SlideShare a Scribd company logo

Faults inside System Software

National Cheng Kung University
National Cheng Kung University

Faults inside system software were analyzed, with a focus on diagnosing faults in device drivers. Approaches to deal with faulty drivers included runtime isolation and static analysis. Runtime isolation involves running each driver in a separate process or virtual machine to isolate failures. Static analysis techniques inspect source code for issues like concurrency errors, protocol violations, and invalid register values without needing to execute the code. The talk provided statistics on driver faults, discussed the Linux driver model and common bug causes, and outlined techniques like instrumentation and specification-based development to improve driver correctness and security.

Technology
1 of 50
Download to read offline
Faults inside System Software Jim Huang ( 黃敬群 ) <jserv@0xlab.org> June 6, 2013 / NCU, Taiwan
Rights to copy Attribution – ShareAlike 3.0 You are free to copy, distribute, display, and perform the work to make derivative works to make commercial use of the work Under the following conditions Attribution. You must give the original author credit. Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one. For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the copyright holder. Your fair use and other rights are in no way affected by the above. License text: http://creativecommons.org/licenses/by-sa/3.0/legalcode © Copyright 2013 0xlab http://0xlab.org/ Corrections, suggestions, contributions and translations are welcome! Latest update: June 8, 2013
Goals of This Presentation • Analysis of Large-scale system software • Diagnose faults inside system software, especially for device drivers • Deal with faulty device driver implementation
Agenda • General Analysis about Faulty system software • Approaches to Deal – Runtime Isolation – Static Analysis
General Analysis about Faulty System Software
Some statistics • Drivers cause 85% of Windows XP crashes. – Michael M. Swift, Brian N. Bershad, Henry M. Levy: “Improving the Reliability of Commodity Operating Systems”, SOSP 2003 • Error rate in Linux drivers is 3x (maximum: 10x) higher than for the rest of the kernel – Life expectancy of a bug in the Linux kernel (~2.4): 1.8 years – Andy Chou, Junfeng Yang, Benjamin Chelf, Seth Hallem, Dawson R. Engler: “An Empirical Study of Operating System Errors”, SOSP 2001
• Causes for driver bugs – 23% programming error – 38% mismatch regarding device specification – 39% OS-driver-interface misconceptions – Leonid Ryzhyk, Peter Chubb, Ihor Kuz and Gernot Heiser: “Dingo: Taming device drivers”, EuroSys 2009 Some statistics
• [Aug 8, 2008] Bug report: e1000 PCI-X network cards rendered broken by Linux 2.6.27-rc – overwritten NVRAM on card • [Oct 1, 2008] Intel releases quickfix – map NVRAM somewhere else • [Oct 15, 2008] Reason found: – dynamic ftrace framework tries to patch __init code, but .init sections are unmapped after running init code – NVRAM got mapped to same location – scary cmpxchg() behavior on I/O memory • [Nov 2, 2008] dynamic ftrace reworked for Linux 2.6.28-rc3 Anecdote: Linux e1000 NVRAM bug FTrace & NIC driver!
Linux Device Driver bugs [Dingo: Taming device drivers, 2009]
• consists of – 7702 features – 893 Kconfig files – 31281 source files – 88897 #ifdef blocks Linux version 3.0
Even worse...
• Devices connected by buses (USB, PCI, PCIx) • Host chipset (DMA logic, IRQ controller) connects buses and CPU System Layout
Example: Intel 925x chipset
• Problem: more and more devices – need means of dynamic device discovery • Probing – try out every driver to see if it works • Plug-n-Play – first try of dynamic system description – device manufacturers provide unique IDs • PCI: dedicated config space • ACPI: system description without relying on underlying bus/chipset Bus & Devices
• Intel, 1996 • Tree of devices – root = Host Controller (UHCI, OHCI, EHCI) – Device drivers use Host Controller (HC) to communicate with their device via USB Request Blocks (URBs) – USB is a serial bus • HC serializes URBs • Wide range of device classes (input, storage, peripherals, ...) – classes allow generic drivers Bus: USB
• BlackHat 2013 – MACTANS: INJECTING MALWARE INTO IOS DEVICES VIA MALICIOUS CHARGERS – http://www.blackhat.com/us-13/briefings.html#Lau • "we demonstrate how an iOS device can be compromised within one minute of being plugged into a malicious charger. We first examine Apple’s existing security mechanisms to protect against arbitrary software installation, then describe how USB capabilities can be leveraged to bypass these defense mechanisms." Attack iOS through USB charger!
Device Driver Model
Bugs in Linux Device Driver
Bugs in Linux Device Driver Device protocol violation examples: ✗ Issuing a command to uninitialized device ✗ Writing an invalid register value ✗ Incorrectly managing DMA descriptors
Linux Device Driver Bug Portion
Bugs in Linux Device Driver Mellanox Infinihost controller Driver if(cur_state==IB_RESET && new_state==IB_RESET){ return 0; }
Linux Device Driver Bug Portion
Concurrency errors
