Static Detection Of Unsafe DMA Accesses In Device Drivers

7m ago
13 Views
1 Downloads
4.94 MB
18 Pages
Last View : 8d ago
Last Download : 3m ago
Upload by : Elise Ammons
Transcription

Static Detection of Unsafe DMA Accesses inDevice DriversJia-Ju Bai and Tuo Li, Tsinghua University; Kangjie Lu, University of Minnesota;Shi-Min Hu, Tsinghua security21/presentation/baiThis paper is included in the Proceedings of the30th USENIX Security Symposium.August 11–13, 2021978-1-939133-24-3Open access to the Proceedings of the30th USENIX Security Symposiumis sponsored by USENIX.

Static Detection of Unsafe DMA Accesses in Device DriversJia-Ju BaiTsinghua UniversityTuo LiTsinghua UniversityAbstractDirect Memory Access (DMA) is a popular mechanismfor improving hardware I/O performance, and it has beenwidely used by many existing device drivers. However, DMAaccesses can be unsafe, from two aspects. First, without propersynchronization of DMA buffers with hardware registers andCPU cache, the buffer data stored in CPU cache and hardwareregisters can be inconsistent, which can cause unexpectedhardware behaviors. Second, a malfunctioning or untrustedhardware device can write bad data into system memory,which can trigger security bugs (such as buffer overflow andinvalid-pointer access), if the driver uses the data withoutcorrect validation. To detect unsafe DMA accesses, somekey challenges need to be solved. For example, because eachDMA access is implemented as a regular variable access inthe driver code, identifying DMA accesses is difficult.In this paper, we propose a static-analysis approach namedSADA, to automatically and accurately detect unsafe DMAaccesses in device drivers. SADA consists of three basicsteps. First, SADA uses a field-based alias analysis to identifyDMA accesses, according to the information of DMA-buffercreation. Second, SADA uses a flow-sensitive and patternbased analysis to check the safety of each DMA access, todetect possible unsafe DMA accesses. Finally, SADA usesan SMT solver to validate the code-path condition of eachpossible unsafe DMA access, to drop false positives. We haveevaluated SADA on the driver code of Linux 5.6, and found284 real unsafe DMA accesses. Among them, we highlightthat 121 can trigger buffer-overflow bugs and 36 can triggerinvalid-pointer accesses causing arbitrary read or write. Wehave reported these unsafe DMA accesses to Linux driverdevelopers, and 105 of them have been confirmed.1IntroductionA modern operating system (OS) controls different kinds ofperipheral hardware devices, including Ethernet controllers,sound cards, storage adapters and so on. To improve the performance of data communication between the OS and hardwareUSENIX AssociationKangjie LuUniversity of MinnesotaShi-Min HuTsinghua Universitydevices, Direct Memory Access (DMA) is designed to reduceCPU involvement for hardware I/O. The OS enables DMAby mapping hardware registers to an area of system memory,which is called DMA buffer, and then the OS can directlyaccess the hardware registers by accessing the DMA buffer.Many existing device drivers have used DMA to improveperformance, but DMA accesses can be unsafe, even thoughIOMMU has been used to guarantee their accessed memoryaddresses are valid. First, the driver should access the DMAbuffer only when the buffer has been properly synchronizedwith hardware registers and CPU cache. Otherwise, the accessed data stored in hardware registers and CPU cache canbe inconsistent, which can cause unexpected behaviors of thehardware device. For short, we call such a problem as inconsistent DMA access. Second, considering that a hardware devicecan be malfunctioning [27, 55] or untrusted [28, 53, 65], it canwrite bad data into DMA buffers, and thus the driver shouldperform correct validation of the data from DMA buffersbefore using it. Otherwise, security bugs (such as buffer overflow and invalid-pointer access) can be triggered at runtime.For short, we call such a problem as unchecked DMA access.To mitigate the security risks from DMA accesses, severalrecent works [45, 51, 52] perform driver fuzzing and havefound some security bugs caused by the bad data from DMAbuffers. Specifically, they create a simulated device to generate and mutate hardware inputs (including the data from DMAbuffers), and test whether the driver can correctly handle theseinputs. But they still have some limitations in detecting unsafeDMA accesses. First, they require associated simulated devices to actually run the tested drivers, and implementing suchsimulated devices often requires much manual work. Second,their code coverage is limited to generated test cases, causingthat many real unsafe DMA accesses are missed. Finally, theycannot detect inconsistent DMA accesses, because they donot consider the synchronization of DMA buffers.Static analysis is effective in achieving high code coverage and reducing false negatives. But using static analysisto detect unsafe DMA accesses in the Linux driver code isstill challenging. First, as each DMA access is implemented30th USENIX Security Symposium1629

