Linux Kernel To Better Fend Off Exploits That Disable SMAP / SMEP / UMIP Protections

Written by Michael Larabel in Linux Kernel on 23 February 2019 at 07:47 AM EST.
A Linux kernel change from Google engineers will make it harder for exploits on Linux to disable SMAP and SMEP protections as part of their exploit path.

Supervisor Mode Execution Protection (SMEP) and Supervisor Mode Access Prevention (SMAP) are security features of recent generations of Intel CPUs that prevent the kernel from accessing unintended user-space memory, which in turn helps fend off various exploits. But some exploits have been calling the Linux kernel's native_write_cr4 function to disable SMEP/SMAP, since the status of these security options is controlled through bits in the CR4 control register.

With a new patch now pending in the tip tree ahead of the Linux 5.1 kernel cycle, the bits for SMEP and SMAP as well as UMIP are pinned so they can no longer be easily altered. UMIP, meanwhile, is the User-Mode Instruction Prevention feature, which prevents execution of certain instructions at higher (less privileged) privilege levels; its behavior too is controlled via a CR4 bit.

Google's Project Zero previously demonstrated an exploit path that used this CR4 kernel function to disable SMAP/SMEP protection before proceeding with its nefarious activities. Now, thanks to Google engineers, these SMAP/SMEP/UMIP bits are pinned within the native_write_cr4 function so they can't be trivially disabled from that call on supported CPUs.
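
The pinning idea described above, as an added user-space model in C (not the kernel patch and not code from this article): a write to a simulated CR4 puts back any pinned bit the caller left out and reports which bits were missing. The CR4 bit positions are the architectural ones; sim_cr4, cr4_pinned, setup_pinning, pinned_write_cr4 and read_cr4 are hypothetical names, and the CPU feature set in main() is constructed.

```c
#include <stdio.h>

/* CR4 bit positions as defined by the x86 architecture. */
#define X86_CR4_UMIP (1UL << 11)
#define X86_CR4_SMEP (1UL << 20)
#define X86_CR4_SMAP (1UL << 21)

static unsigned long sim_cr4;     /* stand-in for the real CR4 register   */
static unsigned long cr4_pinned;  /* bits that must stay set once enabled */

/* Pin only the protections the (simulated) CPU supports, and enable them. */
void setup_pinning(unsigned long cpu_features)
{
    cr4_pinned = cpu_features & (X86_CR4_UMIP | X86_CR4_SMEP | X86_CR4_SMAP);
    sim_cr4 |= cr4_pinned;
}

/*
 * Model of a pinned CR4 write: any pinned bit absent from the requested
 * value is restored before the value is committed. The return value is
 * the set of bits the caller tried to clear, so the attempt can be logged.
 */
unsigned long pinned_write_cr4(unsigned long val)
{
    unsigned long missing = ~val & cr4_pinned;

    sim_cr4 = val | missing;
    return missing;
}

unsigned long read_cr4(void)
{
    return sim_cr4;
}

int main(void)
{
    /* Constructed CPU: supports SMEP and SMAP but not UMIP. */
    setup_pinning(X86_CR4_SMEP | X86_CR4_SMAP);

    /* A caller asks for the current value with SMEP and SMAP cleared. */
    unsigned long want = read_cr4() & ~(X86_CR4_SMEP | X86_CR4_SMAP);
    unsigned long missing = pinned_write_cr4(want);

    printf("tried to clear 0x%lx, CR4 is still 0x%lx\n", missing, read_cr4());
    return 0;
}
```

In this model a bit that the CPU does not support is never pinned, which matches the article's "on supported CPUs" qualifier.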