With Intel's new Ivy Bridge architecture came a new hardware-based security feature. It is called Intel SMEP.
It adds a headache when exploiting kernel-mode vulnerabilities: like the NX bit, it prevents code execution on a memory page.
Microsoft, in turn, added SMEP support to Windows 8, making the OS more secure. However, the first, "head-on" implementation of SMEP support shipped with a small defect, through which an attacker can still exploit vulnerabilities relatively painlessly.
What is SMEP?
SMEP stands for "Supervisor Mode Execution Protection": protection against code execution while in supervisor mode. Supervisor mode is the privileged operating mode of the processor, in which the Windows 8 kernel runs. In operating-system terms it is called kernel mode. Its opposite is user mode, in which user applications execute.
OS protection rests on the fact that user applications cannot perform privileged operations, such as input/output or access to the processor's control registers. In addition, the memory used by kernel mode is protected against access from user mode: a user application can neither read, modify nor execute code in kernel memory directly. Interaction with the OS kernel happens indirectly, through the system call interface.
Privileged mode, in turn, has no such restrictions unless SMEP is present. If SMEP is enabled, any attempt to execute code located in a user application's memory generates a page fault. In particular, the Windows 8 page fault handler turns this situation into a bugcheck.
Simply put, if any driver or kernel module tries to execute code located in user application memory, it all ends in a blue screen of death with a sad smiley.
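As an added illustration that is not part of the original article, the following C model shows the permission decision described above for a single page-table entry: NX forbids execution from a page in every mode, while SMEP forbids only supervisor-mode instruction fetches from user pages and leaves data reads and writes alone. The flag names follow the Intel manuals; the PTE values and the scenarios in main() are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Leaf page-table entry bits (NX is bit 63 in a real PTE; packed here). */
#define PTE_P  (1u << 0)  /* present */
#define PTE_RW (1u << 1)  /* writable */
#define PTE_US (1u << 2)  /* 1 = user page, 0 = supervisor-only page */
#define PTE_NX (1u << 3)  /* execute-disable */

enum access { ACC_READ, ACC_WRITE, ACC_EXEC };
enum mode   { MODE_USER, MODE_SUPERVISOR };

/* Returns true if the access proceeds, false if the CPU raises #PF.
 * cr4_smep models the CR4.SMEP bit; CR0.WP is modelled as set, so a
 * supervisor write to a read-only page also faults. */
bool access_allowed(uint32_t pte, enum mode cpl, enum access acc, bool cr4_smep)
{
    bool user_page = (pte & PTE_US) != 0;
    if (!(pte & PTE_P))
        return false;                /* not-present fault */
    if (cpl == MODE_USER && !user_page)
        return false;                /* user code may not touch kernel pages */
    if (acc == ACC_WRITE && !(pte & PTE_RW))
        return false;                /* write to a read-only page */
    if (acc == ACC_EXEC) {
        if (pte & PTE_NX)
            return false;            /* NX: no execution from this page in any mode */
        if (cr4_smep && cpl == MODE_SUPERVISOR && user_page)
            return false;            /* SMEP: kernel instruction fetch from a user page */
    }
    return true;                     /* note: SMEP never blocks data reads or writes */
}

int main(void)
{
    /* Constructed scenario: code staged in a writable, executable
     * user-mode page that a kernel-mode driver is then tricked into running. */
    uint32_t user_code_page = PTE_P | PTE_RW | PTE_US;
    printf("kernel exec of user page, SMEP off: %s\n",
           access_allowed(user_code_page, MODE_SUPERVISOR, ACC_EXEC, false) ? "runs" : "#PF");
    printf("kernel exec of user page, SMEP on : %s\n",
           access_allowed(user_code_page, MODE_SUPERVISOR, ACC_EXEC, true) ? "runs" : "#PF");
    printf("kernel read of user page, SMEP on : %s\n",
           access_allowed(user_code_page, MODE_SUPERVISOR, ACC_READ, true) ? "ok" : "#PF");
    printf("user exec of NX page              : %s\n",
           access_allowed(user_code_page | PTE_NX, MODE_USER, ACC_EXEC, true) ? "runs" : "#PF");
    return 0;
}
```

On Windows 8 the second case is the one the text describes: the #PF reaches the kernel's page fault handler, which raises a bugcheck.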
What’s the point?
Kernel-mode vulnerabilities are the most "delicious" to an attacker, because successful exploitation gives full control over the target system. The point is that when exploiting a kernel-mode vulnerability, the attacker typically places the shellcode in user-mode memory.
"But now kernel mode cannot execute code from user memory pages!"
It was with exactly this train of thought by the attacker in mind that the technology was designed. It can protect the end user from a whole class of attacks, provided its implementation is carried through properly and its "rear" is covered by other security mechanisms.