The concept of SMEP and bypassing it
As technology evolves and becomes more powerful in order to make our lives easier, it also becomes a complex mechanism that is too complicated for developers to control in every aspect. Fully maintaining a complex technology is therefore almost impossible, and vulnerabilities or bugs always appear, which become an opportunity for hackers to exploit them and profit from them. The same applies to the Kernel, the fundamental system in any computer for managing the communication between hardware and software (despite the fact that it is a very old design). As the Kernel evolved, Kernel engineers tried to secure it with many different features, and one of those approaches is SMEP, which was first introduced in 2010. SMEP is described by a one-bit variable in the Kernel, which basically shows whether it is enabled or disabled. In this post, I will explain the simple idea behind SMEP and describe different ways it can be bypassed in Windows and Linux.
So, SMEP (`Supervisor Mode Execution Prevention`), as the name states, helps the Kernel prevent non-privileged user-space code or commands from being executed while the processor is running in Kernel mode. Let’s see in detail how it works.
The memory where all processes (note: the Kernel itself is also a kind of process) are stored and executed is divided into two spaces: the Kernel space (which is about ~800MB on Linux x86) and the user space, where all user-defined commands and code are stored. It was designed this way to isolate the Kernel for security reasons. The difference between user space and Kernel space is that Kernel space is more privileged: it is able to communicate directly with the processor core and execute powerful commands. Basically, if you are able to execute commands in Kernel space, you are able to read any data stored on the computer or crash the whole system. Thus, SMEP always detects and prevents the execution of code that was defined by a regular user and then raises a page fault. Page faults are not really important for this post, but you can think of one as simply telling the OS that some error happened within the Kernel. Every OS handles page faults in its own way; for example, Windows shows the blue error screen when it encounters a PAGE_FAULT, which must be very familiar to many of you.
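To make the rule above concrete, here is a small added example (my own code, not part of the original post) that checks whether a Linux CPU advertises SMEP from a constructed `/proc/cpuinfo` excerpt and models the instruction-fetch check; it assumes, from Intel's documentation rather than from this post, that the SMEP enable bit is bit 20 of CR4 and that CPL 3 means user mode.

```python
"""Model of the SMEP check plus a feature-flag audit (added example).

Assumptions not stated on the page: CR4 bit 20 is the SMEP enable bit on
x86 (Intel SDM), CPL 3 is user mode, and the cpuinfo text is constructed.
"""

CR4_SMEP_BIT = 20  # CR4.SMEP per the Intel SDM; the post's "one-bit variable"

# Constructed /proc/cpuinfo excerpt, not captured from a real machine
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae nx lm smep smap
"""


def cpu_flags(cpuinfo_text):
    """Collect the feature flags listed in a /proc/cpuinfo dump."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            flags.update(value.split())
    return flags


def smep_supported(cpuinfo_text):
    """True when the CPU advertises the smep feature flag."""
    return "smep" in cpu_flags(cpuinfo_text)


def smep_enabled(cr4):
    """Read the one-bit SMEP switch out of a CR4 register value."""
    return bool((cr4 >> CR4_SMEP_BIT) & 1)


def instruction_fetch_faults(cr4, cpl, page_is_user):
    """Page-fault rule the MMU applies on an instruction fetch: with SMEP
    set, supervisor-mode execution (CPL < 3) of a page whose U/S bit marks
    it user-accessible raises #PF. Otherwise the fetch proceeds."""
    return smep_enabled(cr4) and cpl < 3 and page_is_user


def audit_linux_host(path="/proc/cpuinfo"):
    """Run the flag check against the live host; False if unreadable."""
    try:
        with open(path) as f:
            return smep_supported(f.read())
    except OSError:
        return False
```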
Before SMEP was introduced, there were many ways to exploit the Kernel, but mostly through the well-known stack buffer overflow. Unfortunately, there are still some tricky ways to disable SMEP or execute the attacker’s code within Kernel space itself. I will introduce them using two different OSs, Windows 10 64-bit and Linux x86.