SoK: Understanding the Attack Surface in Device Driver Isolation Frameworks

TL;DR

This paper surveys existing device driver isolation frameworks, classifies and evaluates their vulnerabilities, revealing that many drivers contain numerous CIVs, which can be mitigated with additional security measures like CFI.

Contribution

It systematically analyzes the security guarantees of driver isolation frameworks and classifies CIVs, providing insights and guidance for improving driver isolation security.

Findings

Large drivers have over 100 CIVs instances

Enforcing CFI reduces CIVs to around 28

CIV prevalence varies across driver classes

Abstract

Device driver isolation is a promising approach for protecting the kernel from faulty or malicious drivers, but the actual security provided by such frameworks is often not well understood. Recent research has identified Compartment Interface Vulnerabilities (CIVs) in userspace compartmentalized applications, yet their impact on driver isolation frameworks remains poorly understood. This paper provides a comprehensive survey of the design and security guarantees of existing driver isolation frameworks and systemizes existing CIV classifications, evaluating them under driver isolation. The analysis shows that different classes of CIVs are prevalent across the studied drivers under a baseline threat model, with large drivers having more than 100 instances of different CIVs and an average of 33 instances across the studied drivers. Enforcing extra security properties, such as CFI, can reduce the number of CIVs to around 28 instances on average. This study provides insights for understanding existing driver isolation security and the prevalence of CIVs in the driver isolation context, and extracts useful insights that can provide security guidance for future driver isolation systems.