
Tolerating Malicious Device Drivers in Linux


Abstract

This paper presents SUD, a system for running existing Linux device drivers as untrusted user-space processes. Even if the device driver is controlled by a malicious adversary, it cannot compromise the rest of the system. One significant challenge of fully isolating a driver is to confine the actions of its hardware device. SUD relies on IOMMU hardware, PCI express bridges, and message-signaled interrupts to confine hardware devices. SUD runs unmodified Linux device drivers, by emulating a Linux kernel environment in user-space. A prototype of SUD runs drivers for Gigabit Ethernet, 802.11 wireless, sound cards, USB host controllers, and USB devices, and it is easy to add a new device class. SUD achieves the same performance as an in-kernel driver on networking benchmarks, and can saturate a Gigabit Ethernet link. SUD incurs a CPU overhead comparable to existing runtime driver isolation techniques, while providing much stronger isolation guarantees for untrusted drivers. Finally, SUD requires minimal changes to the kernel—just two kernel modules comprising 4,000 lines of code—which may at last allow the adoption of these ideas in practice.
