SoK: Understanding the Attack Surface in Device Driver Isolation Frameworks

Device driver isolation is a promising approach for protecting the kernel from faulty or malicious drivers, but the actual security provided by such frameworks is often not well understood. Recent research has identified Compartment Interface Vulnerabilities (CIVs) in userspace compartmentalized applications, yet their impact on driver isolation frameworks remains poorly understood. This paper provides a comprehensive survey of the design and security guarantees of existing driver isolation frameworks and systemizes existing CIV classifications, evaluating them under driver isolation. The analysis shows that different classes of CIVs are prevalent across the studied drivers under a baseline threat model, with large drivers having more than 100 instances of different CIVs and an average of 33 instances across the studied drivers. Enforcing extra security properties, such as CFI, can reduce the number of CIVs to around 28 instances on average. This study provides insights for understanding existing driver isolation security and the prevalence of CIVs in the driver isolation context, and extracts useful insights that can provide security guidance for future driver isolation systems.