• Markus Peloquin, Lena Olson, Andrew Coonce, University of Wisconsin–Madison, “Simultaneity Safari: A Study of Concurrency Bugs in Device Drivers" (2009) • Types of Device Driver Bugs Further study about concurrency bugs
Linux Device Driver Bug Portion
Approaches
General methods
Approaches: Runtime Isolation
SUD-UML [Tolerating Malicious Device Drivers in Linux, MIT CSAIL] • In user-space, there is an unmodified Ethernet device driver running on top of SUD -UML. • A separate driver process runs for each device driver. Shown in kernel-space are two SUD kernel modules, an Ethernet proxy driver (used by all Ethernet device drivers in SUD), and a safe PCI device access module (used by all PCI card drivers in SUD).
• Microkernel (MINIX/L4) / Hybrid kernel (XNU/DragonFly BSD) style • Isolate components – device drivers (disk, network, graphic, …) – stacks (TCP/IP, file systems, ...) • Separate address spaces each – More robust components • Problems – Overhead • hardware multiplexing • context switches – Need to handle I/O privileges User-level Drivers
• LeVasseur et. al.: "Unmodified Device Driver Reuse and Improved System Dependability via Virtual Machines”, OSDI 2004 • provide a Linux environment to run drivers on L4 microkernel – Device Driver Environment (DDE) Device Driver OS: Virtualization technique
Approaches: Static Analysis
• Coccinelle: Faults in Linux: Ten Years Later (ASPLOS 2011) • Dingo: Taming Device Drivers (EuroSys 2009) • KLEE: Automatic generation of high-coverage tests (EuroSys 2008) • RWset: Attacking path explosion (TACAS 2008) • EXE: Automatically generating inputs of death (CCS 2006) Static Analysis
Static Analysis: Instrumentation C Program Translator Instrumented C Program Compile & Execute Halt: Memory Safety Violation Success • Facts – 50% of software errors are due to pointers – 50% of security errors due to buffer overruns • Run-time bookkeeping for memory safety – Array bounds information – Some run-time type information
• C statement “p++”, infer p is not SAFE struct { int a; int b; } *p1, *p2; int *q = (int *)p1; // this cast is fine int **r = (int **)p2; // this one is not: // p2 and r must be DYN • DYNamic Pointer: Static Analysis: Instrumentation On use: - null check - bounds check - tag check/update Can do: - dereference - pointer arithmetic - arbitrary typecasts DYN DYN int home ptr DYN pointer len tags 1 1 0
• “static”: no test runs • “C”: full ANSI C + (GNU C) • Examples int *c = (int *)malloc(sizeof(int)*10); c[i] = 1; c[i + f()] = 1; c[*k + (*g)()] = 1; x = c+5; x[1] = 1; z->a = c; (z->a)[i] = 1; foo(c+2); int foo(int *d) {… d[i] = 1; …} Static Analyzer for Detecting Buffer Overrun Errors in C
Static Analyzer: Internals C files C’ files x1 = F1(x1,…,xN) x2 = F2(x1,…,xN) … xN = FN(x1,…,xN) equation solver bug identification
Static Analyzer – Example: cdc_acm.c (Linux device driver)
Static Analyzer – Coverity
• Observations: – drivers fail to obey device spec – developers misunderstand OS interface – multi-threading is bad • Drivers run as part of the kernel – Need to deal with concurrent invocations – Shared state must be maintained • Synchronization is hard to get right – Race conditions and deadlocks – 20% of bugs in device drivers Securing Driver: Dingo [Dingo: Taming device drivers, 2009]
• Tingu: state-chart-based specification of device protocols – Event-based state transition – Timeouts – Variables Securing Driver: Dingo
• Device driver architecture • Single-threaded – Builtin atomicity – Not a performance problem for most drivers • Event-based – Developers implement a Tingu specification • Can use Tingu specs to generate runtime driver monitors Securing Driver: Dingo
Deal with concurrency bugs
Event-based Device Driver
• DevIL (OSDI 2000): generate driver from an IDL spec of the device interface “...our vision is that Devil specifications either should be written by device vendors or should be widely available aspublic domain libraries...” • Termite (SOSP 2009): use device driver spec (VHDL) to generate – Lets vendors generate drivers on their own • RevNIC (EuroSys 2010): – Obtain I/O trace from existing driver (Windows) – Analyze driver binary – Generate Linux driver Insightful Researches
Conclusion • Device drivers are hard than expected while quality and stability are considered. • Security risks exist inside every area of system software. Device driver is the major. • It is a common technique to introduce virtual buses for isolating device resources. • Performing static analysis as early as possible when you design the device driver model and adapt legacy implementations upon the revised frameworks.
Reference • “Dingo: Taming Device Drivers”, Leonid Ryzhyk, Peter Chubb, Ihor Kuz, Gernot Heiser, UNSW/NICTA/Open Kernel Labs (2009) • "Hardware and Device Drivers", Björn Döbel, TU Dresden (2012) • "Configuration Coverage in the Analysis of Large-Scale System Software", Reinhard Tartler, Daniel Lohmann, Christian Dietrich, Christoph Egger, Julio Sincero, Friedrich-Alexander University (2011) • “AIRAC: A Static Analyzer for Detecting All Buffer Overrun Errors in C Programs", Kwangkeun Yi, Seoul National University (2005) • “CCured: Taming C Pointers”, George Necula, Scott McPeak, Wes Weimer, Berkeley (2002)
http://0xlab.org

Recommended

Hints for L4 Microkernel
Hints for L4 MicrokernelHints for L4 Microkernel
Hints for L4 MicrokernelNational Cheng Kung University
 
Plan 9: Not (Only) A Better UNIX
Plan 9: Not (Only) A Better UNIXPlan 9: Not (Only) A Better UNIX
Plan 9: Not (Only) A Better UNIXNational Cheng Kung University
 
olibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded Linuxolibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded LinuxNational Cheng Kung University
 
Embedded Hypervisor for ARM
Embedded Hypervisor for ARMEmbedded Hypervisor for ARM
Embedded Hypervisor for ARMNational Cheng Kung University
 
Microkernel Evolution
Microkernel EvolutionMicrokernel Evolution
Microkernel EvolutionNational Cheng Kung University
 
Unix v6 Internals
Unix v6 InternalsUnix v6 Internals
Unix v6 InternalsNational Cheng Kung University
 
Embedded Virtualization applied in Mobile Devices
Embedded Virtualization applied in Mobile DevicesEmbedded Virtualization applied in Mobile Devices
Embedded Virtualization applied in Mobile DevicesNational Cheng Kung University
 
Construct an Efficient and Secure Microkernel for IoT
Construct an Efficient and Secure Microkernel for IoTConstruct an Efficient and Secure Microkernel for IoT
Construct an Efficient and Secure Microkernel for IoTNational Cheng Kung University
 

Recommended

Hints for L4 Microkernel
Hints for L4 MicrokernelHints for L4 Microkernel
Hints for L4 MicrokernelNational Cheng Kung University
 
Plan 9: Not (Only) A Better UNIX
Plan 9: Not (Only) A Better UNIXPlan 9: Not (Only) A Better UNIX
Plan 9: Not (Only) A Better UNIXNational Cheng Kung University
 
olibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded Linuxolibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded LinuxNational Cheng Kung University
 
Embedded Hypervisor for ARM
Embedded Hypervisor for ARMEmbedded Hypervisor for ARM
Embedded Hypervisor for ARMNational Cheng Kung University
 
Microkernel Evolution
Microkernel EvolutionMicrokernel Evolution
Microkernel EvolutionNational Cheng Kung University
 
Unix v6 Internals
Unix v6 InternalsUnix v6 Internals
Unix v6 InternalsNational Cheng Kung University
 
Embedded Virtualization applied in Mobile Devices
Embedded Virtualization applied in Mobile DevicesEmbedded Virtualization applied in Mobile Devices
Embedded Virtualization applied in Mobile DevicesNational Cheng Kung University
 
Construct an Efficient and Secure Microkernel for IoT
Construct an Efficient and Secure Microkernel for IoTConstruct an Efficient and Secure Microkernel for IoT
Construct an Efficient and Secure Microkernel for IoTNational Cheng Kung University
 
Implement Runtime Environments for HSA using LLVM
Implement Runtime Environments for HSA using LLVMImplement Runtime Environments for HSA using LLVM
Implement Runtime Environments for HSA using LLVMNational Cheng Kung University
 
Android Virtualization: Opportunity and Organization
Android Virtualization: Opportunity and OrganizationAndroid Virtualization: Opportunity and Organization
Android Virtualization: Opportunity and OrganizationNational Cheng Kung University
 
L4 Microkernel :: Design Overview
L4 Microkernel :: Design OverviewL4 Microkernel :: Design Overview
L4 Microkernel :: Design OverviewNational Cheng Kung University
 
Embedded Virtualization for Mobile Devices
Embedded Virtualization for Mobile DevicesEmbedded Virtualization for Mobile Devices
Embedded Virtualization for Mobile DevicesNational Cheng Kung University
 
F9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsF9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsNational Cheng Kung University
 
μ-Kernel Evolution
μ-Kernel Evolutionμ-Kernel Evolution
μ-Kernel EvolutionSergio Shevchenko
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-timeNational Cheng Kung University
 
Microkernel-based operating system development
Microkernel-based operating system developmentMicrokernel-based operating system development
Microkernel-based operating system developmentSenko Rašić
 
Introduction to Microkernels
Introduction to MicrokernelsIntroduction to Microkernels
Introduction to MicrokernelsVasily Sartakov
 
