DOCSLIB.ORG

Device Driver Safety Through a Reference Validation Mechanism ∗

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Device Driver Safety Through a Reference Validation Mechanism ∗ Device Driver Safety Through a Reference Validation Mechanism ∗ Dan Williams, Patrick Reynolds, Kevin Walsh, Emin Gun¨ Sirer, Fred B. Schneider Cornell University Abstract to isolate the operating system from accidental driver Device drivers typically execute in supervisor mode and faults, but these drivers retain sufficient I/O privileges thus must be fully trusted. This paper describes how to that they must still be trusted. move them out of the trusted computing base, by running This paper introduces a practical mechanism for exe- them without supervisor privileges and constraining their cuting device drivers in user space and without privilege. interactions with hardware devices. An implementation Specifically, device drivers are isolated using hardware of this approach in the Nexus operating system executes protection boundaries. Each device driver is given ac- drivers in user space, leveraging hardware isolation and cess only to the minimum resources and operations nec- checking their behavior against a safety specification. essary to support the devices it controls (least privilege), 1 These Nexus drivers have performance comparable to in- thereby shrinking the TCB. A system in which device kernel, trusted drivers, with a level of CPU overhead ac- drivers have minimal privileges is easier to audit and less ceptable for most applications. For example, the moni- susceptible to Trojans in third-party device drivers. tored driver for an Intel e1000 Ethernet card has through- Even in user space, device drivers execute hardware put comparable to a trusted driver for the same hardware I/O operations and handle interrupts. These operations under Linux. And a monitored driver for the Intel i810 can cause device behavior that compromises the integrity sound card provides continuous playback. Drivers for a or availability of the kernel or other programs. There- disk and a USB mouse have also been moved success- fore, our driver architecture introduces a global, trusted fully to operate in user space with safety specifications. reference validation mechanism (RVM) [3] that mediates all interaction between device drivers and devices. The RVM invokes a device-specific reference monitor to val- 1 Introduction idate interactions between a driver and its associated de- vice, thereby ensuring the driver conforms to a device Device drivers constitute over half of the source code of safety specification (DSS), which defines allowed and, many operating system kernels, with a bug rate up to by extension, prohibited behaviors. seven times higher than other kernel code [10]. They The DSS is expressed in a domain-specific language are often written by outside developers, and they are less and defines a state machine that accepts permissible tran- rigorously examined and tested than the rest of the kernel sitions by a monitored device driver. We provide a com- code. Yet device drivers are part of the trusted computing piler to translate a DSS into a reference monitor that im- base (TCB) of every application, because the monolithic plements the state machine. Every operation by the de- architecture of mainstream operating systems forces de- vice driver is vetted by the reference monitor, and oper- vice drivers to be executed inside the kernel, with high ations that would cause an illegal transition are blocked. privilege. Some microkernels and other research operat- The entire architecture is depicted in Figure 1. ing systems [2, 9, 21, 24] run device drivers in user space The RVM protects the integrity, confidentiality, and ∗Supported by NICECAP cooperative agreement FA8750-07- availability of the system, by preventing: 2-0037 administered by AFRL, AFOSR grant F49620-03-1-0156, Illegal reads and writes: Drivers cannot read or National Science Foundation Grants 0430161 and CCF-0424422 • (TRUST), ONR Grant N00014-01-1-0968, and Microsoft Corporation. modify memory they do not own. USENIX Association 8th USENIX Symposium on Operating Systems Design and Implementation 241 Unprivileged totype implementation demonstrates that this approach can defend against malicious drivers and that the perfor- Device drivers mance costs of this enhanced security are not prohibitive. User space 2 Device I/O Model Reference DSSes RVM Monitors Trusted Device drivers send commands to devices, check de- Compiler Kernel vice status using registers, receive notification of status Interrupts I/O changes through interrupts, and initiate bulk data trans- fers using direct memory access (DMA). How they do so Device constitutes a platform’s I/O model. Our work is targeted Device to the x86 architecture and PCI buses; what follows is a Figure 1: Safe user-space device driver architecture. brief overview of the I/O model on that platform. Similar features are found on other processors and buses. Modern buses implement device enumeration and Priority escalation: Drivers cannot escalate their • endpoint identification. Each device on a PCI bus is iden- scheduling priority. tified by a 16-bit vendor identifier and a 16-bit model