Research article. DOI: 10.1145/3477314.3507082

DMAFV: testing device drivers against DMA faults

Published: 06 May 2022

Abstract

A device may produce invalid values due to a malfunction or infection with malicious firmware. Many device drivers, however, implicitly assume that devices conform to their specifications and often do not sufficiently check device input values. One approach to detecting faulty device drivers is fault injection. However, previous studies targeted the MMIO (memory-mapped I/O) area and I/O instructions, but not the DMA (direct memory access) area.
In this study, we propose a novel way to test device drivers against DMA faults by performing fault injection of the DMAed data. The proposed method identifies the DMA region by consulting the device's registers. Fault injection is realized by trapping memory accesses to the DMA region from the OS using a hypervisor and returning a fault-injected value. To reduce the overhead of the hypervisor, we use a thin hypervisor for fault injection.
Using the proposed method, we found one bug in the Linux NVMe driver. The bug had been reported and confirmed by a developer and fixed later. We evaluate the overhead of the method and find it small enough to allow for its practical use.
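
The mechanism described in the abstract, modelled in user space as an added example (not the paper's hypervisor and not Linux NVMe driver code): every driver read of a DMA-resident field returns a bit-flipped value, and a handler that validates the field is compared with one that does not. The `cqe` layout, `QUEUE_DEPTH`, and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define QUEUE_DEPTH 8            /* assumed number of request slots */

/* Constructed completion entry; not any real device's layout. */
struct cqe { uint16_t command_id; uint16_t status; };
static struct cqe dma_region;    /* stands in for device-written memory */
static uint16_t fault_mask;      /* bits flipped on each trapped read */

/* Models the trap on a DMA-region read: returns the faulted value. */
static uint16_t dma_read16(const uint16_t *p) { return (uint16_t)(*p ^ fault_mask); }

/* Slots below QUEUE_DEPTH are the request table; the rest models adjacent memory. */
static uint8_t mem[65536];

/* Handler that trusts the device and indexes with whatever it read. */
static int complete_unchecked(void)
{
    mem[dma_read16(&dma_region.command_id)]++;
    return 0;
}

/* Handler that fetches the field once and validates it before use. */
static int complete_checked(void)
{
    uint16_t id = dma_read16(&dma_region.command_id);
    if (id >= QUEUE_DEPTH)
        return -1;               /* reject the completion */
    mem[id]++;
    return 0;
}

/* Flip each command_id bit in turn; count faults that wrote outside the table. */
static int run_campaign(int (*handler)(void))
{
    int corrupting = 0;
    for (int bit = 0; bit < 16; bit++) {
        memset(mem, 0, sizeof mem);
        dma_region.command_id = 3;          /* valid id the device "wrote" */
        fault_mask = (uint16_t)(1u << bit);
        handler();
        for (size_t i = QUEUE_DEPTH; i < sizeof mem; i++)
            corrupting += mem[i] != 0;
    }
    return corrupting;
}

/* Exit status 0: checked handler had no stray writes, unchecked had 13. */
int main(void) { return run_campaign(complete_checked) != 0 || run_campaign(complete_unchecked) != 13; }
```

Of the 16 single-bit faults, the three that keep the id below `QUEUE_DEPTH` are harmless to both handlers; the other 13 make the unchecked handler write outside its table.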

Published In

SAC '22: Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing
April 2022
2099 pages
ISBN:9781450387132
DOI:10.1145/3477314
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. DMA
  2. device driver
  3. fault injection
  4. security

Conference

SAC '22
Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%
