[Info-vax] Malware in kernel mode, was: Re: Android development Was Re: OT: Larry Ellison takes retirement as CEO of Oracle
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Fri Sep 26 14:51:01 EDT 2014
On 2014-09-26, John Reagan <xyzzy1959 at gmail.com> wrote:
> On Thursday, September 25, 2014 4:15:53 PM UTC-4, Simon Clubley wrote:
>
>> BTW, even if the OS hadn't mapped in the full hardware address space,
>> it would be trivial for the malware to create its own page tables
>> (and reload the page table base address register) to gain that access
>> for itself.
>>
>
> Now you are talking malware that is VMS-specific, not
> general-purpose x86 malware (which isn't very common).
>
Once your malware is running in kernel context, it can reload CR3 by
itself without needing to involve VMS. However, this is a bit academic
for VMS since, as it's a monolithic kernel, the peripheral address
space is already likely to be available to anything running in kernel
context.
Note that here I am talking about what is physically available at
hardware level, not what is available when you go via the VMS
kernel level abstraction layer to that hardware.
> What privs does Apache normally have on VMS? (I've never looked)
>
The areas I am talking about are not process context vulnerabilities
but kernel context vulnerabilities.
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world