Processor starvation: Drivers cannot hold the • number; the resulting 32-bit device identifier identifies CPU for more than a pre-specified number of time the device.2 Some devices with different model num- slices. bers may nonetheless be similar enough to share a single Device-specific attacks: Drivers cannot exhaust • driver and a single DSS. Device enumeration is a pro- device resources or cause physical damage to de- cess for identifying all devices attached to a bus; end- vices. point identification is the process of querying a device In addition, given a suitable DSS, an RVM can enforce for its type, capabilities, and resource requirements. site-specific policies to govern how devices are used. For Device enumeration and endpoint identification typi- example, administrators at confidentiality-sensitive or- cally occur at boot time. Interrupt lines and I/O regis- ganizations might wish to disallow the use of attached ters are assigned, according to device requests, to all de- microphones or cameras; or administrators of trusted vices discovered. Device identifiers govern which device networks might wish to disallow promiscuous (sniffing) drivers to load. Unrecognized devices, for which no DSS mode on network cards. is available, are ignored and are not available to drivers. One alternative to our approach for monitoring and Devices have registers, which are read and written by constraining device driver behavior is to use hardware drivers to get status, send commands, and transfer data. capable of blocking illegal operations. Hardware-based The registers comprise I/O ports (accessed using instruc- approaches, however, are necessarily limited to policies tions like inb and outb), memory-mapped I/O, and expressed in terms of hardware events and abstractions. PCI-configuration registers. Each register is identified An IOMMU [1, 4, 14, 23], for example, can limit the by a type and an address. Contiguous sets of registers ability of devices to perform DMA transfers to or from constitute a range, identified by type, base address, and physical addresses the associated drivers cannot read or limit (the number of addresses in the range). For all reg- write directly. IOMMUs, however, do not mediate as- ister types, accesses are parameterized by an address, a pects of driver and system safety that go beyond the size, and, for writes, a value of the given size. Write memory access interface [7]; for example, an IOMMU operations elicit no response; read operations produce a cannot prevent interrupt livelock, limit excessively long value of the given size as a response. Both operations interrupt processing, protect devices from physical harm can cause side effects on a device. by drivers, or enforce site-specific policies. As IOMMUs Devices that transfer large amounts of data typically become prevalent, our approach could leverage them as employ DMA rather than requiring a device driver to hardware accelerators for memory protection. transfer each word of data individually through device In sum, this paper shows how to augment common registers. Before initiating a DMA transfer, the device memory protection techniques with device-specific ref- driver typically sets a control register on the device to erence monitors to execute drivers with limited privilege point to a buffer in memory. Some devices can perform and in user space. The requisite infrastructure is small, DMA to or from multiple memory locations; in this case, easy to audit, and shared across all devices. Our pro- a control register might contain a pointer to a list, ring, 242 8th USENIX Symposium on Operating Systems Design and Implementation USENIX Association or tree structure with pointers to many buffers. Device performs low-level I/O operations, handles interrupts, or drivers using DMA transfers must first obtain from the initiates DMA transfers, and drivers for peripherals com- kernel one or more memory regions with known, fixed, municate with their devices through the controller driver. physical addresses. Hence, all communication is visible to a single reference Devices can be synchronous or asynchronous. Drivers monitor, which suffices to validate the operations of all must poll synchronous devices for completed operations drivers in the hierarchy. or changes in status. In contrast, when a driver submits Some devices, particularly high-performance network an operation to an asynchronous device, the driver yields cards and 3-D graphics cards, support loading and exe- the CPU until the device later signals its response (or cuting programs (e.g., for TCP offload or vertex shad- other status change) by interrupting the processor. When ing) on a processor on the device. Other devices may that interrupt occurs, the operating system invokes code support loading firmware, either ephemerally or perma- specified by the driver. In most cases, an interrupt must nently. Such programs and firmware change the way the be acknowledged by a driver, or the device will continue device behaves; thus, they must be trustworthy. Pro- to send the same interrupt. Interrupts can be prioritized grams and firmware are loaded through I/O operations relative to each other, but they generally occur with a or DMA, both of which can be monitored.
