True IOMMU protection from DMA attacks: When copy is faster than zero copy

Alex Markuze, Adam Morrison, Dan Tsafrir

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Malicious I/O devices might compromise the OS using DMAs. The OS therefore utilizes the IOMMU to map and unmap every target buffer right before and after its DMA is processed, thereby restricting DMAs to their designated locations. This usage model, however, is not truly secure for two reasons: (1) it provides protection at page granularity only, whereas DMA buffers can reside on the same page as other data; and (2) it delays DMA buffer unmaps due to performance considerations, creating a vulnerability window in which devices can access in-use memory. We propose that OSes utilize the IOMMU differently, in a manner that eliminates these two flaws. Our new usage model restricts device access to a set of shadow DMA buffers that are never unmapped, and it copies DMAed data to/from these buffers, thus providing sub-page protection while eliminating the aforementioned vulnerability window. Our key insight is that the cost of interacting with, and synchronizing access to, the slow IOMMU hardware (required for zero-copy protection against devices) makes copying preferable to zero-copying. We implement our model in Linux and evaluate it with standard networking benchmarks utilizing a 40 Gb/s NIC. We demonstrate that despite being more secure than the safest preexisting usage model, our approach provides up to 5× higher throughput. Additionally, whereas it is inherently less scalable than an IOMMU-less (unprotected) system, our approach incurs only 0%-25% performance degradation in comparison.

Original language: English
Title of host publication: ASPLOS 2016 - 21st International Conference on Architectural Support for Programming Languages and Operating Systems
Pages: 249-262
Number of pages: 14
ISBN (Electronic): 9781450340915
State: Published - 25 Mar 2016
Event: 21st International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2016 - Atlanta, United States
Duration: 2 Apr 2016 - 6 Apr 2016

Publication series

Name: International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS
Volume: 02-06-April-2016

Conference

Conference: 21st International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2016
Country/Territory: United States
City: Atlanta
Period: 2/04/16 - 6/04/16

Keywords

  • DMA attacks
  • IOMMU

All Science Journal Classification (ASJC) codes

  • Software
  • Information Systems
  • Hardware and Architecture