A tour of F9 microkernel and BitSec hypervisor
A tour of F9 microkernel and BitSec hypervisorA tour of F9 microkernel and BitSec hypervisor
A tour of F9 microkernel and BitSec hypervisorLouie Lu
 
Xvisor: embedded and lightweight hypervisor
Xvisor: embedded and lightweight hypervisorXvisor: embedded and lightweight hypervisor
Xvisor: embedded and lightweight hypervisorNational Cheng Kung University
 
Explore Android Internals
Explore Android InternalsExplore Android Internals
Explore Android InternalsNational Cheng Kung University
 
Priority Inversion on Mars
Priority Inversion on MarsPriority Inversion on Mars
Priority Inversion on MarsNational Cheng Kung University
 
Microkernel design
Microkernel designMicrokernel design
Microkernel designmicrokerneldude
 
Learn C Programming Language by Using GDB
Learn C Programming Language by Using GDBLearn C Programming Language by Using GDB
Learn C Programming Language by Using GDBNational Cheng Kung University
 
Understanding the Dalvik Virtual Machine
Understanding the Dalvik Virtual MachineUnderstanding the Dalvik Virtual Machine
Understanding the Dalvik Virtual MachineNational Cheng Kung University
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 National Cheng Kung University
 
Android Optimization: Myth and Reality
Android Optimization: Myth and RealityAndroid Optimization: Myth and Reality
Android Optimization: Myth and RealityNational Cheng Kung University
 
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded DevicesQi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded DevicesNational Cheng Kung University
 
Gnu linux for safety related systems
Gnu linux for safety related systemsGnu linux for safety related systems
Gnu linux for safety related systemsDTQ4
 
進階嵌入式系統開發與實作 (2013 秋季班 ) 課程說明
進階嵌入式系統開發與實作 (2013 秋季班 ) 課程說明進階嵌入式系統開發與實作 (2013 秋季班 ) 課程說明
進階嵌入式系統開發與實作 (2013 秋季班 ) 課程說明National Cheng Kung University
 
Open Source from Legend, Business, to Ecosystem
Open Source from Legend, Business, to EcosystemOpen Source from Legend, Business, to Ecosystem
Open Source from Legend, Business, to EcosystemNational Cheng Kung University
 

More Related Content

What's hot

F9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsF9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsNational Cheng Kung University
 
Microkernel-based operating system development
Microkernel-based operating system developmentMicrokernel-based operating system development
Microkernel-based operating system developmentSenko Rašić
 
Introduction to Microkernels
Introduction to MicrokernelsIntroduction to Microkernels
Introduction to MicrokernelsVasily Sartakov
 
A tour of F9 microkernel and BitSec hypervisor
A tour of F9 microkernel and BitSec hypervisorA tour of F9 microkernel and BitSec hypervisor
A tour of F9 microkernel and BitSec hypervisorLouie Lu
 
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded DevicesQi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded DevicesNational Cheng Kung University
 
Gnu linux for safety related systems
Gnu linux for safety related systemsGnu linux for safety related systems
Gnu linux for safety related systemsDTQ4
 

What's hot (20)

Implement Runtime Environments for HSA using LLVM
Implement Runtime Environments for HSA using LLVMImplement Runtime Environments for HSA using LLVM
Implement Runtime Environments for HSA using LLVM
 
Android Virtualization: Opportunity and Organization
Android Virtualization: Opportunity and OrganizationAndroid Virtualization: Opportunity and Organization
Android Virtualization: Opportunity and Organization
 
L4 Microkernel :: Design Overview
L4 Microkernel :: Design OverviewL4 Microkernel :: Design Overview
L4 Microkernel :: Design Overview
 
Embedded Virtualization for Mobile Devices
Embedded Virtualization for Mobile DevicesEmbedded Virtualization for Mobile Devices
Embedded Virtualization for Mobile Devices
 
F9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsF9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
 
μ-Kernel Evolution
μ-Kernel Evolutionμ-Kernel Evolution
μ-Kernel Evolution
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-time
 
Microkernel-based operating system development
Microkernel-based operating system developmentMicrokernel-based operating system development
Microkernel-based operating system development
 
Introduction to Microkernels
Introduction to MicrokernelsIntroduction to Microkernels
Introduction to Microkernels
 
A tour of F9 microkernel and BitSec hypervisor
A tour of F9 microkernel and BitSec hypervisorA tour of F9 microkernel and BitSec hypervisor
A tour of F9 microkernel and BitSec hypervisor
 
Xvisor: embedded and lightweight hypervisor
Xvisor: embedded and lightweight hypervisorXvisor: embedded and lightweight hypervisor
Xvisor: embedded and lightweight hypervisor
 
Explore Android Internals
Explore Android InternalsExplore Android Internals
Explore Android Internals
 
Priority Inversion on Mars
Priority Inversion on MarsPriority Inversion on Mars
Priority Inversion on Mars
 