as a regular variable access in the driver code, it is difficultto statically identify DMA accesses. Second, as the Linuxkernel code base is very large and complex, performing staticanalysis of it is also difficult. Third, static analysis can reportmany false positives due to lacking exact runtime informationof the driver. To our knowledge, there is no systematic staticapproach of detecting unsafe DMA accesses at present.In this paper, we propose a static-analysis approach namedSADA (Static Analysis of DMA Accesses), to automaticallyand accurately detect unsafe DMA accesses in device drivers.Overall, SADA consists of three basic steps. First, considering that DMA accesses and DMA mapping creation may beperformed in different driver functions, SADA uses a fieldbased alias analysis to identify DMA accesses according tothe information of DMA mapping creation, because our studyof the Linux driver code finds that about 87% of created DMAbuffers are stored in data structure fields in the driver code.Second, SADA uses a flow-sensitive and pattern-based analysis to check the safety of each DMA access, to detect possibleunsafe DMA accesses. Specifically, to detect inconsistentDMA accesses, SADA checks whether each DMA accessis performed with proper synchronization of DMA buffersby analyzing code context. To detect unchecked DMA access, SADA uses a static taint analysis to check whether theaccessed data from DMA buffers can cause possible insecure influence on data flow or control flow. For example, ifa variable stored in a DMA buffer is used as an array indexwithout any check, a buffer-overflow bug can occur. Finally,SADA uses an SMT solver Z3 [66] to validate the code-pathfeasibility of each possible unsafe DMA access, to drop falseones. In this way, the overhead introduced by the SMT solvercan be reduced compared to the traditional way of validatingcode-path condition while analyzing the whole driver code.We have implemented SADA with LLVM [33].Overall, we make the following technical contributions: By studying DMA in device drivers, we reveal the security risks of DMA accesses from two aspects: 1) theycan cause unexpected hardware behaviors; and 2) theycan trigger security bugs (such as buffer overflow andinvalid-pointer access) caused by the bad data from malfunctioning or untrusted hardware devices. We propose a practical static-analysis approach namedSADA, to effectively detect unsafe DMA accesses indevice drivers. SADA incorporates multiple techniquesto ensure the precision and effectiveness of the detection.To our knowledge, SADA is the first systematic staticapproach to detect unsafe DMA accesses. We evaluate SADA on Linux 5.6, and find 284 realunsafe DMA accesses. Among them, we highlight that121 can trigger buffer-overflow bugs and 36 can triggerinvalid-pointer accesses causing arbitrary read or write.We have reported these unsafe DMA accesses to Linuxdriver developers, and 105 of them have been confirmed.163030th USENIX Security SymposiumThe rest of this paper is organized as follows. Section 2introduces the background and our study of DMA. Section 3analyzes the challenges of static detection of unsafe DMAaccesses. Section 4 introduces our solution techniques. Section 5 presents SADA in detail. Section 6 shows our evaluation. Section 7 makes a discussion about SADA and unsafeDMA accesses. Section 8 introduces related work, and Section 9 concludes this paper.2Background and Study of DMAIn this section, we introduce DMA and its problems in existingresearch, then reveal the security risks of DMA accesses, andfinally study DMA in Linux device drivers.2.1DMA ArchitectureDirect Memory Access (DMA) is a popular mechanism thatallows peripheral hardware devices to communicate data withsystem memory without CPU involvement. Without DMA,when the data is transfered between a hardware device andsystem memory, a CPU is typically fully occupied for theentire duration of the data transfer, and thus this CPU is unavailable to perform other tasks. With DMA, a CPU justinitiates the data transfer and then hands over the actual datatransfers to the DMA controller (DMAC) , so the CPU canfocus on other tasks. Once the data transfer finishes, the CPUwill receive an interrupt from the DMA controller to wrap upthe data transfer. In this way, the CPU performs only the minimum jobs, namely initialization and finalization of the datatransfers, which thus improves hardware I/O performance.CPUCacheData SynchronizationSystem MemoryDevice 1Device 2 Device NDMA BufferDMA TransferDMA ControllerHardware I/OFigure 1: The DMA architecture.Figure 1 shows the architecture of DMA in modern computer systems. To enable DMA, a DMA buffer is allocatedand mapped to system memory and hardware registers. Whenthe CPU wants to read hardware registers, it directly readsthe DMA buffer in system memory and synchronizes the datainto the CPU cache. Similarly, when the CPU wants to writehardware registers, it directly writes to the DMA buffer insystem memory and synchronizes the data into hardware registers. To reduce programming complexity, each DMA accessis implemented as a regular variable access in the driver code,such as data dma buf- data (reading a DMA buffer)and dma buf- data data (writing a DMA buffer).USENIX Association