Load more

Recommended publications
  • The Linux Kernel Module Programming Guide
    The Linux Kernel Module Programming Guide Peter Jay Salzman Michael Burian Ori Pomerantz Copyright © 2001 Peter Jay Salzman 2007−05−18 ver 2.6.4 The Linux Kernel Module Programming Guide is a free book; you may reproduce and/or modify it under the terms of the Open Software License, version 1.1. You can obtain a copy of this license at http://opensource.org/licenses/osl.php. This book is distributed in the hope it will be useful, but without any warranty, without even the implied warranty of merchantability or fitness for a particular purpose. The author encourages wide distribution of this book for personal or commercial use, provided the above copyright notice remains intact and the method adheres to the provisions of the Open Software License. In summary, you may copy and distribute this book free of charge or for a profit. No explicit permission is required from the author for reproduction of this book in any medium, physical or electronic. Derivative works and translations of this document must be placed under the Open Software License, and the original copyright notice must remain intact. If you have contributed new material to this book, you must make the material and source code available for your revisions. Please make revisions and updates available directly to the document maintainer, Peter Jay Salzman <[email protected]>. This will allow for the merging of updates and provide consistent revisions to the Linux community. If you publish or distribute this book commercially, donations, royalties, and/or printed copies are greatly appreciated by the author and the Linux Documentation Project (LDP).
    [Show full text]
  • Introduction to Linux Kernel Driver Programming
    IntroductionIntroduction toto LinuxLinux kernelkernel driverdriver programmingprogramming Introduction to Linux kernel driver programming The Linux kernel device model Authors and license ● Authors – Michael Opdenacker ([email protected]) Founder of Bootlin, kernel and embedded Linux engineering company https://bootlin.com/company/staff/michael-opdenacker ● License – Creative Commons Attribution – Share Alike 4.0 https://creativecommons.org/licenses/by-sa/4.0/ – Document sources: https://github.com/e-ale/Slides Need for a device model ● For the same device, need to use the same device driver on multiple CPU architectures (x86, ARM…), even though the hardware controllers are different. ● Need for a single driver to support multiple devices of the same kind. ● This requires a clean organization of the code, with the device drivers separated from the controller drivers, the hardware description separated from the drivers themselves, etc. Driver: between bus infrastructure and framework In Linux, a driver is always interfacing with: ● a framework that allows the driver to expose the hardware features in a generic way. ● a bus infrastructure, part of the device model, to detect/communicate with the hardware. Let’s focus on the bus infrastructure for now Device model data structures The device model is organized around three main data structures: ● The struct bus_type structure, which represent one type of bus (USB, PCI, I2C, etc.) ● The struct device_driver structure, which represents one driver capable of handling certain devices on a certain bus. ● The struct device structure, which represents one device connected to a bus The kernel uses inheritance to create more specialized versions of struct device_driver and struct device for each bus subsystem.
    [Show full text]
  • The Linux Device File-System
    The Linux Device File-System Richard Gooch EMC Corporation [email protected] Abstract 1 Introduction All Unix systems provide access to hardware via de- vice drivers. These drivers need to provide entry points for user-space applications and system tools to access the hardware. Following the \everything is a file” philosophy of Unix, these entry points are ex- posed in the file name-space, and are called \device The Device File-System (devfs) provides a power- special files” or \device nodes". ful new device management mechanism for Linux. Unlike other existing and proposed device manage- This paper discusses how these device nodes are cre- ment schemes, it is powerful, flexible, scalable and ated and managed in conventional Unix systems and efficient. the limitations this scheme imposes. An alternative mechanism is then presented. It is an alternative to conventional disc-based char- acter and block special devices. Kernel device drivers can register devices by name rather than de- vice numbers, and these device entries will appear in the file-system automatically. 1.1 Device numbers Devfs provides an immediate benefit to system ad- ministrators, as it implements a device naming scheme which is more convenient for large systems Conventional Unix systems have the concept of a (providing a topology-based name-space) and small \device number". Each instance of a driver and systems (via a device-class based name-space) alike. hardware component is assigned a unique device number. Within the kernel, this device number is Device driver authors can benefit from devfs by used to refer to the hardware and driver instance.
