SoK: Understanding the Attack Surface in Device Driver Isolation Frameworks

Yongzhe Huang, Kaiming Huang, Matthew Ennis, Vikram Narayanan, Anton Burtsev, Trent Jaeger, Gang Tan

TL;DR

This work systematically analyzes driver isolation frameworks, introducing a Compartment Interface Vulnerability (CIV) taxonomy for kernel-driver interfaces and evaluating CIV prevalence under a baseline threat model. It combines static analysis with taint tracking and manual validation to quantify how shared data, concurrency, and control-transfer vulnerabilities manifest across representative drivers. Enforcing additional security properties such as control-flow integrity (CFI) and memory safety significantly reduces CIV counts, especially for control-transfer vulnerabilities, and highlights the value of selective data sharing and language-based hardening. The findings offer practical guidance for designing more secure driver isolation systems and underscore the importance of explicit threat modeling in assessing kernel isolation guarantees.

Abstract

Device driver isolation is a promising approach for protecting the kernel from faulty or malicious drivers, but the actual security provided by such frameworks is often not well understood. Recent research has identified Compartment Interface Vulnerabilities (CIVs) in userspace compartmentalized applications, yet their impact on driver isolation frameworks remains poorly understood. This paper provides a comprehensive survey of the design and security guarantees of existing driver isolation frameworks and systemizes existing CIV classifications, evaluating them under driver isolation. The analysis shows that different classes of CIVs are prevalent across the studied drivers under a baseline threat model, with large drivers having more than 100 instances of different CIVs and an average of 33 instances across the studied drivers. Enforcing extra security properties, such as CFI, can reduce the number of CIVs to around 28 instances on average. This study provides insights for understanding existing driver isolation security and the prevalence of CIVs in the driver isolation context, and extracts useful insights that can provide security guidance for future driver isolation systems.

Paper Structure

This paper contains 39 sections, 14 tables, and 1 algorithm.