Positives and Negatives. False positives: the alias analyses used in SADA can make mistakes. False negatives: wrapper functions; function-pointer; neglect driver concurrency

  29. Evaluation: Root Causes and Fixing Suggestions

  30. Outline: DMA; Challenge; SADA Approach; Evaluation; Conclusion

  31. Conclusion. We propose a static approach named SADA, to automatically and accurately detect unsafe DMA accesses in device drivers. SADA integrates three key techniques, including a field-based alias analysis to identify DMA accesses, a flow-sensitive and pattern-based analysis to check the safety of each DMA access, and a code-path validation method to drop false positives. SADA finds 284 real unsafe DMA accesses, which can cause unexpected hardware behaviors or trigger security bugs.

  32. END
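
The slides on coherent DMA access name the unchecked DMA access and list buffer overflow and infinite looping among its consequences. The block below is an added example, not code from the slides or from SADA, that sketches the pattern in user-space C next to a checked form. `struct rx_desc`, `rx_copy_unchecked` and `rx_copy_checked` are hypothetical names, and the example assumes "unchecked" means a device-written value used without validation.

```c
#include <stddef.h>
#include <stdint.h>

#define RX_BUF_SIZE 64u  /* capacity of the driver's private buffer */

/* Constructed stand-in for a descriptor in a coherent DMA buffer. The device
 * may rewrite it at any time, so each field read yields untrusted data. */
struct rx_desc {
    volatile uint32_t len;        /* payload length, device-written */
    volatile uint8_t  data[256];  /* payload bytes, device-written */
};

/* Unchecked DMA access: d->len comes straight from DMA memory and is used as
 * the loop bound, so a length above RX_BUF_SIZE overflows dst, and a device
 * that keeps raising len keeps the loop running. */
int rx_copy_unchecked(const struct rx_desc *d, uint8_t *dst)
{
    for (uint32_t i = 0; i < d->len; i++)   /* len re-read every iteration */
        dst[i] = d->data[i];
    return (int)d->len;
}

/* Checked form: read the length once into a local, validate the local, and
 * never read d->len again, so the device cannot change it after the check. */
int rx_copy_checked(const struct rx_desc *d, uint8_t *dst, size_t dst_cap)
{
    uint32_t len = d->len;                  /* single snapshot */
    if (len > dst_cap || len > sizeof(d->data))
        return -1;                          /* reject rather than clamp */
    for (uint32_t i = 0; i < len; i++)
        dst[i] = d->data[i];
    return (int)len;
}

int main(void)
{
    static struct rx_desc d;                /* constructed sample descriptor */
    uint8_t dst[RX_BUF_SIZE] = {0};
    d.len = 200;                            /* value a faulty device could write */
    return rx_copy_checked(&d, dst, sizeof(dst)) == -1 ? 0 : 1;
}
```
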