Microkernel design
Microkernel designMicrokernel design
Microkernel design
 
Learn C Programming Language by Using GDB
Learn C Programming Language by Using GDBLearn C Programming Language by Using GDB
Learn C Programming Language by Using GDB
 
Understanding the Dalvik Virtual Machine
Understanding the Dalvik Virtual MachineUnderstanding the Dalvik Virtual Machine
Understanding the Dalvik Virtual Machine
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道
 
Android Optimization: Myth and Reality
Android Optimization: Myth and RealityAndroid Optimization: Myth and Reality
Android Optimization: Myth and Reality
 
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded DevicesQi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
 
Gnu linux for safety related systems
Gnu linux for safety related systemsGnu linux for safety related systems
Gnu linux for safety related systems
 

Viewers also liked

進階嵌入式系統開發與實作 (2013 秋季班 ) 課程說明
進階嵌入式系統開發與實作 (2013 秋季班 ) 課程說明進階嵌入式系統開發與實作 (2013 秋季班 ) 課程說明
進階嵌入式系統開發與實作 (2013 秋季班 ) 課程說明National Cheng Kung University
 
Shorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsShorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsNational Cheng Kung University
 
Lecture notice about Embedded Operating System Design and Implementation
Lecture notice about Embedded Operating System Design and ImplementationLecture notice about Embedded Operating System Design and Implementation
Lecture notice about Embedded Operating System Design and ImplementationNational Cheng Kung University
 
Develop Your Own Operating Systems using Cheap ARM Boards
Develop Your Own Operating Systems using Cheap ARM BoardsDevelop Your Own Operating Systems using Cheap ARM Boards
Develop Your Own Operating Systems using Cheap ARM BoardsNational Cheng Kung University
 
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例National Cheng Kung University
 
進階嵌入式作業系統設計與實做 (2015 年秋季 ) 課程說明
進階嵌入式作業系統設計與實做 (2015 年秋季 ) 課程說明進階嵌入式作業系統設計與實做 (2015 年秋季 ) 課程說明
進階嵌入式作業系統設計與實做 (2015 年秋季 ) 課程說明National Cheng Kung University
 
給自己更好未來的 3 個練習:嵌入式作業系統設計、實做,與移植 (2015 年春季 ) 課程說明
給自己更好未來的 3 個練習:嵌入式作業系統設計、實做,與移植 (2015 年春季 ) 課程說明給自己更好未來的 3 個練習:嵌入式作業系統設計、實做,與移植 (2015 年春季 ) 課程說明
給自己更好未來的 3 個練習:嵌入式作業系統設計、實做,與移植 (2015 年春季 ) 課程說明National Cheng Kung University
 

Viewers also liked (18)

進階嵌入式系統開發與實作 (2013 秋季班 ) 課程說明
進階嵌入式系統開發與實作 (2013 秋季班 ) 課程說明進階嵌入式系統開發與實作 (2013 秋季班 ) 課程說明
進階嵌入式系統開發與實作 (2013 秋季班 ) 課程說明
 
Open Source from Legend, Business, to Ecosystem
Open Source from Legend, Business, to EcosystemOpen Source from Legend, Business, to Ecosystem
Open Source from Legend, Business, to Ecosystem
 
Develop Your Own Operating System
Develop Your Own Operating SystemDevelop Your Own Operating System
Develop Your Own Operating System
 
Shorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsShorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation Systems
 
Lecture notice about Embedded Operating System Design and Implementation
Lecture notice about Embedded Operating System Design and ImplementationLecture notice about Embedded Operating System Design and Implementation
Lecture notice about Embedded Operating System Design and Implementation
 
Develop Your Own Operating Systems using Cheap ARM Boards
Develop Your Own Operating Systems using Cheap ARM BoardsDevelop Your Own Operating Systems using Cheap ARM Boards
Develop Your Own Operating Systems using Cheap ARM Boards
 
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
 
The Internals of "Hello World" Program
The Internals of "Hello World" ProgramThe Internals of "Hello World" Program
The Internals of "Hello World" Program
 
Hardware Accelerated 2D Rendering for Android
Hardware Accelerated 2D Rendering for AndroidHardware Accelerated 2D Rendering for Android
Hardware Accelerated 2D Rendering for Android
 
進階嵌入式作業系統設計與實做 (2015 年秋季 ) 課程說明
進階嵌入式作業系統設計與實做 (2015 年秋季 ) 課程說明進階嵌入式作業系統設計與實做 (2015 年秋季 ) 課程說明
進階嵌入式作業系統設計與實做 (2015 年秋季 ) 課程說明
 
給自己更好未來的 3 個練習:嵌入式作業系統設計、實做,與移植 (2015 年春季 ) 課程說明
給自己更好未來的 3 個練習:嵌入式作業系統設計、實做,與移植 (2015 年春季 ) 課程說明給自己更好未來的 3 個練習:嵌入式作業系統設計、實做,與移植 (2015 年春季 ) 課程說明
給自己更好未來的 3 個練習:嵌入式作業系統設計、實做,與移植 (2015 年春季 ) 課程說明
 
