As a general rule, drivers should avoid
mapping device memory and registers into user space. Instead, drivers should
share memory with user-mode components only through mapped buffers (typically passed
in IOCTLs), as shown in the METHOD_NEITHER I/O example earlier in this paper.
Exposing hardware to user-mode control is
risky and poses potential threats to system security. Doing so requires
significantly more code than would be required if access were strictly limited
to kernel mode, and it requires additional attention to security issues. If your
reason for such a design is to improve performance, consider this decision
carefully. The transition to kernel mode does not require much overhead when
compared to the additional coding, debugging, and testing that are involved
with user-mode access. User-mode processes cannot be trusted.
The additional code is required for the
following reasons:
·
The hardware register
interfaces must be completely secure before they are exposed in user mode. You
must carefully analyze the hardware to determine how a user-mode application
might use the exposed interfaces. Remember to consider every possible
option—including both incorrect and intentionally malicious misuse. Then you
must ensure that you do not expose any paths through which a user-mode
application could cause the bus to hang, perform DMA into random areas of
memory, or crash the system for any other reason.
·
A user-mode process might
duplicate the handle to the allocated memory into another process, which can
then issue I/O requests. To protect against malicious user applications, the
driver must check every I/O request to ensure that it came from the process
into which the memory was originally mapped. In addition, the driver must take additional
steps to ensure that it is notified when the original process ends, even if another
process still has an open handle to the mapped memory.
·
The driver must unmap the
memory when the user-mode process exits, and it must synchronize the unmapping
operation with other I/O operations on the handle.
·
Hibernation and stop-device
requests require additional handling so that the driver can unmap the memory if
the user-mode application has not closed its handle.
0 komentar:
Posting Komentar