Hello,
did any of you ever set up a Cuckoo Sandbox running Linux and use it
to test how the execution of the ACPI code affects the system?
A few years ago malwr.com was hosting a Cuckoo Sandbox running Windows
where you could upload any executable, let it run and then get a very
detailed overview of how running the executable affected the virtual
Windows system, e.g. what changes were made in the registry, which files
were deployed and which internet connections were made.
I think it should be possible to set up a Cuckoo Sandbox which uses QEMU
to run Linux and to provide specific ACPI tables when doing so. I just
don't know how well it works, so I was curious whether any of you have
experience with this.
This won't apply to any of you developers of course, but it is just a
fact that any hacker could use modified ACPI as a means to compromise a
system, if he manages to write the modified code to the tables. And
the execution of ACPI code during a Linux boot can't be avoided, so
basically this is a quite important issue/aspect, which shouldn't be
simply disregarded. E.g. an attacker only needs to be able to hide the
call to malicious code which is located in another memory area, and
then you're doomed, considering the privileges which the ACPI code has
while it is executed in kernel space.
Kind regards and thanks in advance
David