
Researcher Demonstrates Exploiting Machine Check Exceptions for Privilege Escalation
🎬 Christopher Domas presents research on machine check exceptions (MCEs), the hardware exception (vector 18, #MC) that a CPU raises on serious hardware faults such as uncorrectable memory errors or thermal problems. He shows how to generate MCEs on demand on x86 systems by reconfiguring the Northbridge: flipping three configuration bits turns otherwise benign PCIe master aborts into non-maskable MCEs. The target is System Management Mode (SMM), a privileged CPU mode whose memory is invisible to the OS. On the AMD processors studied, the IDTR is not reloaded when the CPU enters SMM, so an MCE that lands during the SMM transition is dispatched through the OS-controlled IDT, letting a ring-0 attacker run their own handler inside SMM. Domas built MC Hammer, a tool that fires a cross-core MCE with the timing precision needed to hit that window (about 100 cycles), and used it to escalate privileges, demonstrated by dumping SMM's protected memory (SMRAM), which contained firmware secrets, USB drivers, and code that talks to the AMD Platform Security Processor (PSP). The research highlights a weakness in SMM's exception handling, particularly on AMD CPUs, and proposes mitigations such as patching EDK2 firmware to load the SMM IDT earlier in the entry path. Although spontaneous MCEs are rare, the technique exposes a new attack surface in hardware exception handling.
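The core of the bug is easy to lose in prose, so here is an added illustration (not code from the talk or from MC Hammer): a small C model of an x86-64 IDT in which the OS points the #MC gate at its own handler, an SMI arrives, and a machine check fires before the firmware has installed its own table. The gate encoding is the architectural 16-byte interrupt-gate format; the SMM-entry model, the handler addresses, and the segment selectors are constructed assumptions for the example, and the "cross-core MCE" is modelled simply as a dispatch of vector 18 while the OS table is still live. No real MCE is generated and nothing here touches hardware.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* x86-64 interrupt gate descriptor (16 bytes), as laid out in the Intel SDM
   and AMD APM. Everything below that *uses* these gates is a simplified model
   written for this example, not firmware or exploit code. */
typedef struct {
    uint16_t offset_lo;   /* handler RIP bits 15:0 */
    uint16_t selector;    /* code segment selector the handler runs with */
    uint8_t  ist;         /* bits 2:0 = IST index, remaining bits zero */
    uint8_t  type_attr;   /* P(bit7) DPL(6:5) 0 type(3:0); 0x8E = present, DPL0, 64-bit intr gate */
    uint16_t offset_mid;  /* RIP bits 31:16 */
    uint32_t offset_hi;   /* RIP bits 63:32 */
    uint32_t reserved;
} __attribute__((packed)) idt_gate_t;

typedef struct { uint16_t limit; uint64_t base; } __attribute__((packed)) idtr_t;

#define VEC_MC      18    /* #MC, the machine-check exception vector */
#define IDT_ENTRIES 256

static idt_gate_t os_idt[IDT_ENTRIES];        /* table owned by the OS (ring 0 = attacker) */
static idt_gate_t firmware_idt[IDT_ENTRIES];  /* table SMM is supposed to install for itself */
static idtr_t cpu_idtr;                       /* modelled IDTR: whatever lidt last loaded */

/* Encode a 64-bit interrupt gate for `handler`. */
static void set_gate(idt_gate_t *g, uint64_t handler, uint16_t cs)
{
    memset(g, 0, sizeof *g);
    g->offset_lo  = (uint16_t)(handler & 0xFFFF);
    g->selector   = cs;
    g->type_attr  = 0x8E;
    g->offset_mid = (uint16_t)((handler >> 16) & 0xFFFF);
    g->offset_hi  = (uint32_t)(handler >> 32);
}

/* Reassemble the handler RIP from the three split offset fields. */
static uint64_t gate_handler(const idt_gate_t *g)
{
    return (uint64_t)g->offset_lo
         | ((uint64_t)g->offset_mid << 16)
         | ((uint64_t)g->offset_hi  << 32);
}

/* Modelled LIDT: point IDTR at `table`. */
static void lidt(idt_gate_t *table)
{
    cpu_idtr.base  = (uint64_t)(uintptr_t)table;
    cpu_idtr.limit = (uint16_t)(sizeof(idt_gate_t) * IDT_ENTRIES - 1);
}

/* Where would the CPU go for vector `vec` right now? Like hardware, this reads
   through IDTR, not through any particular table. Returns 0 if the gate is
   not present (a real CPU would raise #NP/#GP instead). */
static uint64_t dispatch(uint8_t vec)
{
    const idt_gate_t *t = (const idt_gate_t *)(uintptr_t)cpu_idtr.base;
    if (!(t[vec].type_attr & 0x80))
        return 0;
    return gate_handler(&t[vec]);
}

/* Scenario: the OS points #MC at `attacker_handler` and loads its IDT; an SMI
   arrives; a cross-core MCE lands inside the SMM-entry window. On the modelled
   AMD behaviour the CPU enters SMM without touching IDTR, so unless the entry
   code reloads the IDT first (the proposed mitigation), the machine check is
   dispatched to whatever the OS put in vector 18. Returns the RIP reached. */
static uint64_t mce_during_smm_entry(uint64_t attacker_handler,
                                     uint64_t fw_handler,
                                     bool reload_idt_first)
{
    set_gate(&os_idt[VEC_MC],       attacker_handler, 0x08);  /* assumed OS code selector  */
    set_gate(&firmware_idt[VEC_MC], fw_handler,       0x38);  /* assumed SMM code selector */
    lidt(os_idt);                         /* OS table is live when the SMI fires */
    if (reload_idt_first)                 /* mitigation: install SMM's own IDT at entry */
        lidt(firmware_idt);
    return dispatch(VEC_MC);              /* the MCE hits inside the window */
}

int main(void)
{
    const uint64_t attacker = 0xffffffff81000000ULL;  /* constructed ring-0 handler address */
    const uint64_t firmware = 0x000000007bf00000ULL;  /* constructed SMRAM handler address */
    printf("no IDT reload at SMM entry: #MC -> %#llx (attacker)\n",
           (unsigned long long)mce_during_smm_entry(attacker, firmware, false));
    printf("IDT reloaded at SMM entry:  #MC -> %#llx (firmware)\n",
           (unsigned long long)mce_during_smm_entry(attacker, firmware, true));
    return 0;
}
```

The model leaves out everything that makes the real attack hard, namely provoking the MCE from the Northbridge and landing it in a window of roughly 100 cycles on another core, and only shows why the window matters: between SMI delivery and the firmware's own LIDT, vector 18 still resolves through a table the OS controls.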