Breaking Bits
Supervisor Mode Access Prevention (SMAP)

Last updated 3 years ago

Supervisor Mode Access Prevention is a mitigation that prevents the CPU, while executing in kernel mode, from accessing (reading or writing) user-mode memory.

There is a SMAP bit in the CR4 control register that dictates whether user-space memory may be accessed while the processor is in a privileged mode. If the bit is set and the processor attempts to access a user-space region of memory, the access raises a page fault that is reported as a SMAP violation and results in a kernel oops.

This means that a ROP chain can't be stored in userspace; otherwise a SMAP violation will occur. Throughout this exploit series the chain has been stored in kernel space, so the existing exploit will still work when SMAP protection is added.
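When a SMAP violation does fire, the oops output is what you get to work with: the CR4 value tells you which supervisor-mode protections were on, CR2 holds the faulting address, and the segment in the `RIP:` line tells you whether the fault came from kernel mode. The following triage helper is an added example (not part of this gitbook); it decodes the SMEP and SMAP bits of CR4 (bits 20 and 21 per the Intel SDM) and classifies a constructed oops, which is not a real crash log.

```python
import re

# CR4 bit positions per the Intel SDM (Vol. 3, control registers).
CR4_BITS = {"SMEP": 20, "SMAP": 21, "PKE": 22}
# Top of the user half of a 48-bit x86_64 address space.
USER_SPACE_TOP = 0x00007FFFFFFFFFFF


def decode_cr4(cr4):
    """Map a CR4 value to {feature: enabled} for the supervisor-mode protections."""
    return {name: bool((cr4 >> bit) & 1) for name, bit in CR4_BITS.items()}


def parse_oops(text):
    """Extract CR2, CR4 and the code segment of the faulting RIP from oops text."""
    regs = {}
    for name in ("CR2", "CR4"):
        m = re.search(rf"{name}:\s*([0-9a-fA-F]+)", text)
        if m:
            regs[name] = int(m.group(1), 16)
    m = re.search(r"RIP:\s*([0-9a-fA-F]{4}):", text)  # "RIP: 0010:" -> CS = 0x10
    if m:
        regs["CS"] = int(m.group(1), 16)
    return regs


def triage(text):
    """Classify an oops: did SMAP block a kernel-mode access to a user address?"""
    regs = parse_oops(text)
    if not {"CR2", "CR4", "CS"} <= set(regs):
        return "incomplete oops: need RIP, CR2 and CR4 lines"
    prot = decode_cr4(regs["CR4"])
    in_kernel = (regs["CS"] & 3) == 0          # CPL 0 == supervisor mode
    user_addr = regs["CR2"] <= USER_SPACE_TOP  # faulting address in the user half
    if in_kernel and user_addr and prot["SMAP"]:
        return "likely SMAP violation: kernel touched user address 0x%016x" % regs["CR2"]
    if in_kernel and user_addr:
        return "kernel touched a user address with SMAP off: plain fault, check the mapping"
    if not in_kernel:
        return "fault from user mode: not a supervisor-mode protection event"
    return "kernel-space fault: unrelated to SMAP"


# Constructed sample (not a real crash): kernel CS, user-half CR2, SMEP+SMAP set in CR4.
SAMPLE_OOPS = """\
RIP: 0010:ret_from_fork+0x1f/0x30
CR2: 00007ffd3c0a1000 CR3: 000000000b2e8000 CR4: 00000000003706f0
"""

if __name__ == "__main__":
    print(decode_cr4(0x3706F0), triage(SAMPLE_OOPS))
```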

SMAP was introduced by Intel.