SMEP - Supervisor Mode Execution Protection

Theory
Supervisor Mode Execution Prevention (SMEP) can be used to prevent the supervisor mode from unintentionally executing user space code. for example kernel pointers (symbols) found in /proc/kallsyms can not be used without bypass.
Smep activation
By default in a linux system the cpu protection is activated via the control register the smep protection is activated via the CR4
By setting the 20th bit to 1 in the CR4 register smep is enabled. On linux a function implemented in the kernel has the role to assign the right value to the CR4 register according to the activated protection
View if smep is activated
grep "smep" /proc/cpuinfo | head -1
Disable smep
kernel boot parameter to disable smep with flag nosmep
Refererences
EN
​https://defaultsec.eu/articles/kernel-exploit/world-of-kernel-in-pwn​
​https://lkmidas.github.io/posts/20210128-linux-kernel-pwn-part-2/#adding-smep​
​https://en.wikipedia.org/wiki/Supervisor_Mode_Access_Prevention​

SMAP - Supervisor Mode Access Prevention

mmap_min_addr

Last modified 1yr ago