Re: ACPI interpreter security
On 16/10/12 05:26, Thor Lancelot Simon wrote:
I've been looking recently at a variety of firmware rootkit sample code,
and discussions of how to mitigate it.
I am particularly intrigued by the occasional mention I see that some
operating systems "sandbox" the ACPI AML interpreter, executing it with
most of the kernel memory unmapped.
How hard would it be to do this in NetBSD?
I guess this would not be overly difficult: build a custom pmap and load
it for a given CPU, then let the AML interpreter run. Switch back to
kernel pmap once done. IIRC the vm86 code did that for the 8086
emulation that had to map memory at 0x0 (BTW, my thanks to dsl@ for
getting rid of it).
I am not really knowledgeable about the AML interpreter and its capabilities,
so just thinking out loud.
The sandbox is the real challenge; having most of the kernel unmapped
avoids patching the IDT or syscall table through their VA, but I bet you
could do it by using their physical address. Given that the kernel is
loaded at predetermined addresses during boot, only the offset would be
required to patch the tables (offset you can get from the kernel file
Granted, it is better than nothing though.