Build Your Own Android Toolchain from scratch
Build Your Own Android Toolchain from scratchBuild Your Own Android Toolchain from scratch
Build Your Own Android Toolchain from scratch
 
Summer Project: Microkernel (2013)
Summer Project: Microkernel (2013)Summer Project: Microkernel (2013)
Summer Project: Microkernel (2013)
 
Virtual Machine Constructions for Dummies
Virtual Machine Constructions for DummiesVirtual Machine Constructions for Dummies
Virtual Machine Constructions for Dummies
 
2016 年春季嵌入式作業系統課程說明
2016 年春季嵌入式作業系統課程說明2016 年春季嵌入式作業系統課程說明
2016 年春季嵌入式作業系統課程說明
 
How A Compiler Works: GNU Toolchain
How A Compiler Works: GNU ToolchainHow A Compiler Works: GNU Toolchain
How A Compiler Works: GNU Toolchain
 
Interpreter, Compiler, JIT from scratch
Interpreter, Compiler, JIT from scratchInterpreter, Compiler, JIT from scratch
Interpreter, Compiler, JIT from scratch
 
從線上售票看作業系統設計議題
從線上售票看作業系統設計議題從線上售票看作業系統設計議題
從線上售票看作業系統設計議題
 

Similar to Faults inside System Software

Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Security Weekly
 
Understanding and Improving Device Access Complexity
Understanding and Improving Device Access ComplexityUnderstanding and Improving Device Access Complexity
Understanding and Improving Device Access Complexityasimkadav
 
Fine-grained fault tolerance using device checkpoints
Fine-grained fault tolerance using device checkpointsFine-grained fault tolerance using device checkpoints
Fine-grained fault tolerance using device checkpointsasimkadav
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitDimitry Snezhkov
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsTakahiro Haruyama
 
EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22MichaelM85042
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...SegInfo
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPLnitinscribd
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 
Chromium os architecture report
Chromium os architecture reportChromium os architecture report
Chromium os architecture reportAmr Abd El Latief
 
Windows内核技术介绍
Windows内核技术介绍Windows内核技术介绍
Windows内核技术介绍jeffz
 
DEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORS
DEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORSDEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORS
DEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORSFelipe Prado
 
Reliability, Availability and Serviceability on Linux
Reliability, Availability and Serviceability on LinuxReliability, Availability and Serviceability on Linux
Reliability, Availability and Serviceability on LinuxSamsung Open Source Group
 
Droidcon 2013 France - Android Platform Anatomy
Droidcon 2013 France - Android Platform AnatomyDroidcon 2013 France - Android Platform Anatomy
Droidcon 2013 France - Android Platform AnatomyBenjamin Zores
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022MichaelM85042
 

Similar to Faults inside System Software (20)

IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)
 
Android architechture
Android architechtureAndroid architechture
Android architechture
 
Understanding and Improving Device Access Complexity
Understanding and Improving Device Access ComplexityUnderstanding and Improving Device Access Complexity
Understanding and Improving Device Access Complexity
 
Fine-grained fault tolerance using device checkpoints
Fine-grained fault tolerance using device checkpointsFine-grained fault tolerance using device checkpoints
Fine-grained fault tolerance using device checkpoints
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution Toolkit
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensics
 
EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Chromium os architecture report
Chromium os architecture reportChromium os architecture report
Chromium os architecture report
 
Windows内核技术介绍
Windows内核技术介绍Windows内核技术介绍
Windows内核技术介绍
 
DEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORS
DEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORSDEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORS
DEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORS
 
Reliability, Availability and Serviceability on Linux
Reliability, Availability and Serviceability on LinuxReliability, Availability and Serviceability on Linux
Reliability, Availability and Serviceability on Linux
 
Computer Fundamentals
Computer FundamentalsComputer Fundamentals
Computer Fundamentals
 
Computer fundamental
Computer fundamentalComputer fundamental
Computer fundamental
 
Droidcon 2013 France - Android Platform Anatomy
Droidcon 2013 France - Android Platform AnatomyDroidcon 2013 France - Android Platform Anatomy
Droidcon 2013 France - Android Platform Anatomy
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
 

Recently uploaded

Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераMark Opanasiuk
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Hiroshi SHIBATA
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxFIDO Alliance
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jNeo4j
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...FIDO Alliance
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfFIDO Alliance
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfFIDO Alliance
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPTiSEO AI
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandIES VE
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...marcuskenyatta275
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?Mark Billinghurst
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FIDO Alliance
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxFIDO Alliance
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfFIDO Alliance
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...ScyllaDB
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfFIDO Alliance
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
 

Recently uploaded (20)

Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4j
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 