AllocateReleaseMapUnmapSynchronizeCoherent DMAdma alloc coherent, pci alloc consistent, dma pool alloc, .dma free coherent, pci free consistent, dma pool free, .Streaming DMAdma map single, dma map page, pci map single, .dma unmap single, dma unmap page, pci unmap single, .dma sync single for cpu, pci dma sync single for device, .Table 1: Typical DMA interfaces in the Linux kernel.DMA type. According to the synchronization way with thehardware registers and CPU cache, there are two types ofDMA buffers used in device drivers:Coherent DMA buffer. A coherent DMA buffer is simultaneously available to both the CPU and hardware device, andit often exists for the lifetime of the driver (it is allocated indriver initialization and released in driver removal). To makethe data stored in hardware registers and CPU cache alwayscoherent, this DMA buffer must live in cache-coherent memory, which is often expensive to set up and use. In this way,the driver does not need to explicitly synchronize the databetween hardware registers and CPU cache.Streaming DMA buffer. A streaming DMA buffer is asynchronously available to both the CPU and hardware device,and it is often dynamically mapped and unmapped to a specific memory area when the driver runs. Because the datastored in hardware registers and CPU cache can be inconsistent, the driver needs to explicitly synchronize the databetween them at proper time. However, because streamingDMA buffer does not live in cache-coherent memory, it ischeaper than coherent DMA buffer to set up and use.DMA interface. The Linux kernel provides specific kernelinterfaces for drivers to perform DMA operations. Table 1 listssome commonly-used interfaces for coherent and streamingDMA buffers. Note that a coherent DMA buffer is in cachecoherent memory, and thus it does not require interfaces forsynchronization between hardware registers and CPU cache.2.2DMA Problems in Existing ResearchThough DMA can improve hardware I/O performance, it alsointroduces security risks. In the past few years, many securityproblems of DMA have been found and extensively fixed, andwe list representative ones as follows:DMA attack. Through DMA, a malicious DMA-enabledhardware device can gain direct access to part or all of thesystem memory [21]. In this way, the attacker can steal confidential data or take control of the OS. To defend againstDMA attack, many existing approaches [40–42, 44, 58] useInput-Output Memory Management Unit (IOMMU) to limitthe area of system memory that a DMA-enabled hardwaredevice can access.Invalid mapping. A DMA buffer should be mapped to aphysical memory area of contiguous addresses. For this reason, a DMA buffer cannot be mapped to stack memory, be-USENIX Associationcause its physical memory addresses can be non-contiguous.Otherwise, unexpected stack overflow may occur at runtime.Recently, such problems are highlighted by Linux driver developers [23], because some Linux kernel commits (such as6c2794a2984f [6] and 3840c5b78803 [7]) have been applied to fix such problems.Improper checking of buffer creation. Once a DMA interface is called by the driver to create a DMA buffer, its returnvalue should be properly checked in the driver code, becausethe creation can fail. Otherwise, null-pointer dereferences orinvalid DMA accesses may occur. In 2013, Linux driver developers used a simple static analysis [22] to detect many suchproblems in the Linux kernel, and some of them have beenfixed by past kernel commits (such as cf3c4c03060b [8] andc9bfbb31af7c [9]).Buffer-destroy omission. The driver should destroy the created DMA buffer before removal; otherwise memory leakswill occur. Several existing approaches of resource-leak detection (such as Hector [48] and PR-Miner [32]) have found somesuch problems, and they have been fixed by past kernel commits (such as 37c85c3498c5 [10] and 7ca2cd291fd8 [11]).Summary. Most of the above DMA problems are related toDMA creation and destroy, which are performed by callingspecific DMA interfaces. Thus, most existing approachescheck the rules of these DMA interfaces to detect DMA problems. In fact, besides calling these DMA interfaces, performing DMA accesses can also have security risks, which havenot been fully realized by existing research. Thus, in thispaper, we instead focus on detecting unsafe DMA accesseswhich are introduced in Section 2.3.2.3Security Risks of DMA AccessesAccording to the type of DMA buffer introduced in Section 2.1, a DMA access can be a streaming DMA accessor a coherent DMA access, which has different security risks:Streaming DMA access. Once a streaming DMA buffer ismapped, it belongs to the hardware device instead of the CPU.Until the buffer has been unmapped, the driver should not access the content of the streaming DMA buffer; one exceptionis that the driver is allowed to access buffer content duringsynchronization with hardware registers and CPU cache [17].Otherwise, accessing the content of the streaming DMA buffercan introduce data inconsistency between hardware registersand CPU cache, causing unexpected hardware behaviors. Forshort, we call such a problem as inconsistent DMA access.Figure 2 presents a real inconsistent DMA access in thertl8192ce wireless device driver in Linux 5.6. In the functionrtl92ce tx fill cmddesc, pci map single is called tomap skb- data to a streaming DMA buffer on line 531.Then, the local variable hdr points to skb- data on line 535.After that, on line 536, hdr- frame control is read and assigned to fc, namely a streaming DMA access is performed30th USENIX Security Symposium1631

