Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For...
-
Upload
sylvia-owens -
Category
Documents
-
view
215 -
download
1
Transcript of Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For...
![Page 1: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/1.jpg)
![Page 2: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/2.jpg)
Best PracticesSteve MailletChief Software ArchitectEmbeddedFusion
ECE401Best Practices For Driver Development
![Page 3: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/3.jpg)
Overview
Why Does Any of this Matter?System ArchitectureAccessing HardwareHandling InterruptsExchanging Data with ApplicationsSecurityPortabilityUser Mode Drivers
Differences between Windows CE 5.0 and Windows Embedded CE 6.0
…besides the name change Page 3
![Page 4: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/4.jpg)
Why Does Any of this Matter?
Security and system stabilityData integrity and system security are significant issues
Maximize re-usability of a driverDecrease development time for next useIncrease sales opportunities
Page 4
![Page 5: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/5.jpg)
System Architecture (Windows CE 5.0)
Application(s)
COREDLL
NK.EXE
OAL
GWES.EXE FILESYS.EXE
Object Store
Touch Display Keyboard ROM FSStorage Manager
DEVICE.EXE
SERVICES.EXE
FTP HTTPD TELNETD
RAM ROM/
FLASH
Timer INTC
CPU
HARDWARE
SerialUSB
(Function)PCCard ...
DevMgr.Dll
Block Device
Serial Custom
Page 5
![Page 6: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/6.jpg)
System Architecture (CE 6.0)
OAL.EXE
Application(s)
GWES.DLL FileSys.Dll
Object Store
ROM FSStorage Manager
Device.Dll
HARDWARE
COREDLL
NK.DLL
RAM ROM/
FLASH
Timer INTC
CPU
KITL.DLL
Touch Display KeyboardBlock
DeviceSerial Custom
Page 6
![Page 7: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/7.jpg)
Accessing Hardware
Mapping memory and I/O windows
BusTransBusAddressToVirtualConverts a bus-relative address to a virtual address accessible by the calling process
BusTransBusAddressToStaticConverts a bus-relative address to a virtual address
Page 7
![Page 8: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/8.jpg)
Accessing Hardware
Read memory and I/O Windows from registryUse DDKReg_GetWindowInfo
Account for memory or I/O window stride8-bit devices are often mapped to 32-bit buses by offsetting each register in the address spaceIf your driver hard-codes assuming an 8-bit bus, then it’s useless in a system with a 16- or 32-bit busSeparate pointer for each register, don’t use a “C” struct
Page 8
![Page 9: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/9.jpg)
Handling Interrupts
Read Interrupt info from registryUse DDKReg_GetIsrInfo()
Use I/O Resource ManagerUse ResourceRquestEx/ResourceReleaseRequest access to the IRQ
Request/Release SYSINTR if not provided by bus driverIOCTL_HAL_REQUEST_SYSINTR/IOCTL_HAL_RELEASE_SYSINTR
Load IISR if providedDon’t assume only IISR is GIISR!GIISR is generic for PCI buses but not always suitable for many SoC systems
Page 9
![Page 10: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/10.jpg)
Exchanging Data with ApplicationsPerforming security checks
Pointer mapping
Embedded pointers
Thread permissions/marshalling
Page 10
![Page 11: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/11.jpg)
Performing Security Checks
Pointer mapping
Access checking
Thread permissions
Caller trust
Page 11
![Page 12: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/12.jpg)
Pointer Mapping
Application provides pointers to data to the driver
Driver runs in separate context from applications
Kernel in Windows CE 6.0
Device.exe/Gwes.exe in CE 5.0
Kernel automatically maps application pointers passed directly as parameters into space available to the driver
Driver must handle pointers embedded in data passed to the driver
Page 12
![Page 13: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/13.jpg)
Access Checking
Malicious apps can pass a buffer to the driver that contains an embedded pointer to kernel space and ask driver to access it—thereby modifying the kernel!
Proper access checking in driver will prevent this dangerous scenario.
Page 13
![Page 14: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/14.jpg)
Embedded Pointers
Kernel performs basic access checks and mapping on all pointer parameters to driver entry points.
Embedded pointers require special care as the OS cannot perform any checks as it has no way to know what to check.
