Wednesday, September 19, 2007

Trust at the foundational levels: IOMMU & DMA

IOMMU, or Input Output Memory Management Unit, will likely play a large role in the security of future operating systems. If IOMMU does not play a large role, it will hopefully be because there is something better (that is to say, hopefully IOMMU is not neglected from future computer architectures). In a nutshell, IOMMU is like a mini-firewall for RAM (yes, there are problems with this over-simplification, but bear with me), controlling hardware's access to critical memory locations to prevent ignorance or malice from, say, using a DMA-connected device to patch a kernel at runtime.

DMA, or Direct Memory Access, was designed to rid computer architectures of the performance problems associated with sending all memory IO requests through the CPU. It's yet another instance of the convenience versus security trade-off.

Most OSes in use today are monolithic kernels, which when juxtaposed to their evolved cousins, microkernels, it becomes apparent the differences of trust models used within each. Monolithic kernels are like DMA, they make a convenience over security trade-off; system drivers and services run in kernel mode for convenient access to each other's data (which is scary if one of those is corrupted and taken over by an adversary, or adversary's malicious code). Microkernels, on the other hand, do not make that trade-off; all IPC (inter process communication) is routed the long way around while all drivers and services run in userland-- not privileged memory space. One example is MINIX, an academic OS with a microkernel design.

Microkernels and IOMMU go hand in hand, as both are attempting to address trust at the foundational levels, IOMMU at the hardware layer and Microkernels at the OS (control/allocation of hardware) layer.

Joanna Rutkowska is a security researcher who focuses on security issues closer to the hardware than most attacks, such as kernel fundamentals that may or may not lead to rootkits. What Joanna has pointed out, is not unpredictable to Operating System researchers. From Joanna's Blog:
I must say really like the design of MINIX3, which keeps all the drivers (and other system components) in usermode, in separated address spaces. This is, however, still problematic today, as without IOMMU we can’t really fully protect kernel from usermode drivers, because of the potential DMA attacks – i.e. a driver can setup a DMA write-transaction to overwrite some part of the micro kernel memory, thus owning the system completely. But I guess we will all have processors supporting IOMMU within the next 1-2 years.
The important thing to note here, is not necessarily that the OS an enterprise chooses for critical computing should change to MINIX3 (although maybe it should), but rather: until there are proficient controls to ensure the trustworthiness of the foundational levels of computing, worrying about the trustworthiness of everything that runs on top of the foundation is pointless. To quote Schneier: "security is a chain; it's only as strong as its weakest link."

No comments: