SMAP, SMEP and their friends
PaX’ UDEREF feature was released in August
with the goal of preventing the kernel from ever accessing userland memory.
Somewhere in 2009, spender wrote
PAX_USERCOPY, to add bounds checking on
kernel objects when copying to and from userland.
It served as an inspiration for the
HARDENED_USERCOPY feature that was
upstreamed in mainline Linux 4.8 in
Before SMAP/SMEP support, OpenBSD didn’t have similar features.
In 2012, Intel’s Broadwell CPU
came with an interesting new feature:
Supervisor Mode Access Prevention (SMAP),
which optionally generates a trap when userland memory is accessed from supervisor
mode. It’s complementary to the SMEP
feature, which prevents executing userland memory from supervisor mode. These additions are an easy replacement for
UDEREF on supported hardware.
OpenBSD added support for SMEP and SMAP in October 2012 thanks to Jonathan Gray, and the first release supporting it was OpenBSD 5.3 in May 2013. SMAP is also supported in OpenBSD’s small kernel since 2017.
This is a nice and cheap (since it’s implemented in hardware) mitigation, forcing attackers to put their payload into kernel land instead of simply being able to jump to user land.
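To make the two layers described above concrete (SMAP trapping stray supervisor-mode accesses to userland, and PAX_USERCOPY/HARDENED_USERCOPY-style bounds checks on the explicit copy paths), here is an added example that models both in plain C. It is not OpenBSD, PaX or Linux code; the address-space split (`USER_MAX`), the object `example_obj` and the function names are constructed for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model: addresses at or below USER_MAX are userland,
 * everything above is kernel. Not a real OS layout. */
#define USER_MAX 0x00007fffffffffffULL

struct kobj { uintptr_t base; size_t len; };   /* a kernel object with known bounds */

/* Constructed 64-byte kernel object used by the demonstrations below. */
static const struct kobj example_obj = { 0xffff800000100000ULL, 64 };

enum verdict { ACCESS_OK, TRAP_SMAP, DENY_NOT_USER, DENY_OBJECT_BOUNDS };

static bool is_user(uintptr_t a) { return a <= USER_MAX; }

/* True if [addr, addr+len) lies entirely in userland and does not wrap. */
static bool range_is_user(uintptr_t addr, size_t len) {
    if (len == 0) return is_user(addr);
    if (addr > UINTPTR_MAX - (len - 1)) return false;   /* arithmetic wrap */
    return is_user(addr) && is_user(addr + (len - 1));
}

/* True if [addr, addr+len) fits inside object o (the PAX_USERCOPY-style check). */
static bool range_in_object(const struct kobj *o, uintptr_t addr, size_t len) {
    if (addr < o->base || len > o->len) return false;
    return addr - o->base <= o->len - len;
}

/* SMAP model: a supervisor-mode access to a user address traps unless the
 * kernel has explicitly raised the access flag (what STAC does on x86). */
enum verdict smap_access(uintptr_t addr, bool access_flag) {
    if (is_user(addr) && !access_flag) return TRAP_SMAP;
    return ACCESS_OK;
}

/* A copy_from_user-style entry point: the source must be a userland range
 * (so the kernel cannot be tricked into reading its own memory), the
 * destination must stay inside the kernel object, and only then is user
 * memory touched, inside the STAC ... CLAC window. */
enum verdict checked_copy_from_user(const struct kobj *dst_obj, uintptr_t dst,
                                    uintptr_t src, size_t len) {
    if (!range_is_user(src, len)) return DENY_NOT_USER;
    if (!range_in_object(dst_obj, dst, len)) return DENY_OBJECT_BOUNDS;
    return smap_access(src, true);      /* flag raised: the access is allowed */
}
```

A stray dereference of a user pointer outside the copy routine (`smap_access(addr, false)`) is what SMAP turns into a trap; the bounds check is what stops a too-long copy from overflowing the kernel object even when the access itself is legitimate.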