Overview
Explore a critical x86 design flaw allowing universal privilege escalation in this 47-minute Black Hat conference talk by Christopher Domas. Delve into the complex world of x86 architecture, uncovering a 20-year-old vulnerability that enables malicious code to bypass ring 0 and access ultra-privileged processor modes. Learn about the intricate layers of protection in x86, the forgotten backdoors into privileged realms, and the exploitation of an architectural 0-day built into the silicon. Discover the APIC Remap Attack, the Memory Sinkhole, and their implications for system security. Examine the firmware ecosystem, SMM rootkits, and potential mitigations. Gain insights into this unique and complex vulnerability, its impact on every system, and the future of x86 security.
Syllabus
Intro
Overview
Demonstration
The Negative Rings...
SMM ... Pandora's box
SMM Security
20 years ago...
The APIC Remap Attack
Attack Strategy
Attack Attempt 1: Fails
Attack Attempt 2
The APIC Payload
Attack Attempt 3
The Memory Sinkhole
The Firmware Ecosystem
The template SMM entry
A new class of exploits
SMM Rootkit
Impact
Mitigations
Looking Forward
Conclusion
Taught by
Black Hat