Saved in:
Bibliographic Details
Main Authors: Doku, Friedrich, Laughton, Jonathan, Wanninger, Nick, Dinda, Peter
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2512.16957
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866917156351901696
author Doku, Friedrich
Laughton, Jonathan
Wanninger, Nick
Dinda, Peter
author_facet Doku, Friedrich
Laughton, Jonathan
Wanninger, Nick
Dinda, Peter
contents Securing low-latency I/O in commodity systems forces a fundamental trade-off: rely on the kernel's high overhead mediated interface, or bypass it entirely, exposing sensitive hardware resources to userspace and creating new vulnerabilities. This dilemma stems from a hardware granularity mismatch: standard MMUs operate at page boundaries, making it impossible to selectively expose safe device registers without also exposing the sensitive control registers colocated on the same page. Existing solutions to driver isolation enforce an isolation model that cannot protect sub-page device resources. This paper presents CAPIO, the first architecture to leverage hardware capabilities to enforce fine-grained access control on memory-mapped I/O. Unlike prior page-based protections, CAPIO utilizes unforgeable capabilities to create precise, sub-page "slices" of device memory. This mechanism enables the kernel to delegate latency-critical hardware access to userspace applications while strictly preventing interaction with co-located privileged registers. We implement CAPIO based on CHERI on the ARM Morello platform and demonstrate a proof-of-concept safe-access driver for a commodity network card which was not originally designed for kernel bypass. We demonstrate that CAPIO achieves the latency improvements of kernel bypass while enforcing byte-level access control of privileged resources.
format Preprint
id arxiv_https___arxiv_org_abs_2512_16957
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle CAPIO: Safe Kernel-Bypass of Commodity Devices using Capabilities
Doku, Friedrich
Laughton, Jonathan
Wanninger, Nick
Dinda, Peter
Cryptography and Security
Securing low-latency I/O in commodity systems forces a fundamental trade-off: rely on the kernel's high overhead mediated interface, or bypass it entirely, exposing sensitive hardware resources to userspace and creating new vulnerabilities. This dilemma stems from a hardware granularity mismatch: standard MMUs operate at page boundaries, making it impossible to selectively expose safe device registers without also exposing the sensitive control registers colocated on the same page. Existing solutions to driver isolation enforce an isolation model that cannot protect sub-page device resources. This paper presents CAPIO, the first architecture to leverage hardware capabilities to enforce fine-grained access control on memory-mapped I/O. Unlike prior page-based protections, CAPIO utilizes unforgeable capabilities to create precise, sub-page "slices" of device memory. This mechanism enables the kernel to delegate latency-critical hardware access to userspace applications while strictly preventing interaction with co-located privileged registers. We implement CAPIO based on CHERI on the ARM Morello platform and demonstrate a proof-of-concept safe-access driver for a commodity network card which was not originally designed for kernel bypass. We demonstrate that CAPIO achieves the latency improvements of kernel bypass while enforcing byte-level access control of privileged resources.
title CAPIO: Safe Kernel-Bypass of Commodity Devices using Capabilities
topic Cryptography and Security
url https://arxiv.org/abs/2512.16957