Untrusted Hardware Causes Double-fetch Problems in the I/O Memory
Abstract
The double fetch problem occurs when data is maliciously changed between two kernel reads of supposedly the same data, which can cause serious security problems in the kernel. Previous research focused on double fetches between the kernel and user applications. In this paper, we present the first dedicated study of the double fetch problem between the kernel and peripheral devices (a.k.a. the hardware double fetch). Operating systems communicate with peripheral devices by reading from and writing to device-mapped I/O (input and output) memory, and because the attached hardware is not effectively validated, compromised hardware can flip the data between two reads of the same I/O memory address, causing a double fetch problem. We propose a static pattern-matching approach to identify hardware double fetches in the Linux kernel. Our approach can analyze the entire kernel without relying on the corresponding hardware. The results were categorized, and each category was analyzed through case studies to discuss the possibility of causing bugs. We also found 4 double-fetch vulnerabilities, which have been confirmed and fixed by the maintainers as a result of our report.
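As an added illustration that is not part of the paper, the following C code places the double-fetch pattern the abstract describes beside its single-fetch fix. A hypothetical device model (`mmio_read_len`, with constructed register values) stands in for `readl()` on ioremap'd I/O memory and returns a different value on each read, as compromised hardware could.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BUF_SIZE 64

/* Hypothetical model of one untrusted MMIO length register (constructed for
 * this example): the first read returns `first`, the second read returns
 * `second`, so a flipping device can be simulated deterministically. */
static uint32_t reg_first, reg_second;
static int reg_reads;

void device_model_init(uint32_t first, uint32_t second)
{
    reg_first = first;
    reg_second = second;
    reg_reads = 0;
}

static uint32_t mmio_read_len(void)
{
    /* Stands in for readl(base + LEN_OFFSET) in a real driver. */
    return (reg_reads++ == 0) ? reg_first : reg_second;
}

/* Hardware double fetch: the length is validated on the first read of the
 * register but a second read is used for the copy. Returns the length the
 * copy would use (0 if rejected), so a caller can see the check is bypassed
 * when the device changes the value between the two reads. */
size_t copy_len_double_fetch(void)
{
    if (mmio_read_len() > BUF_SIZE)   /* fetch 1: check */
        return 0;
    return mmio_read_len();           /* fetch 2: use; may differ from fetch 1 */
}

/* Single-fetch fix: read the register exactly once into a local variable and
 * perform both the check and the use on that copy. */
size_t copy_len_single_fetch(void)
{
    uint32_t len = mmio_read_len();   /* the only fetch */
    if (len > BUF_SIZE)
        return 0;
    return len;
}

int main(void)
{
    device_model_init(16, 4096);      /* honest on read 1, flipped on read 2 */
    printf("double fetch uses %zu bytes\n", copy_len_double_fetch());
    device_model_init(16, 4096);
    printf("single fetch uses %zu bytes\n", copy_len_single_fetch());
    return 0;
}
```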