Faults inside System Software

  • 1. Faults inside System Software Jim Huang ( 黃敬群 ) <jserv@0xlab.org> June 6, 2013 / NCU, Taiwan
  • 2. Rights to copy Attribution – ShareAlike 3.0 You are free to copy, distribute, display, and perform the work to make derivative works to make commercial use of the work Under the following conditions Attribution. You must give the original author credit. Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one. For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the copyright holder. Your fair use and other rights are in no way affected by the above. License text: http://creativecommons.org/licenses/by-sa/3.0/legalcode © Copyright 2013 0xlab http://0xlab.org/ Corrections, suggestions, contributions and translations are welcome! Latest update: June 8, 2013
  • 3.
  • 4. Goals of This Presentation • Analysis of Large-scale system software • Diagnose faults inside system software, especially for device drivers • Deal with faulty device driver implementation
  • 5. Agenda • General Analysis about Faulty system software • Approaches to Deal – Runtime Isolation – Static Analysis
  • 6. General Analysis about Faulty System Software
  • 7. Some statistics • Drivers cause 85% of Windows XP crashes. – Michael M. Swift, Brian N. Bershad, Henry M. Levy: “Improving the Reliability of Commodity Operating Systems”, SOSP 2003 • Error rate in Linux drivers is 3x (maximum: 10x) higher than for the rest of the kernel – Life expectancy of a bug in the Linux kernel (~2.4): 1.8 years – Andy Chou, Junfeng Yang, Benjamin Chelf, Seth Hallem, Dawson R. Engler: “An Empirical Study of Operating System Errors”, SOSP 2001
  • 8. • Causes for driver bugs – 23% programming error – 38% mismatch regarding device specification – 39% OS-driver-interface misconceptions – Leonid Ryzhyk, Peter Chubb, Ihor Kuz and Gernot Heiser: “Dingo: Taming device drivers”, EuroSys 2009 Some statistics
  • 9. • [Aug 8, 2008] Bug report: e1000 PCI-X network cards rendered broken by Linux 2.6.27-rc – overwritten NVRAM on card • [Oct 1, 2008] Intel releases quickfix – map NVRAM somewhere else • [Oct 15, 2008] Reason found: – dynamic ftrace framework tries to patch __init code, but .init sections are unmapped after running init code – NVRAM got mapped to same location – scary cmpxchg() behavior on I/O memory • [Nov 2, 2008] dynamic ftrace reworked for Linux 2.6.28-rc3 Anecdote: Linux e1000 NVRAM bug FTrace & NIC driver!
  • 10. Linux Device Driver bugs [Dingo: Taming device drivers, 2009]
  • 11. • consists of – 7702 features – 893 Kconfig files – 31281 source files – 88897 #ifdef blocks Linux version 3.0
  • 13.
  • 14. • Devices connected by buses (USB, PCI, PCIx) • Host chipset (DMA logic, IRQ controller) connects buses and CPU System Layout
  • 16. • Problem: more and more devices – need means of dynamic device discovery • Probing – try out every driver to see if it works • Plug-n-Play – first try of dynamic system description – device manufacturers provide unique IDs • PCI: dedicated config space • ACPI: system description without relying on underlying bus/chipset Bus & Devices
  • 17. • Intel, 1996 • Tree of devices – root = Host Controller (UHCI, OHCI, EHCI) – Device drivers use Host Controller (HC) to communicate with their device via USB Request Blocks (URBs) – USB is a serial bus • HC serializes URBs • Wide range of device classes (input, storage, peripherals, ...) – classes allow generic drivers Bus: USB
  • 18. • BlackHat 2013 – MACTANS: INJECTING MALWARE INTO IOS DEVICES VIA MALICIOUS CHARGERS – http://www.blackhat.com/us-13/briefings.html#Lau • "we demonstrate how an iOS device can be compromised within one minute of being plugged into a malicious charger. We first examine Apple’s existing security mechanisms to protect against arbitrary software installation, then describe how USB capabilities can be leveraged to bypass these defense mechanisms." Attack iOS through USB charger!
  • 20. Bugs in Linux Device Driver
  • 21. Bugs in Linux Device Driver Device protocol violation examples: ✗ Issuing a command to uninitialized device ✗ Writing an invalid register value ✗ Incorrectly managing DMA descriptors
  • 22. Linux Device Driver Bug Portion
  • 23. Bugs in Linux Device Driver Mellanox Infinihost controller Driver if(cur_state==IB_RESET && new_state==IB_RESET){ return 0; }
  • 24. Linux Device Driver Bug Portion
  • 26. • Markus Peloquin, Lena Olson, Andrew Coonce, University of Wisconsin–Madison, “Simultaneity Safari: A Study of Concurrency Bugs in Device Drivers" (2009) • Types of Device Driver Bugs Further study about concurrency bugs
  • 27. Linux Device Driver Bug Portion
