On 16/10/12 05:26, Thor Lancelot Simon wrote:
I've been looking recently at a variety of firmware rootkit sample code, and discussions of how to mitigate it. I am particularly intrigued by the occasional mention I see that some operating systems "sandbox" the ACPI AML interpreter, executing it with most of the kernel memory unmapped. How hard would it be to do this in NetBSD?
I guess this would not be overly difficult: build a custom pmap and load it for a given CPU, then let the AML interpreter run. Switch back to kernel pmap once done. IIRC the vm86 code did that for the 8086 emulation that had to map memory at 0x0 (BTW, my thanks to dsl@ for getting rid of it).
I am not really knowledgeable with AML interpreter and its capabilities, so just thinking out loud.
The sandbox is the real challenge; having most of the kernel unmapped avoids patching the IDT or syscall table through their VA, but I bet you could do it by using their physical address. Given that the kernel is loaded at predetermined addresses during boot, only the offset would be required to patch the tables (offset you can get from the kernel file directly).
Granted, it is better than nothing though.

-- 
Jean-Yves Migeon
jeanyves.migeon%free.fr@localhost
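The reply's point is that unmapping kernel memory around the AML interpreter only stops writes that go through the tables' virtual addresses; a write that reaches the same bytes another way is not stopped, so a complementary check is worth having. The following is an added example, not code from this thread or from NetBSD: a constructed, user-space stand-in for a kernel dispatch table that is hashed before and after an untrusted run, so that any change to the table is noticed regardless of the path the write took. The table layout, the `handler_t` type, the `run_guarded` helper and the two "AML" stand-in routines are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a kernel dispatch table (think syscall table or
 * IDT): NSYS handler pointers. This is not NetBSD's sysent layout. */
#define NSYS 8
typedef int (*handler_t)(void);

static int sys_noop(void)  { return 0; }
static int sys_rogue(void) { return -1; }

static handler_t syscall_table[NSYS];

static void table_init(void)
{
    for (size_t i = 0; i < NSYS; i++)
        syscall_table[i] = sys_noop;
}

/* FNV-1a over the raw bytes of the table. Cheap, and a single swapped
 * pointer changes the digest, which is all the check needs. */
static uint64_t table_digest(void)
{
    const unsigned char *p = (const unsigned char *)syscall_table;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < sizeof syscall_table; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Run untrusted code (the stand-in for the AML interpreter) between two
 * digests. Returns 1 if the table changed during the run, 0 otherwise.
 * The comparison does not care whether the write used a virtual or a
 * physical address: it only looks at the bytes afterwards. */
static int run_guarded(void (*untrusted)(void))
{
    uint64_t before = table_digest();
    untrusted();
    return table_digest() != before;
}

/* Two constructed runs: one that touches nothing, and one that overwrites
 * an entry, standing in for a write that reached the table by any path. */
static void aml_benign(void)   { /* touches nothing */ }
static void aml_patching(void) { syscall_table[3] = sys_rogue; }

int main(void)
{
    table_init();
    printf("benign run modified table:   %d\n", run_guarded(aml_benign));
    printf("patching run modified table: %d\n", run_guarded(aml_patching));
    return 0;
}
```

In a real kernel the digest would be taken over the actual table pages (and ideally over a copy kept outside the interpreter's reach), and a mismatch would be logged as a firmware-integrity event rather than printed; the structure of the check is the same.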