From owner-freebsd-hackers@FreeBSD.ORG Fri Mar 27 14:41:39 2009
From: Andriy Gapon <avg@icyb.net.ua>
To: Won De Erick
Cc: freebsd-hackers@freebsd.org
Date: Fri, 27 Mar 2009 16:41:34 +0200
Message-ID: <49CCE59E.6020606@icyb.net.ua>
In-Reply-To: <492862.81876.qm@web45808.mail.sp1.yahoo.com>
Subject: Re: Switching to SMM with FreeBSD 6.2 onwards

on 27/03/2009 15:47 Won De Erick said the following:
> --- On Fri, 3/27/09, Andriy Gapon wrote:
>> on 27/03/2009 12:35 Ivan Voras said the following:
>>> One thing that comes to my mind is this:
>>> http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf
>
> I will add that to the ff:
>
> http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot-paper.pdf
>
> I've made the exploit code found in the appendix runnable on FreeBSD 7.1
> by replacing some of the unsupported functions, but I'm still looking for
> ways to verify whether I've successfully written data to the intended
> address or not. I've replaced '/dev/xf86' with '/dev/mem'. Then I opened
> '/dev/io' instead of using 'i386_get_ioperm()'. Am I on the right track?

I believe yes. I made identical changes to Joanna/Rafal's code that gets a
glimpse of what the SMI handler does via the CPU cache.

Interesting read :)

-- 
Andriy Gapon