upvote
There are people working on this problem honestly. The general solution 10 years ago was a micro kernel. Today, I’m not sure. The linux model is starting to look dated, with similar problems elsewhere. Modern hardware design looks less and less like classic textbook design, with all kinds of random chips having direct memory access to memory the cpu uses on some shared bus. Where even things like on board blue tooth chips can become attack vectors on the system.

There was a good keynote on the topic 5 years ago By Timothy Roscoe

https://www.usenix.org/conference/osdi21/presentation/fri-ke...

reply
Agree with all of those points and there are some partial solutions (IOMMU, userspace drivers, virtualization,...), but we're still quite far from being able to safely connect untrusted hardware and load its driver without effectively giving it privileged access.
reply
The User-Mode Driver Framework is a thing. Most plug-in devices do not need (or have) a kernel-mode driver.
reply
Yes, but unless all 3rd party drivers can run in userspace (which is not really feasible), Microsoft needs to give vendors the option to install a kernel driver, at which point a vendor can always decide to ship a kernel driver and bypass any restrictions.

Imo, the only thing Microsoft can meaningfully do here from their side is threaten LG with pulling all their drivers if they keep doing this.

reply
Drivers still need to pass certification & get signed. Microsoft does get to reject them.

I can't imagine the group doing this validation is sufficiently manned/funded; it's a cost centre, and the effects of cutting it don't show up for years.

reply
I expect that process to be mostly automated, I wouldn't expect the MS folks at the testing lab to do much (if any) manual testing, especially for a new version of a previously approved driver.

I'm not surprised that the driver got approved, especially if the previous versions already had some user UI and this update "just" added the ads. What I would hope now is for MS to either pull the updated driver or ask LG to roll the change back themselves, possibly under the thread of pulling their drivers altogether (iirc they done that with other companies in the past).

reply
Microsoft has a program to do static and dynamic analysis of drivers... not a sandbox, but better than nothing. Of course, wonky drivers plus wonky hardware can still do bad things (io-mmu can help, a bit).

The problems tend to be in the userspace software that's also installed with the driver. Sometimes there's also some pretty derpy stuff where the driver wants to talk to the userspace software but there's no validation/verification and that opens up a big hole.

reply
First of all, drivers don't have to run in kernel space. Do you know that? I'm guessing no, based on your comment.

Second, we're not talking about the drivers per se, as those aren't what shows you ads, it's the configuration software and accompanying crapware. Did you get that? I'm guessing no, based on your comment.

Third, there are capability-based kernels, microkernels, drivers that are allowed into as restricted bytecode, IOMMU, and several other layers of security. Do you know that? I'm guessing no, based on your comment.

reply
You don't have to counterbalance every useful sentence with a toxic message.
reply
You do, when you're responding to "Do you even know how drivers work? (I'm guessing no, based on this comment)". I'm merely giving them back their toxic comment right back.
reply
I'm not sure how I missed they did it first, but doing it more isn't really helping. Oh well, I shouldn't have said anything, it's not great but it's not worth fussing about.

Though there is a limit to how much you can effectively sandbox a driver for most devices. They do have a point even if they made it badly. I know you listed some methods but they don't generalize to arbitrary devices very well.

reply
You're right regarding the tone, it just rubbed me off the wrong way. Especially since I (originally) made a neutral comment and didn't insult anybody.

>Though there is a limit to how much you can effectively sandbox a driver for most devices. They do have a point even if they made it badly. I know you listed some methods but they don't generalize to arbitrary devices very well.

Likely not, but the rarer cases could always be exceptions.

Most devices, screens, printers, mice, audiocards, etc should not have to go through this, at least not for basic functioning.

Which is why I like e.g. "class compliant" devices for example, whereas the configurations can be managed directly from the OS with no third party driver loaded. Some of those do come with the custom proprietary driver, but for most I don't even bother installing it.

reply
Read sibling comments to get answers to all your (non)questions.
reply
Strange how you didn't read them then, based on your rude and false response to my comment.
reply