SMAP, SMEP and their friends
PaX's UDEREF feature was released in August 2006, with the goal of preventing the kernel from ever accessing userland memory.
Somewhere in 2009, spender wrote PAX_USERCOPY, to add bounds checking on kernel objects when copying into and out of them to userland.
It served as an inspiration for the HARDENED_USERCOPY feature that was upstreamed in mainline Linux 4.8 in 2016.
Before SMAP/SMEP support, OpenBSD didn’t have similar features.
In 2012, Intel's Broadwell CPU came with a new interesting feature: Supervisor Mode Access Prevention (SMAP), to optionally generate a trap when accessing userland memory from supervisor mode. It's complementary to the SMEP feature, which prevents execution of such memory. These additions are an easy replacement for UDEREF on supported hardware.
Linux added support for SMAP in September 2012, and the first release supporting it was Linux 3.7 in December 2012.
OpenBSD added support for SMEP and SMAP in October 2012 thanks to Jonathan Gray, and the first release supporting it was OpenBSD 5.3 in May 2013. SMAP is also supported in OpenBSD’s small kernel since 2017.
It's worth noting that OpenBSD's SMAP usage had a trivial bypass until August 2017, reported by Maxime Villard.
In 2020, OpenBSD 6.8 added support for ARM's PAN; let's hope that they didn't repeat mistakes from others ;)
This is a nice and cheap (since it's implemented in hardware) mitigation, forcing attackers to put their payload into kernel-land instead of simply being able to jump to user-land.
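The access rule that SMEP and SMAP enforce, written out as a small C model. This is an added example, not code from the original page or from any kernel; `struct cpu_state` and `smx_faults` are hypothetical names, the states in `main` are constructed, and only explicit accesses are modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CR4_SMEP  (1u << 20)  /* CR4.SMEP: no supervisor fetch from user pages */
#define CR4_SMAP  (1u << 21)  /* CR4.SMAP: no supervisor data access to user pages */
#define EFLAGS_AC (1u << 18)  /* EFLAGS.AC: set by STAC, cleared by CLAC */

enum access { ACC_READ, ACC_WRITE, ACC_EXEC };

struct cpu_state {            /* hypothetical model, not a kernel structure */
    unsigned cpl;             /* 0 = supervisor, 3 = user */
    uint32_t cr4;
    uint32_t eflags;
};

/* Returns true if SMEP or SMAP turns this access into a page fault. */
bool smx_faults(const struct cpu_state *c, bool user_page, enum access a)
{
    if (c->cpl == 3 || !user_page)
        return false;         /* only supervisor access to user pages is policed */
    if (a == ACC_EXEC)
        return (c->cr4 & CR4_SMEP) != 0;   /* EFLAGS.AC never relaxes SMEP */
    if (!(c->cr4 & CR4_SMAP))
        return false;         /* SMAP is optional: off unless the OS sets the bit */
    /* With SMAP on, data access is legal only inside a STAC/CLAC window,
     * which is how copy routines reach userland on purpose. */
    return (c->eflags & EFLAGS_AC) == 0;
}

int main(void)
{
    /* Constructed states: kernel with both bits set, outside and inside
     * a STAC/CLAC window. */
    struct cpu_state kern = { 0, CR4_SMEP | CR4_SMAP, 0 };
    struct cpu_state copy = { 0, CR4_SMEP | CR4_SMAP, EFLAGS_AC };

    printf("kernel reads user page:      %d\n", smx_faults(&kern, true, ACC_READ));
    printf("kernel jumps to user page:   %d\n", smx_faults(&kern, true, ACC_EXEC));
    printf("copy window reads user page: %d\n", smx_faults(&copy, true, ACC_READ));
    printf("copy window jumps to user:   %d\n", smx_faults(&copy, true, ACC_EXEC));
    return 0;
}
```

The model makes the dependency visible: SMAP protects only while EFLAGS.AC is clear, so a kernel has to keep AC set for no longer than the copy itself.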