This endpoint is intended for working with I/O ports, MMIO, DMA, and interrupts.
Information about methods of the endpoint is provided in the table below.
Method
|
Method purpose and parameters
|
Potential danger of the method
|
RegisterPort
|
Purpose
Registers I/O ports.
Parameters
- [in]
base – base address of the I/O ports. - [in]
size – width of the address range for I/O ports. - [out]
resource – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the I/O ports. - [out]
rc – return code.
|
Allows the following:
- Hijack I/O ports (it is recommended to monitor the base address and width of the address range for I/O ports).
- Exhaust the kernel memory by creating a multitude of objects within it.
|
RegisterMmio
|
Purpose
Registers an MMIO memory region.
Parameters
- [in]
base – base address of the MMIO memory region. - [in]
size – size of the MMIO memory region in bytes. - [out]
resource – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the MMIO memory region. - [out]
rc – return code.
|
Allows the kernel memory to be used up by creating a multitude of objects within it.
|
RegisterDma
|
Purpose
Creates an DMA buffer.
Parameters
- [in]
size – size of the DMA buffer in bytes. - [in]
flags – flags defining the DMA parameters. - [in]
order – parameter defining the minimum number of memory pages (2^order) in a block. - [out]
resource – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the DMA buffer. - [out]
rc – return code.
|
Allows the following:
- Exhaust the kernel memory by creating a multitude of objects within it.
- Exhaust the RAM.
|
RegisterIrq
|
Purpose
Registers an interrupt.
Parameters
- [in]
irq – interrupt number. - [out]
resource – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the interrupt. - [out]
rc – return code.
|
Allows the kernel memory to be used up by creating a multitude of objects within it.
|
MapMem
|
Purpose
Maps an MMIO memory region to a virtual memory region.
Parameters
- [in]
resource – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the MMIO memory region. - [in]
prot – flags defining the access rights to the virtual memory region. - [in]
attr – flags defining the parameters of the virtual memory region (for example, use of caching). - [out]
address – base address of the virtual memory region. - [out]
mapping – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the virtual memory region. - [out]
rc – return code.
|
Allows the following:
- Take control of a device when mapping an MMIO memory region to a virtual memory region (it is recommended to monitor the base address and size of the MMIO memory region when the
RegisterMmio method is called). - Create shared memory for interprocess communication concealed from the security module if multiple processes own the handles of one MMIO memory region (the handle permissions masks must allow mapping of the MMIO memory region).
- Exhaust the kernel memory by creating a multitude of objects within it.
|
PermitPort
|
Purpose
Opens access to I/O ports.
Parameters
- [in]
resource – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the I/O ports. - [out]
access – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle is used to access I/O ports. - [out]
rc – return code.
|
Allows the following:
- Take control of a device (it is recommended to monitor the base address and width of the address range for I/O ports when the
RegisterPort method is called). - Exhaust the kernel memory by creating a multitude of objects within it.
|
AttachIrq
|
Purpose
Attaches an interrupt to the handle used by the interrupt handler.
Parameters
- [in]
resource – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the interrupt. - [in]
flags – flags indicating characteristics of the interrupt. - [out]
delivery – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle is used by the interrupt handler. - [out]
rc – return code.
|
Allows the following:
- Take CPU time from all other threads, including from other processes (the thread that attached to the interrupt will become a real-time thread).
- Make it impossible to terminate a process from another process (the process whose thread was attached to the interrupt cannot be terminated from another process).
- Stop the operating system (if an unhandled exception occurs in the thread handling an interrupt, the operating system stops).
- Create malicious interrupt handling, such as incorrect handling or delayed handling (it is recommended to monitor the interrupt number when the
RegisterIrq method is called). - Attach to an interrupt that is already attached to the interrupt handler in another process for the purpose of blocking handling of this interrupt.
- Exhaust the kernel memory by creating a multitude of objects within it.
|
AttachIrqEx
|
Purpose
Attaches an interrupt to the handle used by the interrupt handler.
Parameters
- [in]
resource – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the interrupt. - [in]
flags – flags indicating characteristics of the interrupt. - [in]
futexPtr – pointer to futex. - [out]
delivery – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle is used by the interrupt handler. - [out]
rc – return code.
|
Allows the following:
- Take CPU time from all other threads, including from other processes (the thread that attached to the interrupt will become a real-time thread).
- Make it impossible to terminate a process from another process (the process whose thread was attached to the interrupt cannot be terminated from another process).
- Stop the operating system (if an unhandled exception occurs in the thread handling an interrupt, the operating system stops).
- Create malicious interrupt handling, such as incorrect handling or delayed handling (it is recommended to monitor the interrupt number when the
RegisterIrq method is called). - Attach to an interrupt that is already attached to the interrupt handler in another process for the purpose of blocking handling of this interrupt.
- Exhaust the kernel memory by creating a multitude of objects within it.
|
DetachIrq
|
Purpose
Detaches an interrupt from the handle used by the interrupt handler.
Parameters
- [in]
resource – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the interrupt. - [out]
rc – return code.
|
N/A
|
EnableIrq
|
Purpose
Resumes interrupt handling.
Parameters
- [in]
resource – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the interrupt. - [out]
rc – return code.
|
N/A
|
DisableIrq
|
Purpose
Blocks interrupt handling.
Parameters
- [in]
resource – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the interrupt. - [out]
rc – return code.
|
Lets you block interrupt handling in another process.
|
ModifyDma
|
Purpose
Modifies DMA parameters.
Parameters
- [in]
resource – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the DMA buffer. - [in]
flags – flags defining the DMA parameters. - [out]
rc – return code.
|
N/A
|
MapDma
|
Purpose
Maps an DMA buffer to a virtual memory region.
Parameters
- [in]
resource – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the DMA buffer. - [in]
offset – offset (in bytes) in the DMA buffer where mapping should start. - [in]
length – size (in bytes) of the part of the DMA buffer that needs to be mapped. - [in]
hint – preferred base address of the virtual memory region, or 0 for the base address to be selected automatically. - [in]
prot – flags defining the access rights to the virtual memory region. - [out]
address – base address of the virtual memory region. - [out]
mapping – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the virtual memory region. - [out]
rc – return code.
|
Allows the following:
- Create shared memory for interprocess communication concealed from the security module if multiple processes own the handles of one DMA buffer (the handle permissions masks must allow mapping of the DMA buffer).
- Exhaust the kernel memory by creating a multitude of objects within it.
|
DmaGetInfo
|
Purpose
Lets you get information about a DMA buffer.
Parameters
- [in]
resource – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the DMA buffer. - [out]
flags – flags indicating the DMA parameters. - [out]
order – parameter indicating the minimum number of memory pages (2^order) in a block. - [out]
size – size of the DMA buffer in bytes. - [out]
count – number of blocks. - [out]
frames – sequence containing information about blocks. - [out]
rc – return code.
|
N/A
|
DmaGetPhysInfo
|
Purpose
Lets you get information about the physical memory that was used to create a DMA buffer.
Parameters
- [in]
handle – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the DMA buffer. - [out]
count – number of continuous regions of physical memory. - [out]
frames – sequence containing information about continuous regions of physical memory. - [out]
rc – return code.
|
N/A
|
BeginDma
|
Purpose
Opens access to a DMA buffer for a device.
Parameters
- [in]
resource – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the DMA buffer. - [out]
iomapping – value whose binary representation consists of multiple fields, including a handle field and a handle permissions mask field. The handle identifies the kernel object that is used to map a DMA buffer to the range of IOMMU addresses used by a device. - [out]
rc – return code.
|
Allows the kernel memory to be used up by creating a multitude of objects within it.
|