FILE: 8192ce/trx.c522. void rtl92ce tx fill cmddesc(.) {.// Streaming DMA mapping531. dma addr t mapping pci map single(., skb- data, .);.535. struct ieee80211 hdr *hdr (struct ieee80211 hdr *)(skb- data);536 fc hdr- frame control; // Inconsistent DMA access!.584. }FILE: linux-5.6/drivers/net/vmxnet3/vmxnet3 drv.c3240. static int vmxnet3 probe device(.) {.// Coherent DMA allocation3373. adapter- rss conf dma alloc coherent(.);.3531. }FILE: linux-5.6/drivers/net/vmxnet3/vmxnet3 ethtool.c693. static int vmxnet3 get rss(.) {.696. struct UPT1 RSSConf *rssConf adapter- rss conf;697. unsigned int n rssConf- indTableSize;.704. while (n--)705.p[n] rssConf- indTable[n]; // Possible buffer overflow706. return 0;707. }FILE: linux-5.6/drivers/net/vmxnet3/upt1 defs.h80. struct UPT1 RSSConf {81.u16 hashType;.86.u8 indTable[UPT1 RSS MAX IND TABLE SIZE]; // Bound is 12887. }Figure 2: Example inconsistent DMA access.without synchronization, causing an inconsistent DMA access. The driver developers admit that this problem can causeunexpected hardware behaviors, which can make the drivercrash. This problem was introduced in Linux 4.4 (releasedin Jan. 2016) and was fixed 4.5 years later (Oct. 2020) by us,based on a bug report of our approach SADA. We fixed thisproblem by accessing hdr- frame control before callingpci map single.Coherent DMA access. Different from streaming DMAbuffers, coherent DMA buffers do not require explicit synchronization with hardware registers and CPU cache. But onone hand, because a hardware device can be malfunctioningor untrusted, it can write bad data into coherent DMA buffers;on the other hand, as the hardware device and driver can bothmodify the data in coherent DMA buffers, the driver may getdifferent data when reading the same coherent DMA buffer,causing double-fetch cases. For the two reasons, the drivershould perform correct validation of the data from DMAbuffers before using it. Otherwise, security bugs (such asbuffer overflow and invalid-pointer access) can be triggered.For short, we call such a problem as unchecked DMA access.Figure 3 presents a confirmed unchecked DMA accessin the vmxnet3 network device driver in Linux 5.6. In thefunction vmxnet3 probe device, dma alloc coherent iscalled to allocate a coherent DMA buffer assigned toadapter- rss conf. In the function vmxnet3 get rss,adapter- rss conf is assigned to a local variable rssConf,and then rssConf- indTableSize is assigned to a local variable n. Thus, n stores the data in the coherent DMA buffer ofadapter- rss conf, and it can be modified to a bad valueby the malfunctioning or untrusted device. In this case, n canbe larger than the bound of rssConf- indTable, causing abuffer-overflow bug when rssConf- indTable[n] is read.This problem was introduced in Linux 3.16 (released in Aug.2014) and was fixed nearly 6 years later (Jun. 2020) by us,based on a bug report of our approach SADA. We fixed it byadding a check of n with the bound of rssConf- indTablebefore rssConf- indTable[n] is read.Rules of DMA accesses. For better understanding, we illustrate the rules of streaming and coherent DMA accesses withreal DMA interfaces of the Linux kernel in Figure 4. The codesegments shown in Figure 2 and Figure 3 obviously violatethe rules, and thus they have unsafe DMA accesses.163230th USENIX Security SymposiumFigure 3: Example unchecked DMA access.dma addr dma map single(buf)Accessing the content ofbuf is forbidden!dma sync single for cpu(dma addr)Accessing the content ofbuf is allowed!dma sync single for device(dma addr)Accessing the content ofbuf is forbidden!dma unmap single(dma addr)(a) Streaming DMA accessdma buf dma alloc coherent(.)Data in dma buf shouldbe correctly validated!Use data in dma buf(b) Coherent DMA accessFigure 4: Rules of DMA accesses with typical interfaces.2.4Threat ModelOur threat model consists of an adversary that attacks theOS through DMA accesses by leveraging software defects inbenign drivers to achieve malicious goals, such as denial ofservice and privilege escalation. In practice, a device driveris often provided by the OS kernel, and it is used to managemultiple third-party hardware devices and support specificworkloads at the user level. For example, the USB core driverprovided by the Linux kernel is used to control different kindsof USB devices and support user-level USB services. Thus,drivers are always considered to be benign, but hardware devices and user-level workloads can be untrusted. As a result,attacks can be launched in two ways. First, attackers canexecute specific workloads at the user level to trigger inconsistent DMA accesses, which can cause unexpected hardwarebehaviors or even crash the OS. Second, attackers can usean untrusted hardware device to provide malicious data tothe driver via DMA buffers, which can cause buffer overflow,invalid-pointer access, and other serious security issues.2.5State of the Art for DMA-Access CheckingRecently, several driver fuzzing approaches [45, 51, 52] havefound some unchecked DMA accesses, by generating andmutating hardware inputs from simulated devices. But theymay miss many real unchecked DMA accesses due to lim-USENIX Association

