Trustworthy Systems

UNSW Sydney
 
 
 
Our Partners Intel

User-level Device Drivers

The reliability of device drivers is of critical importance to the overall stability of computer systems. Our approach to improving reliability of device drivers is to run them as unprivileged user processes, rather than in the kernel.

Running device drivers external to the kernel provides a number of advantages:

Robustness
A faulty driver in this situation will not cause the kernel to crash. A simple example of this is that a driver which does a NULL pointer dereference can be detected by the operating system and restarted.
Security
Running drivers external to the kernel provides the opportunity to significantly reduce the trusted computing base. Although running drivers at user-level can trap inadvertent bugs, they do not, on their own, stop potentially malicious drivers from corrupting the system when using direct memory access (DMA). Our approach uses the I/O MMU hardware technology available in newer chipsets to also control the DMA transactions that can be performed by the user-level drivers. This provides the foundation for making device drivers completely untrusted.
Ease of development and debugging
It is generally much easier for both users and developers to manage code that runs at user-level. This means that you do not need special tools to start device drivers, but rather they can just be started as you would start a regular program. For the developer this means standard debuggers and development tools can be used, and also allows for a shorter development cycle as new versions of the driver can be tested without a whole system reboot.
Enabling more interesting virtual machine technology
Hosted (type II) virtual machines usually use emulated hardware. By allowing user-level drivers, a guest can use its standard device drivers to control real hardware devices.

Much of the results of our user-level driver research are now forming part of the OKL4 product of Open Kernel Labs. Present ERTOS research is focussing on the use of IOMMUs for making device drivers untrusted, and the evaluation of the performance impact of IOMMUs.

Performance

The main perceived drawback of running device drivers at user-level is that it has a dramatic impact on performance. Previous work on user-level device drivers typically reported a 50% performance degradation over in-kernel device drivers, manifested as either a reduction in throughput or increase in CPU utilisation. Our current experiments suggests that this need not be the case.

Our experience with user-level drivers for storage devices shows that performance is similar to in-kernel drivers. This is not surprising, as disk latencies are high anyway, and file systems are optimised for hiding this latency.

More critical are high-bandwidth network devices, which are characterised by small (compared to disks) packet sizes and high interrupt rates. Our benchmarks (see detailed performance) indicate that even there the performance degradation can be kept reasonably low (less than 10% increase in CPU utilisation).

Further Information

People

Past

Publications

Abstract PDF Joshua LeVasseur
Device-driver reuse via virtual machines
PhD Thesis, UNSW, Sydney, Australia, May, 2009
Abstract PDF Myrto Zehnder and Peter Chubb
Virtualising PCI
Gelato ICE, Singapore, October, 2006
Abstract PDF Ben Leslie, Peter Chubb, Nicholas FitzRoy-Dale, Stefan Götz, Charles Gray, Luke Macpherson, Daniel Potts, Yueting (Rita) Shen, Kevin Elphinstone and Gernot Heiser
User-level device drivers: Achieved performance
Journal of Computer Science and Technology, Volume 20, Number 5, pp. 654–664, September, 2005
Abstract PDF Ben Leslie, Peter Chubb, Nicholas FitzRoy-Dale, Stefan Götz, Charles Gray, Luke Macpherson, Daniel Potts, Yueting (Rita) Shen, Kevin Elphinstone and Gernot Heiser
User-level device drivers: Achieved performance
Technical Report PA005043, NICTA, July, 2005
Abstract PDF Peter Chubb
Get more device drivers out of the kernel!
Ottawa Linux Symposium, Ottawa, Canada, July, 2004
Abstract PDF Peter Chubb
Linux kernel infrastructure for user-level device drivers
Linux.conf.au, Adelaide, Australia, January, 2004
Abstract PDF Ben Leslie, Nicholas FitzRoy-Dale and Gernot Heiser
Encapsulated user-level device drivers in the Mungi operating system
Workshop on Object Systems and Software Architectures , Victor Harbor, South Australia, Australia, January, 2004
Abstract PDF Ben Leslie and Gernot Heiser
Towards untrusted device drivers
Technical Report UNSW-CSE-TR-0303, School of Computer Science and Engineering, March, 2003