  • 31. SUD-UML [Tolerating Malicious Device Drivers in Linux, MIT CSAIL] • In user-space, there is an unmodified Ethernet device driver running on top of SUD -UML. • A separate driver process runs for each device driver. Shown in kernel-space are two SUD kernel modules, an Ethernet proxy driver (used by all Ethernet device drivers in SUD), and a safe PCI device access module (used by all PCI card drivers in SUD).
  • 32. • Microkernel (MINIX/L4) / Hybrid kernel (XNU/DragonFly BSD) style • Isolate components – device drivers (disk, network, graphic, …) – stacks (TCP/IP, file systems, ...) • Separate address spaces each – More robust components • Problems – Overhead • hardware multiplexing • context switches – Need to handle I/O privileges User-level Drivers
  • 33. • LeVasseur et. al.: "Unmodified Device Driver Reuse and Improved System Dependability via Virtual Machines”, OSDI 2004 • provide a Linux environment to run drivers on L4 microkernel – Device Driver Environment (DDE) Device Driver OS: Virtualization technique
  • 35. • Coccinelle: Faults in Linux: Ten Years Later (ASPLOS 2011) • Dingo: Taming Device Drivers (EuroSys 2009) • KLEE: Automatic generation of high-coverage tests (EuroSys 2008) • RWset: Attacking path explosion (TACAS 2008) • EXE: Automatically generating inputs of death (CCS 2006) Static Analysis
  • 36. Static Analysis: Instrumentation C Program Translator Instrumented C Program Compile & Execute Halt: Memory Safety Violation Success • Facts – 50% of software errors are due to pointers – 50% of security errors due to buffer overruns • Run-time bookkeeping for memory safety – Array bounds information – Some run-time type information
  • 37. • C statement “p++”, infer p is not SAFE struct { int a; int b; } *p1, *p2; int *q = (int *)p1; // this cast is fine int **r = (int **)p2; // this one is not: // p2 and r must be DYN • DYNamic Pointer: Static Analysis: Instrumentation On use: - null check - bounds check - tag check/update Can do: - dereference - pointer arithmetic - arbitrary typecasts DYN DYN int home ptr DYN pointer len tags 1 1 0
  • 38. • “static”: no test runs • “C”: full ANSI C + (GNU C) • Examples int *c = (int *)malloc(sizeof(int)*10); c[i] = 1; c[i + f()] = 1; c[*k + (*g)()] = 1; x = c+5; x[1] = 1; z->a = c; (z->a)[i] = 1; foo(c+2); int foo(int *d) {… d[i] = 1; …} Static Analyzer for Detecting Buffer Overrun Errors in C
  • 39. Static Analyzer: Internals C files C’ files x1 = F1(x1,…,xN) x2 = F2(x1,…,xN) … xN = FN(x1,…,xN) equation solver bug identification
  • 40. Static Analyzer – Example: cdc_acm.c (Linux device driver)
  • 42. • Observations: – drivers fail to obey device spec – developers misunderstand OS interface – multi-threading is bad • Drivers run as part of the kernel – Need to deal with concurrent invocations – Shared state must be maintained • Synchronization is hard to get right – Race conditions and deadlocks – 20% of bugs in device drivers Securing Driver: Dingo [Dingo: Taming device drivers, 2009]
  • 43. • Tingu: state-chart-based specification of device protocols – Event-based state transition – Timeouts – Variables Securing Driver: Dingo
  • 44. • Device driver architecture • Single-threaded – Builtin atomicity – Not a performance problem for most drivers • Event-based – Developers implement a Tingu specification • Can use Tingu specs to generate runtime driver monitors Securing Driver: Dingo
  • 47. • DevIL (OSDI 2000): generate driver from an IDL spec of the device interface “...our vision is that Devil specifications either should be written by device vendors or should be widely available aspublic domain libraries...” • Termite (SOSP 2009): use device driver spec (VHDL) to generate – Lets vendors generate drivers on their own • RevNIC (EuroSys 2010): – Obtain I/O trace from existing driver (Windows) – Analyze driver binary – Generate Linux driver Insightful Researches
  • 48. Conclusion • Device drivers are hard than expected while quality and stability are considered. • Security risks exist inside every area of system software. Device driver is the major. • It is a common technique to introduce virtual buses for isolating device resources. • Performing static analysis as early as possible when you design the device driver model and adapt legacy implementations upon the revised frameworks.
  • 49. Reference • “Dingo: Taming Device Drivers”, Leonid Ryzhyk, Peter Chubb, Ihor Kuz, Gernot Heiser, UNSW/NICTA/Open Kernel Labs (2009) • "Hardware and Device Drivers", Björn Döbel, TU Dresden (2012) • "Configuration Coverage in the Analysis of Large-Scale System Software", Reinhard Tartler, Daniel Lohmann, Christian Dietrich, Christoph Egger, Julio Sincero, Friedrich-Alexander University (2011) • “AIRAC: A Static Analyzer for Detecting All Buffer Overrun Errors in C Programs", Kwangkeun Yi, Seoul National University (2005) • “CCured: Taming C Pointers”, George Necula, Scott McPeak, Wes Weimer, Berkeley (2002)