ited code coverage of runtime testing. Moreover, they do notconsider the synchronization of streaming DMA buffers, andthus cannot detect inconsistent DMA accesses. Besides, theyrequire associated simulated devices to run the tested drivers,but implementing such simulated devices often requires muchmanual work. To solve these limitations, we aim to design aneffective static-analysis approach to automatically and accurately detect unsafe DMA accesses as many as possible.2.6DMA buffer may be first stored in a local variable after creation (such as p dma alloc coherent(.)) and thenthis local variable is assigned to a data structure field (suchas dev- dma buf p), we also manually check the aliasrelationship between variables in the study.Driver TotalStudy of DMA in Linux Device DriversTo understand the importance of detecting unsafe DMA accesses, we need to know how many existing device drivershave DMA operations. To find the answer, we manually studythe driver source code in the Linux kernel, to calculate the proportion of device drivers that have DMA operations. Due tothe large number of Linux device drivers and time constraints,we select all the drivers of 8 common classes in Linux 5.6 andmanually read their source code, to identify the drivers thatcall DMA interfaces defined in the Linux kernel. Consideringthat a driver may be generated from multiple source files, weidentify the number of drivers by manually checking theirMakefiles in the Linux kernel.Table 2 shows the results of our study. About 46% of studied drivers explicitly call DMA interfaces, indicating thatDMA operations are common in existing device drivers. Forthis reason, it is important to check the safety of DMA accesses in device drivers.Driver TotalSource file (.c)110282720924591194143085015939Driver number3191437518095153262971288Call DMA interface168 (53%)46 (32%)51 (68%)57 (32%)43 (45%)87 (57%)24 (92%)114 (38%)590 (46%)Table 2: Study results of DMA in Linux device drivers.From Figure 2 and Figure 3, we find an interesting characteristic of DMA-buffer creation, namely when DMA buffersare created, they are often stored in data structure fields inthe driver code. The data structure fields skb- data in Figure 2 and adapter- rss conf in Figure 3 are both suchexamples. This characteristic is understandable, because topass key information (including DMA buffers) between different functions, device drivers often wrap such informationin specific data structures and share them via function arguments. To clearly know whether this characteristic is commonin existing drivers, we manually study the source code of1288 drivers in Table 2 again. Specifically, we first identifythe function calls to streaming DMA mapping and coherentDMA allocation, and then check whether the created DMAbuffers are stored in data structure fields. Considering that aUSENIX AssociationStruct / Streaming490 / 563 (87%)101 / 119 (85%)264 / 280 (94%)41 / 49 (84%)44 / 44 (100%)86 / 105 (82%)43 / 60 (72%)23 / 27 (85%)1092 / 1247 (88%)Struct / Coherent443 / 493 (90%)90 / 103 (87%)90 / 93 (97%)48 / 52 (92%)13 / 13 (100%)382 / 487 (78%)91 / 95 (96%)74 / 85 (87%)1231 / 1421 (87%)Struct / Both933 / 1056 (88%)191 / 222 (86%)354 / 373 (95%)89 / 101 (88%)57 / 57 (100%)468 / 592 (79%)134 / 155 (86%)97 / 112 (87%)2323 / 2668 (87%)Table 3: Study results of data structure fields for DMA.Table 3 shows the results of our study. About 87% of created DMA buffers are stored in data structure fields, whichindicates that this characteristic is common in exsiting drivers.Inspired by this, we can first select data structure fields ofDMA buffers and then use them to identify DMA accesses.3ChallengesTo effectively detect unsafe DMA accesses via static analysis,we need to solve three main challenges:C1: Identifying DMA accesses. In the driver code, eachDMA access is implemented as a regular variable access, asshown in Figure 2 and Figure 3. Thus, compared to non-DMAhardware accesses calling specific kernel interfaces (such asioread8), identifying DMA accesses is more difficult.Figure 2 shows that the DMA-buffer creation and access arein the same function, namely in an explicit control flow. Thus,an intuitive solution is to first identify each DMA-buffer creation and then perform a flow-sensitive analysis starting fromthis creation to identify DMA accesses. But this solution islimited, as in many cases, the DMA-buffer creation and accessare in two different functions without explicit execution orderfrom static code observation, namely in a broken control flow.The code in Figure 3 is such an example. The coherent DMAbuffer is allocated in the function vmxnet3 probe device,and the buffer is accessed in vmxnet3 get rss, but the twofunctions do not have explicit execution order from static codeobservation. Thus, identifying DMA accesses in the case ofbroken control flow is challenging.C2: Checking the safety of DMA accesses. Given a DMAaccess, we need to check whether it is safe, according tothe rules shown in Figure 4. Specifically, for a streamingDMA access, we need to check whether it occurs during thesynchronization with hardware registers and CPU cache; for acoherent DMA access, we need to check whether it can causepossible insecure influence in driver code. To accurately andcompletely check the safety of these DMA accesses, we need30th USENIX Security Symposium1633

