From: Greg Green (ggreen_at_cs.washington.edu)
Date: Tue Jan 20 2004 - 21:57:30 PST
This paper describes a subsystem in the Linux kernel that sits between
the kernel and drivers in kernel-mode. The subsystem is designed to
prevent bugs in the drivers from crashing the kernel. It does this by
only allowing access to the minimum set of kernel memory pages and
blocking access to other kernel pages. It also copies any kernel data
structures the driver is attempting to modify. It verifies that it
modifies the structures correctly and then copies the structures back
to the kernel, or disallows the change. As well as protecting the
kernel from bad drivers, it attempts to recover from the errors. This
is done by unloading the driver, releasing all resources owned by the
driver, removing and reloading and restarting the driver.

Nooks, the subsystem name, consists of wrappers to all kernel calls
made by the drivers and by the kernel into the drivers. It also has an
object manager to keep track of all objects owned by drivers. It
protects memory by extension procedure call. This is similar to a
context switch between the kernel and userland, in that the kernel
page tables are swapped between the kernel and driver. This allows
kernel pages to be protected from the drivers.

I liked this idea. It seems to be a valuable guard that seems to be a
good tradeoff between protection and performance or complexity. Since
this is a very recent paper, time will tell if the idea is taken up by
Unix or Windows kernel developers.

I found the section on injecting errors interesting. Instead of
finding bad drivers and testing them, inserting normal types of errors
programmatically is a neat concept.
-- Greg Green
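The copy, verify, copy-back-or-disallow wrapper and the object manager that the review summarizes can be modelled in a few dozen lines. The following is an added illustrative example written for this archive page; it is not code from the Nooks paper, the Nooks implementation or the reviewer. The `struct kobj` layout, the `FLAG_LEGAL_MASK` policy, the "refcount moves by at most one" rule, and the function names `wrap_checkout`, `wrap_commit` and `recover_driver` are all constructed here for illustration. The driver only ever touches a private shadow copy; the wrapper validates the shadow against the kernel's original before copying it back, and the object manager remembers every outstanding shadow so a recovery can reclaim them without trusting the driver to clean up.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed kernel object: the kind of structure a driver wants to update. */
struct kobj {
    uint32_t id;
    uint32_t refcount;
    uint32_t flags;
};

#define MAX_TRACKED 8
#define FLAG_LEGAL_MASK 0x7u   /* constructed policy: only the low three flag bits are legal */

/* Modelled object manager: tracks every shadow handed to the driver so
 * recovery can release them all at once. */
struct obj_manager {
    struct kobj *shadows[MAX_TRACKED];
    int count;
    int committed;
    int rejected;
};

static void om_untrack(struct obj_manager *om, struct kobj *shadow) {
    for (int i = 0; i < om->count; i++) {
        if (om->shadows[i] == shadow) {
            om->shadows[i] = om->shadows[--om->count];
            free(shadow);
            return;
        }
    }
}

/* Wrapper step 1: the driver gets a private copy, never the kernel's own
 * structure, so a wild write inside the driver cannot corrupt kernel state. */
struct kobj *wrap_checkout(struct obj_manager *om, const struct kobj *kernel_obj) {
    if (om->count >= MAX_TRACKED) return NULL;
    struct kobj *shadow = malloc(sizeof *shadow);
    if (shadow == NULL) return NULL;
    memcpy(shadow, kernel_obj, sizeof *shadow);
    om->shadows[om->count++] = shadow;
    return shadow;
}

/* Constructed validation policy: identity must be preserved, the refcount
 * may move by at most one, and flags must stay within the legal mask. */
static int shadow_is_valid(const struct kobj *orig, const struct kobj *shadow) {
    if (shadow->id != orig->id) return 0;
    if (shadow->flags & ~FLAG_LEGAL_MASK) return 0;
    uint32_t diff = shadow->refcount > orig->refcount
                  ? shadow->refcount - orig->refcount
                  : orig->refcount - shadow->refcount;
    return diff <= 1;
}

/* Wrapper step 2: copy the shadow back only if it validates. Returns 1 on
 * commit, 0 when the change is disallowed; the shadow is released either way. */
int wrap_commit(struct obj_manager *om, struct kobj *kernel_obj, struct kobj *shadow) {
    int ok = shadow_is_valid(kernel_obj, shadow);
    if (ok) {
        memcpy(kernel_obj, shadow, sizeof *shadow);
        om->committed++;
    } else {
        om->rejected++;
    }
    om_untrack(om, shadow);
    return ok;
}

/* Recovery: release everything the object manager still tracks for a driver
 * judged faulty. Returns the number of shadows reclaimed. */
int recover_driver(struct obj_manager *om) {
    int released = om->count;
    for (int i = 0; i < om->count; i++) free(om->shadows[i]);
    om->count = 0;
    return released;
}

/* Walkthrough: one well-behaved update, one corrupting update, then a
 * recovery with two shadows still outstanding. Returns the rejected count. */
int demo(void) {
    struct obj_manager om = {0};
    struct kobj dev = { .id = 42, .refcount = 1, .flags = 0x1 };

    struct kobj *s1 = wrap_checkout(&om, &dev);
    s1->refcount++;                       /* legitimate: take one reference */
    wrap_commit(&om, &dev, s1);           /* commits: dev.refcount becomes 2 */

    struct kobj *s2 = wrap_checkout(&om, &dev);
    s2->id = 0;                           /* buggy driver clobbers the identity */
    s2->flags = 0xFFFFFFFFu;              /* and writes illegal flag bits */
    wrap_commit(&om, &dev, s2);           /* disallowed: dev is left untouched */

    wrap_checkout(&om, &dev);             /* driver faults while holding these */
    wrap_checkout(&om, &dev);
    int reclaimed = recover_driver(&om);  /* both reclaimed: reclaimed == 2 */
    printf("committed=%d rejected=%d reclaimed=%d id=%u refcount=%u\n",
           om.committed, om.rejected, reclaimed, dev.id, dev.refcount);
    return om.rejected;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```

The validation policy is deliberately simple; in a real system the invariants would be specific to each kernel data type, and the interesting engineering question is how much of the driver's behaviour can be checked this way without the wrapper itself becoming a source of bugs.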
This archive was generated by hypermail 2.1.6 : Tue Jan 20 2004 - 21:57:34 PST