What Is Mapping Device Memory and Registers into User Space?

As a general rule, drivers should avoid mapping device memory and registers into user space. Instead, drivers should share memory with user-mode components only through mapped buffers (typically passed in IOCTLs), as shown in the METHOD_NEITHER I/O example earlier in this paper.  

Exposing hardware to user-mode control is risky and poses potential threats to system security. Doing so requires significantly more code than would be required if access were strictly limited to kernel mode, and it requires additional attention to security issues. If your reason for such a design is to improve performance, consider this decision carefully. The transition to kernel mode does not require much overhead when compared to the additional coding, debugging, and testing that are involved with user-mode access. User-mode processes cannot be trusted.

The additional code is required for the following reasons:

·         The hardware register interfaces must be completely secure before they are exposed in user mode. You must carefully analyze the hardware to determine how a user-mode application might use the exposed interfaces. Remember to consider every possible option—including both incorrect and intentionally malicious misuse. Then you must ensure that you do not expose any paths through which a user-mode application could cause the bus to hang, perform DMA into random areas of memory, or crash the system for any other reason.

·         A user-mode process might duplicate the handle to the allocated memory into another process, which can then issue I/O requests. To protect against malicious user applications, the driver must check every I/O request to ensure that it came from the process into which the memory was originally mapped. In addition, the driver must take additional steps to ensure that it is notified when the original process ends, even if another process still has an open handle to the mapped memory.

·         The driver must unmap the memory when the user-mode process exits, and it must synchronize the unmapping operation with other I/O operations on the handle.

·         Hibernation and stop-device requests require additional handling so that the driver can unmap the memory if the user-mode application has not closed its handle.