perform a flow-sensitive and inter-procedural analysis of theLinux kernel code. However, as the Linux kernel code baseis very large (amounting to over 18M lines of code countedby CLOC [16] in Linux 5.6) and complex (involving lots offunction calls), performing such analysis can be difficult.C3: Dropping false positives. Without validating code-pathfeasibility, static analysis can report many false positives.Thus, many previous approaches [13, 14, 39, 47, 50] use SMTsolvers to validate all encountered code paths during analysis.However, an SMT solver is often expensive and the Linuxkernel code base is very large and complex, so scaling thevalidation of code-path feasibility in this way is challenging.GetDmaInfo: Get data structure fields of DMA buffers created in the driver1: dma var set : ø; dma struct set : ø;2: foreach call in driver do3:if call is not used to create DMA buffers then4:continue;5:end if6:ret var : GetStoredReturnVal(call);7:var set : GetAliasVarSet (ret var); // Including ret var8:foreach var in var set do9:AddSet(var, dma var set);10:struct info : GetStructInfo(var); // Get structure type and field11:if struct info ! null then12:AddSet(struct info, dma struct set);13:end if14:end foreach15: end foreachFigure 5: Procedure of handling DMA-buffer creation.4Key TechniquesTo solve the above challenges, we propose three key techniques. For C1, we propose a field-based alias analysis toeffectively identify DMA accesses, according to the information of DMA mapping creation. For C2, we propose aflow-sensitive and pattern-based analysis to accurately andefficiently check the safety of DMA accesses. For C3, wepropose an efficient code-path validation method to drop falsepositives and reduce the overhead of using SMT solvers. Wewill introduce them as follows:4.1DMA-Access IdentificationAs we studied in Section 2.6, about 87% of created DMAbuffers are stored in data structure fields. Inspired by thisobservation, we propose a field-based alias analysis to identify DMA accesses in the cases of broken control flow, bymatching the data structure type and field of the created DMAbuffers and DMA accesses. This analysis has two steps:S1: Handling DMA-buffer creation. In this step, we identify each DMA-buffer creation and collect its data structurefield. Figure 5 shows the procedure of this step. The setdma var set stores the variables of created DMA buffers, andit is used to identify DMA accesses in the cases of explicitcontrol flow; the set dma struct set stores the informationabout data structure fields of created DMA buffers (includingdata structure type and field), and it is used to identify DMAaccesses in the cases of broken control flow.This step first initializes dma var set and dma struct setto empty, and then analyzes each function call in the drivercode. This step checks whether the function call is used to create a DMA buffer, according to the name of its called function.If not, this call is neglected. Then, this step gets the variableret var to which the function call’s return value is stored.Because ret var may be aliased with other variables, this stepperforms an intra-procedural, flow-insensitive and Andersenstyle alias analysis [1] to identify all variables aliased withret var (including ret var). This step stores ret var and itsaliased variables in a set var set. For each variable var