    [Show full text]
  • Topic 10: Device Driver
    Topic 10: Device Driver Tongping Liu University of Massachusetts Amherst 1 Administration • Today it is the deadline of Project3 • Homework5 is posted, due on 05/03 • Bonus points: ECE570 – 3 points, ECE670-5 points – Design exam questions – Process&threads, scheduling, synchronization, IPC, memory management, device driver/virtualization – Due: 05/01 • Survey project (ECE570/ECE670): 05/12 University of Massachusetts Amherst 2 Objectives • Understanding concepts of device driver, e.g., device number, device file • Understand the difference of kernel modules and device drivers • Learn how to implement a simple kernel module • Learn how to implement a simple device driver University of Massachusetts Amherst 3 Outline • Basic concepts • Kernel module • Writing device driver University of Massachusetts Amherst 4 Device Driver • A special kind of computer program that operates or controls a particular type of device that is attached to a computer University of Massachusetts Amherst 5 Device Driver • A special kind of computer program that operates or controls a particular type of device that is attached to a computer – Needs to execute privileged instructions – Must be integrated into the OS kernel, with a specific format – Interfaces both to kernel and to hardware University of Massachusetts Amherst 6 Whole System Stack Note: This picture is excerpted from Write a Linux Hardware Device Driver, Andrew O’Shauqhnessy, Unix world University of Massachusetts Amherst 7 Another View from OS University of Massachusetts Amherst 8 Type of Devices • Character device – Read or write one byte at a time as a stream of sequential data – Examples: serial ports, parallel ports, sound cards, keyboard • Block device – Randomly access fixed-sized chunks of data (block) – Examples: hard disks, USB cameras University of Massachusetts Amherst 9 Linux Device Driver • Manage data flow between user programs and device • Typically a self-contained kernel module – Add and remove dynamically • Device is a special file in /dev that user can access, e.g.
    [Show full text]
  • Analyst® Device Driver 1.3 Release Notes 2 / 16 RUO-IDV-03-1997-E Contents
    Analyst® Device Driver 1.3 Release Notes RUO-IDV-03-1997-E May 2018 This document is provided to customers who have purchased SCIEX equipment to use in the operation of such SCIEX equipment. This document is copyright protected and any reproduction of this document or any part of this document is strictly prohibited, except as SCIEX may authorize in writing. Software that may be described in this document is furnished under a license agreement. It is against the law to copy, modify, or distribute the software on any medium, except as specifically allowed in the license agreement. Furthermore, the license agreement may prohibit the software from being disassembled, reverse engineered, or decompiled for any purpose. Warranties are as stated therein. Portions of this document may make reference to other manufacturers and/or their products, which may contain parts whose names are registered as trademarks and/or function as trademarks of their respective owners. Any such use is intended only to designate those manufacturers' products as supplied by SCIEX for incorporation into its equipment and does not imply any right and/or license to use or permit others to use such manufacturers' and/or their product names as trademarks. SCIEX warranties are limited to those express warranties provided at the time of sale or license of its products and are SCIEX’s sole and exclusive representations, warranties, and obligations. SCIEX makes no other warranty of any kind whatsoever, expressed or implied, including without limitation, warranties of merchantability or fitness for a particular purpose, whether arising from a statute or otherwise in law or from a course of dealing or usage of trade, all of which are expressly disclaimed, and assumes no responsibility or contingent liability, including indirect or consequential damages, for any use by the purchaser or for any adverse circumstances arising therefrom.
    [Show full text]
  • Reactos-Devtutorial.Pdf
    Developer Tutorials Developer Tutorials Next Developer Tutorials Table of Contents I. Newbie Developer 1. Introduction to ReactOS development 2. Where to get the latest ReactOS source, compilation tools and how to compile the source 3. Testing your compiled ReactOS code 4. Where to go from here (newbie developer) II. Centralized Source Code Repository 5. Introducing CVS 6. Downloading and configuring your CVS client 7. Checking out a new tree 8. Updating your tree with the latest code 9. Applying for write access 10. Submitting your code with CVS 11. Submitting a patch to the project III. Advanced Developer 12. CD Packaging Guide 13. ReactOS Architecture Whitepaper 14. ReactOS WINE Developer Guide IV. Bochs testing 15. Introducing Bochs 16. Downloading and Using Bochs with ReactOS 17. The compile, test and debug cycle under Bochs V. VMware Testing 18. Introducing VMware List of Tables 7.1. Modules http://reactos.com/rosdocs/tutorials/bk02.html (1 of 2) [3/18/2003 12:16:53 PM] Developer Tutorials Prev Up Next Chapter 8. Where to go from here Home Part I. Newbie Developer (newbie user) http://reactos.com/rosdocs/tutorials/bk02.html (2 of 2) [3/18/2003 12:16:53 PM] Part I. Newbie Developer Part I. Newbie Developer Prev Developer Tutorials Next Newbie Developer Table of Contents 1. Introduction to ReactOS development 2. Where to get the latest ReactOS source, compilation tools and how to compile the source 3. Testing your compiled ReactOS code 4. Where to go from here (newbie developer) Prev Up Next Developer Tutorials Home Chapter 1. Introduction to ReactOS development http://reactos.com/rosdocs/tutorials/bk02pt01.html [3/18/2003 12:16:54 PM] Chapter 1.
