

The Memory Sinkhole [pdf] - MrBuddyCasino
https://www.blackhat.com/docs/us-15/materials/us-15-Domas-The-Memory-Sinkhole-Unleashing-An-x86-Design-Flaw-Allowing-Universal-Privilege-Escalation-wp.pdf

======
based2
[https://github.com/xoreaxeaxeax/sinkhole](https://github.com/xoreaxeaxeax/sinkhole)

[https://www.reddit.com/r/netsec/comments/3fz6z6/blackhat_usa...](https://www.reddit.com/r/netsec/comments/3fz6z6/blackhat_usa_2015_presentation_slideswhite_papers/)

[https://news.ycombinator.com/item?id=10024324](https://news.ycombinator.com/item?id=10024324)

[https://news.ycombinator.com/item?id=10020134](https://news.ycombinator.com/item?id=10020134)

[https://news.ycombinator.com/item?id=9663249](https://news.ycombinator.com/item?id=9663249)

~~~
MrBuddyCasino
Thanks. The bug has been fixed from Sandy Bridge onward, it seems.

------
Qantourisc
I must be missing something: but why did they keep reimplementing this in
modern CPUs? (Or did they remove it from modern CPUs?)

~~~
mschuster91
Intel did remove it in the modern CPUs after the author alerted them.

As for why it stuck around until now: backwards compatibility, plus the fact that
CPUs are rather rarely constructed from scratch, but rather evolved upon.

~~~
TazeTSchnitzel
> Intel did remove it in the modern CPUs after the author alerted them.

No, they just added security checks.

------
MrBuddyCasino
tl;dr: x86 processors have an ancient feature (unused by now) that allows
moving the memory window of the APIC registers to an arbitrary address. By
moving this window, it is possible to circumvent built-in hardware security
checks and access the highly privileged System Management Mode (Ring -2) from
Ring 0 code.

~~~
ckv428
thanks