Page 14
![Page 15: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/15.jpg)
Example Embedded Pointer
Application writes text to specified location of simple text-based display
Pointer to TextData passed to driver
OS checks access to the buffer (TextData)
Driver MUST check access to embedded pText member using Length member as the size
struct TextData
{ int row; int Col; const TCHAR* pText; size_t Len;}
Page 15
![Page 16: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/16.jpg)
Access Checks and Pointer MappingCE 5.0
MapCallerPointerPerforms address space mapping and access rights checking
CE 6.0CeOpenCallerBuffer / CeCloseCallerBuffer
Portability tipIn CE 5.0, create lib with CeOpenCallerBuffer that calls MapCallerPointer()Or hide pointer mapping in a custom portability lib
Page 16
![Page 17: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/17.jpg)
Data Buffers and Threads
Secondary worker threads need special access to buffers
CE 5.0: use Get/SetProcPermissionsGetPermissions in the calling thread and SetProcPermissions on the secondary thread
CE 6.0: use CeAllocAsynchronousBuffer/CeFreeAsynchronousBuffer
Page 17
![Page 18: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/18.jpg)
Security
Caller Buffer data integrity
Driver’s don’t know if caller is buggy or malicious
Protection is the same for both
Page 18
![Page 19: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/19.jpg)
Invalid Pointers
Can cause serious crashes
Exceptions can cause hard to track memory leaks if not handled correctly
Invalid data lengths are related to invalid pointers
e.g., Caller says buffer is 1 MB but it’s really only 1 K
Page 19
![Page 20: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/20.jpg)
Exception Handling
__try/__except
Surround all buffer accesses with exception handling
Protects against invalid pointers and lengths
Allows clean up of resources in __except
Page 20
![Page 21: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/21.jpg)
Malicious Callers
Never implicitly trust the caller!
Caller can modify the buffer while driver is still using it!
Secondary application thread that manipulates the buffer while another thread is in a driver call
Cause crashesGet access to memory it shouldn’t by manipulating embedded pointers
Just because you can access a buffer doesn’t mean it is always safe to do so.
Page 21
![Page 22: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/22.jpg)
Embedded Pointers Revisited!
Row
Col
S1Len
S1Offset
S2Len
S2Offset
S1
S2
InBufSize
pInBuf
Avoid them if you can!
Avoid embedded pointers
Use offsets and Lengths or variable length structures
Security issues
Works in User Mode drivers
Page 22
![Page 23: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/23.jpg)
Embedded Pointers Revisited
Always copy embedded pointers to a local variable
Easily accomplished as part of mapping and access checks
Never store the mapped/checked pointer back to the buffer
Never use the pointer in the buffer directly after it’s mapped and checked
Always use Driver’s local checked and mapped copy so you know the pointer is valid.
Page 23
![Page 24: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/24.jpg)
Embedded Lengths Revisited
Same basic issues as pointers
Always copy the length from the buffer before performing access checks and mapping
Never use the length directly in the buffer after copying it
Caller can still alter the data and cause problems from overruns if length is altered “on the fly”
Page 24
![Page 25: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/25.jpg)
Portability
Data access and mapping
Biggest difference for drivers in CE 6.0 is in how drivers access embedded pointers
Simple library can hide the differences between the 2 operating systems
Page 25
![Page 26: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/26.jpg)
User Mode Drivers
In CE 5.0 drivers were always “user mode”
Major difference from “kernel mode” is permissions to access memory above 0x7FFFFFFF
In CE 6.0 drivers are in Kernel mode by default
Kernel mode drivers run in the kernel address space.
For security and stability reasons CE 6.0 adds user mode drivers
Goal is 100% compatibility between kernel mode driver and user mode driver
Switch from one to the other at build time
Embedded pointers prevent 100% compatibility
Page 26
![Page 27: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/27.jpg)
User Mode Driver Model
Cor
eDll.
dll
CE
DD
K.d
ll
Driver.DLLDevmgr.dll
UDEVICE.EXER
edire
ctor
OAL.EXE
Page 27
![Page 28: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/28.jpg)
Installable ISRs for User Mode DriversInstallable ISRs are loaded into kernel address
space
Security risk for User Mode Dlls
Only GIISRDLL is allowed as that is a known item that doesn’t pose a risk
If your system needs an IISR and can’t use GIISR then the driver must run kernel mode
Page 28
![Page 29: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/29.jpg)
Summary
Drivers can leverage common patterns to simplify development and make drivers more robust
Driver developers must consider security implications of every call into the driver
With a little care and discipline drivers can operate on multiple platforms and bus configurations
Page 29
![Page 30: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/30.jpg)
While You're Here
Fill out your session evaluationEnter to win a Windows Mobile® phone or Zune™
The Battle BeginsStay tuned for the Sumo Robotics competition
at the Tao attendee party
Meet the geeksThe Expert Cabana is packed with MEDC speakers and MVPs
![Page 31: Best Practices Steve Maillet Chief Software Architect EmbeddedFusion ECE401 Best Practices For Driver Development.](https://reader034.fdocuments.in/reader034/viewer/2022051621/5697bfcf1a28abf838ca9d50/html5/thumbnails/31.jpg)
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date
of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.