    [Show full text]
  • Detecting Exploit Code Execution in Loadable Kernel Modules
    Detecting Exploit Code Execution in Loadable Kernel Modules HaizhiXu WenliangDu SteveJ.Chapin Systems Assurance Institute Syracuse University 3-114 CST, 111 College Place, Syracuse, NY 13210, USA g fhxu02, wedu, chapin @syr.edu Abstract and pointer checks can lead to kernel-level exploits, which can jeopardize the integrity of the running kernel. Inside the In current extensible monolithic operating systems, load- kernel, exploitcode has the privilegeto interceptsystem ser- able kernel modules (LKM) have unrestricted access to vice routines, to modify interrupt handlers, and to overwrite all portions of kernel memory and I/O space. As a result, kernel data. In such cases, the behavior of the entire sys- kernel-module exploitation can jeopardize the integrity of tem may become suspect. the entire system. In this paper, we analyze the threat that Kernel-level protection is different from user space pro- comes from the implicit trust relationship between the oper- tection. Not every application-level protection mechanism ating system kernel and loadable kernel modules. We then can be applied directly to kernel code, because privileges present a specification-directed access monitoring tool— of the kernel environment is different from that of the user HECK, that detects kernel modules for malicious code ex- space. For example, non-executableuser page [21] and non- ecution. Inside the module, HECK prevents code execution executable user stack [29] use virtual memory mapping sup- on the kernel stack and the data sections; on the bound- port for pages and segments, but inside the kernel, a page ary, HECK restricts the module’s access to only those kernel or segment fault can lead to kernel panic.
    [Show full text]
  • Lab 1: Loadable Kernel Modules (Lkms)
    Lab 1: Loadable Kernel Modules (LKMs) Overview For this lab, we will be interfacing with an LCD screen using the Phytec board. This means we will be creating device drivers for our system to allow it to interact with our hardware. Since our board is running Linux­­ which is a pretty advanced operating system for most embedded devices­­ we will want to accomplish this by appending additional functionality to the working kernel. This is done using loadable kernel modules. Background Before we get too far, here is some important information we will need to know in order to interact with the Linux kernel and perform the functions we want. To write device drivers we must first understand what they are. There are three main types of device drivers; character, block, and network. In this class, we will be writing character device drivers. A character device driver is one that transfers data directly to and from a user process. This is the most common type of device driver. Character device drivers normally perform I/O in a byte stream. They can also provide additional interfaces not present in block drivers, such as I/O control commands, memory mapping, and device polling. Drivers that support a file system are known as block device drivers. Block ​ device drivers take a file system request, in the form of a buffer structure, and issue the ​ I/O operations to the disk to transfer the specified block. Block device drivers can also provide a character driver interface that allows utility programs to bypass the file system and access the device directly.
    [Show full text]
  • Lab 4: Linux Device Drivers and Opencv
    Lab 4: Linux Device Drivers and OpenCV This lab will teach you the basics of writing a device driver in Linux. By the end of the lab, you will be able to (1) build basic loadable kernel modules (2) implement a h-bridge device driver, (3) talk to device drivers using ioctl, and (4) communicate with your device driver using code from user space. The first bit of this lab is based on a fantastic device driver tutorial written by Xavier Calbet at Free Software Magazinei. We recommend taking a look at his article before starting the lab. The key idea is that it is desirable to have a standard interface to devices. In Linux (and most Unix variants) this interface is that of a file. All hardware devices look like regular files: they can be opened, closed, read and written using the same system calls that are used to manipulate files. Every device in the system is represented by a device special file, for example the first IDE disk in the system is represented by /dev/hda.ii Exactly what happens when you read or write from the device will vary by device, but in general you can get data from it by reading from the special file and you can change it by writing to it. (For example, doing “cat /dev/hda” will cause the raw contents of the disc to be printed.) The exact way devices have been managed on Linux has varied over time. In general devices all started out in the /dev directory, generally with one “special file” per device.
