MID-006: Driver Memory Isolation
Mitigation Tier: Leading
Description
Driver memory isolation separates a given driver from other drivers and from OS/Kernel functionality wherever possible. Examples include microkernel architectures and schemes that split some or all of a driver out to run in user space rather than inside a monolithic kernel.
Deploying drivers in a memory-isolated context is an effective way of reducing the attack surface of an OS/Kernel, because drivers frequently handle I/O operations and external data, which makes them readily targetable. When drivers are not memory isolated, a vulnerability in one driver may enable a threat actor to move laterally to other drivers or OS/Kernel components, potentially giving them more access on a device. Memory isolation makes such lateral movement more difficult.
Limitations: Memory can likely never be fully separated, because driver data must still be handled by the system or by applications running on the device. For this reason the attack surface is never entirely eliminated, and other protections, such as the use of memory-safe programming languages, could be put in place to further decrease the attack surface available to a threat actor.
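The following is an added illustration of the two points above, written for this page and not taken from EMB3D, KSplit, or any real operating system. A toy "kernel" runs a deliberately buggy "driver" in a separate process and exchanges data with it only over a pipe, so a memory-safety fault in the driver (modelled here with a self-delivered SIGSEGV) kills the driver process rather than the kernel. Because driver data still has to cross the boundary, the kernel also bound-checks every reply frame, which is the residual attack surface the limitations paragraph describes. The 0xFF/0xFE trigger bytes, the XOR transform, and the MAX_FRAME bound are all constructed for the example.

```python
"""Toy model of driver memory isolation (constructed example).

The "kernel" runs a device driver in a separate process and talks to it
only over a pipe.  A memory-safety bug in the driver then kills the
driver process instead of corrupting kernel memory, and the kernel still
validates every reply that crosses the boundary, because the interface
itself remains attack surface.  None of this is a real OS mechanism.
"""
import os
import signal

MAX_FRAME = 64  # assumed bound on a reply frame the kernel will accept

# outcome codes returned by kernel_call()
OK = "ok"
DRIVER_FAULT = "driver-fault"  # driver crashed; kernel process unaffected
BAD_REPLY = "bad-reply"        # driver answered, but the frame failed validation


def buggy_driver(request: bytes) -> bytes:
    """Stand-in for a driver with a latent memory-safety bug.

    A request whose first byte is 0xFF triggers the bug.  The resulting
    wild write is modelled with a self-delivered SIGSEGV so the effect is
    deterministic.  A first byte of 0xFE models a confused driver that
    returns an oversized frame.  Anything else is a pretend device
    transform (XOR with a constant).
    """
    if request[:1] == b"\xff":
        os.kill(os.getpid(), signal.SIGSEGV)
    if request[:1] == b"\xfe":
        return b"A" * 1000
    return bytes(b ^ 0x5A for b in request)


def monolithic_call(request: bytes) -> bytes:
    """Monolithic-kernel model: the driver runs in the kernel's own address
    space, so the 0xFF request takes the whole process down and a faulty
    reply is used unchecked.  Only call it with well-formed requests."""
    return buggy_driver(request)


def kernel_call(request: bytes):
    """Isolated model: run the driver in a child process, collect its reply
    through a pipe, and validate the reply before trusting it."""
    rd, wr = os.pipe()
    pid = os.fork()
    if pid == 0:
        # child: the isolated driver context
        os.close(rd)
        try:
            os.write(wr, buggy_driver(request))
            code = 0
        except BaseException:  # any driver error is reported as a fault
            code = 1
        os._exit(code)  # never fall back into the kernel's code path
    # parent: the kernel
    os.close(wr)
    chunks = []
    while True:
        chunk = os.read(rd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(rd)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status) or os.WEXITSTATUS(status) != 0:
        # the driver died (here by SIGSEGV); the kernel process is intact
        return DRIVER_FAULT, None
    reply = b"".join(chunks)
    if len(reply) > MAX_FRAME:
        # the interface is still attack surface: bound-check what crosses it
        return BAD_REPLY, None
    return OK, reply


if __name__ == "__main__":
    for req in (b"\x01\x02", b"\xfe", b"\xff"):
        print(req.hex(), "->", kernel_call(req))
```

Running the script shows the well-formed request being served, the oversized reply rejected at the boundary, and the crashing request reported as a contained driver fault while the kernel process keeps running; passing the 0xFF request to `monolithic_call` instead would terminate the whole process, which is the monolithic-kernel failure mode the page contrasts against.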
IEC 62443 4-2 Mappings
- SAR / EDR / HDR / NDR 3.2 – Protection from malicious code
References
[1] Y. Huang, V. Narayanan, D. Detweiler, K. Huang, G. Tan, T. Jaeger, and A. Burtsev, "KSplit: Automating Device Driver Isolation," in Proc. 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI), Jul. 2022. [Online]. Available: https://www.usenix.org/system/files/osdi22-huang-yongzhe.pdf
[2] J. van Woudenberg, "Top 10 Secure Boot mistakes," presented at hardwear.io Hardware Security Conference and Training, Santa Clara, CA, USA, 2019. [Online]. Available: https://hardwear.io/usa-2019/presentations/Top-10-Secure-Boot-Mistakes-v1.1-hardwear-io-usa-2019-jasper-van-woudenberg.pdf