DOI: 10.1145/3173162.3173175
research-article

DAMN: Overhead-Free IOMMU Protection for Networking

Published: 19 March 2018

Abstract

DMA operations can access memory buffers only if they are "mapped" in the IOMMU, so operating systems protect themselves against malicious/errant network DMAs by mapping and unmapping each packet immediately before/after it is DMAed. This approach was recently found to be riskier and less performant than keeping packets non-DMAable and instead copying their content to/from permanently-mapped buffers. Still, the extra copy hampers performance of multi-gigabit networking. We observe that achieving protection at the DMA (un)map boundary is needlessly constraining, as devices must be prevented from changing the data only after the kernel reads it. So there is no real need to switch ownership of buffers between kernel and device at the DMA (un)mapping layer, as opposed to the approach taken by all existing IOMMU protection schemes. We thus eliminate the extra copy by (1) implementing a new allocator called DMA-Aware Malloc for Networking (DAMN), which (de)allocates packet buffers from a memory pool permanently mapped in the IOMMU; (2) modifying the network stack to use this allocator; and (3) copying packet data only when the kernel needs it, which usually morphs the aforementioned extra copy into the kernel's standard copy operation performed at the user-kernel boundary. DAMN thus provides full IOMMU protection with performance comparable to that of an unprotected system.
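
The abstract's key observation, that a device only has to be stopped from changing data after the kernel has read it, can be shown with a small user-space model. This is an added example, not code from the paper or from DAMN; `dma_buf`, `kernel_copy`, the packet layout and the device hooks are hypothetical stand-ins for a permanently mapped buffer, kernel-private memory and a device write that lands mid-processing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 64

/* Constructed packet layout: length field followed by payload. */
struct pkt { uint16_t len; uint8_t payload[PAYLOAD_MAX]; };

/* Stand-in for a buffer in the permanently IOMMU-mapped pool:
 * the device may rewrite it at any time. */
static struct pkt dma_buf;
/* Stand-in for kernel-private memory the device cannot reach. */
static struct pkt kernel_copy;

/* Hypothetical hook: a device write landing between two kernel reads. */
typedef void (*device_write_fn)(struct pkt *);
static void errant_device(struct pkt *p) { p->len = 4096; }
static void quiet_device(struct pkt *p) { (void)p; }

/* Simulates the NIC delivering a packet that claims n payload bytes. */
static void device_rx(uint16_t n)
{
    memset(&dma_buf, 0xAB, sizeof dma_buf);
    dma_buf.len = n;
}

/* Unsafe: validates and then uses the length in device-writable memory,
 * so the value checked and the value used can differ. */
static unsigned consume_in_place(device_write_fn dev)
{
    if (dma_buf.len > PAYLOAD_MAX)   /* first fetch: validate */
        return 0;
    dev(&dma_buf);                   /* device writes after the check */
    return dma_buf.len;              /* second fetch: unvalidated */
}

/* Safe: copies once when the kernel needs the data, then validates and
 * uses only the private copy; later device writes have no effect. */
static unsigned consume_after_copy(device_write_fn dev)
{
    memcpy(&kernel_copy, &dma_buf, sizeof kernel_copy);
    dev(&dma_buf);                   /* too late to matter */
    return kernel_copy.len > PAYLOAD_MAX ? 0 : kernel_copy.len;
}

int main(void)
{
    device_rx(16); printf("in place:   %u\n", consume_in_place(errant_device));
    device_rx(16); printf("after copy: %u\n", consume_after_copy(errant_device));
    return 0;
}
```
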



Published In

ASPLOS '18: Proceedings of the Twenty-Third International Conference on Architectural Support for Programming Languages and Operating Systems
March 2018
827 pages
ISBN: 9781450349116
DOI: 10.1145/3173162
  • ACM SIGPLAN Notices, Volume 53, Issue 2
    ASPLOS '18
    February 2018
    809 pages
    ISSN: 0362-1340
    EISSN: 1558-1160
    DOI: 10.1145/3296957
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. DMA attacks
  2. IOMMU

Qualifiers

  • Research-article

Funding Sources

  • Israel Science Foundation

Conference

ASPLOS '18

Acceptance Rates

ASPLOS '18 Paper Acceptance Rate 56 of 319 submissions, 18%;
Overall Acceptance Rate 535 of 2,713 submissions, 20%

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months): 94
  • Downloads (Last 6 weeks): 3
Reflects downloads up to 05 Mar 2025

Citations

Cited By

  • (2025) Enhancing IOMMU Efficiency in Heterogeneous SaCs: A Study on Cache Policy Impacts. 2025 International Conference on Electronics, Information, and Communication (ICEIC), (1-4). DOI: 10.1109/ICEIC64972.2025.10879735. Online publication date: 19-Jan-2025
  • (2024) VPRI: Efficient I/O Page Fault Handling via Software-Hardware Co-Design for IaaS Clouds. Proceedings of the ACM SIGOPS 30th Symposium on Operating Systems Principles, (541-557). DOI: 10.1145/3694715.3695957. Online publication date: 4-Nov-2024
  • (2024) Fast & Safe IO Memory Protection. Proceedings of the ACM SIGOPS 30th Symposium on Operating Systems Principles, (95-109). DOI: 10.1145/3694715.3695943. Online publication date: 4-Nov-2024
  • (2024) sIOPMP: Scalable and Efficient I/O Protection for TEEs. Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2, (1061-1076). DOI: 10.1145/3620665.3640378. Online publication date: 27-Apr-2024
  • (2022) Understanding host interconnect congestion. Proceedings of the 21st ACM Workshop on Hot Topics in Networks, (198-204). DOI: 10.1145/3563766.3564110. Online publication date: 14-Nov-2022
  • (2022) Boosting Inter-process Communication with Architectural Support. ACM Transactions on Computer Systems, 39:1-4, (1-35). DOI: 10.1145/3532861. Online publication date: 5-Jul-2022
  • (2022) General and Fast Inter-Process Communication via Bypassing Privileged Software. IEEE Transactions on Computers, 71:10, (2435-2448). DOI: 10.1109/TC.2021.3130751. Online publication date: 1-Oct-2022
  • (2022) LA-vIOMMU: An Efficient Hardware-Software Co-design of IOMMU Virtualization. 2022 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom), (246-253). DOI: 10.1109/ISPA-BDCloud-SocialCom-SustainCom57177.2022.00038. Online publication date: Dec-2022
  • (2021) An Efficient and Reliable Algorithm for Wireless Sensor Network. Sensors, 21:24, (8355). DOI: 10.3390/s21248355. Online publication date: 14-Dec-2021
  • (2021) TwinVisor. Proceedings of the ACM SIGOPS 28th Symposium on Operating Systems Principles, (638-654). DOI: 10.1145/3477132.3483554. Online publication date: 26-Oct-2021