    [Show full text]
  • Dw1000 Device Driver Application Programming Interface (Api)
    DW1000 DEVICE DRIVER API GUIDE DW1000 DEVICE DRIVER APPLICATION PROGRAMMING INTERFACE (API) GUIDE USING API FUNCTIONS TO CONFIGURE AND PROGRAM THE DW1000 UWB TRANSCEIVER This document is subject to change without notice © Decawave Ltd 2016 Version 2.7 Page 1 of 101 DW1000 Device Driver API Guide DOCUMENT INFORMATION Disclaimer Decawave reserves the right to change product specifications without notice. As far as possible changes to functionality and specifications will be issued in product specific errata sheets or in new versions of this document. Customers are advised to check the Decawave website for the most recent updates on this product Copyright © 2015 Decawave Ltd LIFE SUPPORT POLICY Decawave products are not authorized for use in safety-critical applications (such as life support) where a failure of the Decawave product would reasonably be expected to cause severe personal injury or death. Decawave customers using or selling Decawave products in such a manner do so entirely at their own risk and agree to fully indemnify Decawave and its representatives against any damages arising out of the use of Decawave products in such safety-critical applications. Caution! ESD sensitive device. Precaution should be used when handling the device in order to prevent permanent damage © Decawave Ltd 2016 Version 2.7 Page 2 of 101 DW1000 Device Driver API Guide DISCLAIMER This Disclaimer applies to the DW1000 API source code (collectively “Decawave Software”) provided by Decawave Ltd. (“Decawave”). Downloading, accepting delivery of or using the Decawave Software indicates your agreement to the terms of this Disclaimer. If you do not agree with the terms of this Disclaimer do not download, accept delivery of or use the Decawave Software.
    [Show full text]
  • What Are Device Drivers?
    LESSON 1.1-1.21.1-1.2 98-365 Windows Server Administration Fundamentals UnderstandUnderstand DeviceDevice DriversDrivers andand ServicesServices LESSON 1.1-1.21.1-1.2 98-365 Windows Server Administration Fundamentals Lesson Overview How does the operating system communicate with hardware and services? In this lesson, you will learn: How operating system communicate with device drivers How to troubleshoot device driver errors Why drivers are digitally signed How Windows services control the operating system How to manage Windows services LESSON 1.1-1.21.1-1.2 98-365 Windows Server Administration Fundamentals Anticipatory Set On a sheet of paper, answer the following questions: 1. What is a device driver? 2. What application would be used to manage or troubleshoot a device? 3. What are the four startup types for Windows services? 4. A service has failed to start; what console would you first use to determine why the service failed to start? LESSON 1.1-1.21.1-1.2 98-365 Windows Server Administration Fundamentals What are device drivers? Software components that permit an operating system to communicate with a device The operating system typically require a driver to communicate with peripheral components. o The appropriate driver is required for a server to be able to send a print job to a locally attached printer. LESSON 1.1-1.21.1-1.2 98-365 Windows Server Administration Fundamentals Managing Device Drivers (options) 1. Install drivers 2. Update drivers 3. Rollback drivers 4. Disable devices All options can be done using Device Manager LESSON 1.1-1.21.1-1.2 98-365 Windows Server Administration Fundamentals LESSON 1.1-1.21.1-1.2 98-365 Windows Server Administration Fundamentals Driver signing Drivers that are used must be digitally signed.
    [Show full text]
  • Creating User-Mode Device Drivers with a Proxy Galen C
    Creating User-Mode Device Drivers with a Proxy Galen C. Hunt [email protected] Department of Computer Science University of Rochester Rochester, NY 14627-0226 Abstract Writing device drivers is complicated because drivers operate as kernel-mode programs. Device drivers have Writing Windows NT device drivers can be a daunting limited access to other OS services and must be task. Device drivers must be fully re-entrant, must use conscious of kernel paging demands. Debugging only limited resources and must be created with special kernel-mode device drivers normally requires two development environments. Executing device drivers machines: one for the driver and another for the in user-mode offers significant coding advantages. debugger. User-mode device drivers have access to all user-mode libraries and applications. They can be developed using Device drivers run in kernel mode to optimize system standard development tools and debugged on a single performance. Kernel-mode device drivers have full machine. Using the Proxy Driver to retrieve I/O access to hardware resources and the data of user-mode requests from the kernel, user-mode drivers can export programs. From kernel mode, device drivers can full device services to the kernel and applications. exploit operations such as DMA and page sharing to User-mode device drivers offer enormous flexibility for transfer data directly into application address spaces. emulating devices and experimenting with new file Device drivers are placed in the kernel to minimize the systems. Experimental results show that in many number of times the CPU must cross the user/kernel cases, the overhead of moving to user-mode for boundary.
    [Show full text]