CAPIO: Safe Kernel-Bypass of Commodity Devices using Capabilities
Friedrich Doku, Jonathan Laughton, Nick Wanninger, Peter Dinda

TL;DR
CAPIO introduces a hardware capability-based architecture that enables fine-grained, sub-page access control for device memory, allowing safe kernel-bypass I/O with low latency and strict security guarantees.
Contribution
It is the first architecture to use hardware capabilities for sub-page device resource protection, enabling secure kernel-bypass with fine-grained access control.
Findings
Achieves low-latency kernel-bypass I/O with fine-grained control.
Demonstrates secure access to a commodity network card.
Enforces byte-level access control of privileged resources.
Abstract
Securing low-latency I/O in commodity systems forces a fundamental trade-off: rely on the kernel's high-overhead mediated interface, or bypass it entirely, exposing sensitive hardware resources to userspace and creating new vulnerabilities. This dilemma stems from a hardware granularity mismatch: standard MMUs operate at page boundaries, making it impossible to selectively expose safe device registers without also exposing the sensitive control registers colocated on the same page. Existing solutions to driver isolation enforce an isolation model that cannot protect sub-page device resources. This paper presents CAPIO, the first architecture to leverage hardware capabilities to enforce fine-grained access control on memory-mapped I/O. Unlike prior page-based protections, CAPIO utilizes unforgeable capabilities to create precise, sub-page "slices" of device memory. This mechanism…
Taxonomy
Topics: Security and Verification in Computing · Physical Unclonable Functions (PUFs) and Hardware Security · Advanced Data Storage Technologies