Direct Memory Access (DMA) is a popular mechanism for improving hardware I/O performance, and it has been widely used by many existing device drivers. However, DMA accesses can be unsafe,from two aspects. First,withoutproper synchronization of DMA buffers with hardware registers and CPU cache, the buffer data stored in CPU cache and hardware

Related Documents:

PG 3 DMA-011 DMA-043 DMA-096 DMA-053 DMA-056 DMA-064 DMA-063 DMA-066 DMA-066B DMA-067 DMA-068 DMA-079 DMA-084 DMA-087 DMA-088

Different DMA for each surface type. Slide courtesy of Santa Barbara County and Dan Cloak. 1225 SF Existing Impervious Area. DMA-1. 3200 DMA-2. 3200 DMA-3: 3700 DMA-4. 12400 DMA-5: 500 DMA-6. 8500 DMA-7: 4200 Total 35700 1225 SF Existing Impervious Area. Slide courtesy of Santa Barbara County and Dan Cloak. Sizing - Treatment Only. DMA Name .

This DMA General Certification Overview course is the first of five mandatory courses required for DMA certification: 1. DMA General Certification Overview 2. DMA Military Sexual Trauma (MST) and the Disability Examination Process 3. DMA Medical Opinions 4. DMA Aggravation Opinions 5. DMA Gulf War General Medical Examination

DMA interrupt handler are implemented in emlib, but callbacks can be registered by application emlib DMA config includes DMA interrupt handler Callback functions registered during DMA config 17. Hands-on task 1 - Basic Mode 1. Open an\fae_training\iar\dma.eww and got to adc_basic project 2. Run code and check that DMA- CHREQSTATUS[0] is set to 1

Linux - DMA buf Application Coprocessor libmetal Allocator (ION ) Remoteproc ioctl to import DMA buf Linux Kernel metal_shm_open() metal_shm_attach() metal_shm_sync DMA buf DMA buf fd DMA buf fd va, dev_addr DMA buf fd dev addr, size Sync_r/Sync_w, Ack RPMsg dev_addr, size Sync_r/Sync_w, Shm size Ack

CLASSIFIED ADVERTISING 400 East 11th Street Chattanooga, Tennessee 37403 (423) 757-6252 FAX (423) 757-6337 Market & Retail Trading Zones Adults in Percent TFP TFP Reach Weekly Times Free Press Readers Chatt. DMA of DMA Readers % in DMA DMA Chattanooga DMA 744,860 100.0% 312

The DMA-1240 (DMA-1275) is a 12-channel, multi-use, multi-zone power amplifier that is flexible and powerful enough to amplify every speaker in your whole-house audio system and/or home theater system. This amplifier delivers exceptionally

Copyright National Literacy Trust (Alex Rider Secret Mission teaching ideas) Trademarks Alex Rider ; Boy with Torch Logo 2010 Stormbreaker Productions Ltd .