SMEP / SMAP
What is SMEP / SMAP?
SMEP and SMAP are CPU features that prevent the kernel from executing or accessing user-space pages, blocking common local privilege-escalation techniques.
Supervisor Mode Execution Prevention (SMEP) and Supervisor Mode Access Prevention (SMAP) are x86_64 features introduced by Intel in Ivy Bridge (SMEP, 2012) and Broadwell (SMAP, 2014); ARM has equivalents called PXN and PAN. SMEP causes the CPU to fault if the kernel tries to fetch instructions from a user-mapped page, defeating ret2usr attacks. SMAP faults on any kernel read or write to user pages unless the kernel temporarily sets EFLAGS.AC with stac and clears it again with clac (Linux does this inside its copy_from_user wrappers). Together they remove a large class of kernel exploits that previously pivoted into shellcode or data placed in user memory. They complement KASLR, kCFI, KPTI and CET.
● Examples
- 01
A kernel exploit triggering #PF when it jumps to a user-space shellcode page on a SMEP CPU.
- 02
Linux copy_from_user using stac/clac to access user buffers under SMAP.
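The two examples above, as an added illustration that is not code from this page or from the Linux kernel: a user-space C model of the SMEP/SMAP permission check. The struct layouts and the `implicit` flag are simplifications of the Intel SDM rules, and `naive_kernel_read`, `model_copy_from_user` and `ret2usr_faults` are hypothetical names. It shows why a raw kernel read of a user buffer faults under SMAP while a stac/clac wrapper does not, and why the same user-mapped shellcode page executes on a pre-SMEP CPU but raises #PF with SMEP enabled.

```c
/* Added example (not from the page): a user-space C model of the x86
 * SMEP/SMAP checks. Struct names and the "implicit" flag are illustrative
 * simplifications of the Intel SDM rules; no real page tables are touched. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum access { ACC_FETCH, ACC_READ, ACC_WRITE };

struct cpu {
    bool cr4_smep;   /* CR4.SMEP: supervisor fetch from a user page faults */
    bool cr4_smap;   /* CR4.SMAP: supervisor data access to a user page faults */
    bool cr0_wp;     /* CR0.WP: supervisor writes honour the R/W bit */
    bool eflags_ac;  /* EFLAGS.AC: set by stac, cleared by clac (CPL 0 only) */
    unsigned cpl;    /* current privilege level: 0 = kernel, 3 = user */
};

struct page {
    bool present;    /* P bit */
    bool user;       /* U/S bit: 1 = user-accessible */
    bool writable;   /* R/W bit */
    bool nx;         /* XD bit */
};

/* True if the access raises #PF. Supervisor mode follows the SDM:
 *  - SMEP: CPL<3 instruction fetch from a U/S=1 page faults.
 *  - SMAP: CPL<3 data access to a U/S=1 page faults unless EFLAGS.AC=1;
 *    implicit accesses (descriptor tables, etc.) fault regardless of AC. */
bool page_fault(const struct cpu *c, const struct page *p, enum access a, bool implicit)
{
    if (!p->present)
        return true;
    if (c->cpl == 3) {                           /* user mode */
        if (!p->user) return true;               /* kernel page */
        if (a == ACC_WRITE && !p->writable) return true;
        if (a == ACC_FETCH && p->nx) return true;
        return false;
    }
    if (a == ACC_FETCH) {                        /* supervisor fetch */
        if (p->nx) return true;
        return p->user && c->cr4_smep;           /* SMEP blocks ret2usr here */
    }
    if (p->user && c->cr4_smap && (implicit || !c->eflags_ac))
        return true;                             /* SMAP */
    if (a == ACC_WRITE && !p->writable && c->cr0_wp)
        return true;
    return false;
}

/* Naive kernel read of a user buffer: no stac, so it faults under SMAP. */
bool naive_kernel_read(struct cpu *c, const struct page *user_pg)
{
    c->cpl = 0;
    return page_fault(c, user_pg, ACC_READ, false);
}

/* Model of the copy_from_user pattern: stac, copy, clac. Returns the number
 * of bytes NOT copied (0 on success), matching the Linux convention. */
size_t model_copy_from_user(struct cpu *c, const struct page *user_pg, size_t n)
{
    c->cpl = 0;
    c->eflags_ac = true;                         /* stac */
    size_t left = page_fault(c, user_pg, ACC_READ, false) ? n : 0;
    c->eflags_ac = false;                        /* clac: never leave AC set */
    return left;
}

/* ret2usr: kernel control flow lands on a user-mapped code page. */
bool ret2usr_faults(struct cpu *c, const struct page *user_code)
{
    c->cpl = 0;
    return page_fault(c, user_code, ACC_FETCH, false);
}

int main(void)
{
    /* constructed sample state: one executable user page, two CPU generations */
    struct page shellcode = { .present = true, .user = true, .writable = true, .nx = false };
    struct cpu old    = { .cr4_smep = false, .cr4_smap = false, .cr0_wp = true, .eflags_ac = false, .cpl = 0 };
    struct cpu modern = { .cr4_smep = true,  .cr4_smap = true,  .cr0_wp = true, .eflags_ac = false, .cpl = 0 };

    printf("ret2usr, pre-Ivy Bridge: %s\n", ret2usr_faults(&old, &shellcode) ? "#PF" : "executes");
    printf("ret2usr, SMEP:           %s\n", ret2usr_faults(&modern, &shellcode) ? "#PF" : "executes");
    printf("raw user read, SMAP:     %s\n", naive_kernel_read(&modern, &shellcode) ? "#PF" : "ok");
    printf("copy_from_user, SMAP:    %zu bytes left\n", model_copy_from_user(&modern, &shellcode, 64));
    printf("AC after copy:           %d\n", modern.eflags_ac);
    return 0;
}
```

The `implicit` parameter is what makes the model useful beyond the two listed examples: the SDM allows stac to open only explicit data accesses, so a supervisor access that the CPU performs on its own (descriptor-table reads, for instance) still faults on a user page even while AC is set.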
● Frequently asked questions
What is SMEP / SMAP?
SMEP and SMAP are CPU features that prevent the kernel from executing or accessing user-space pages, blocking common local privilege-escalation techniques. This entry belongs to the Application Security category of cybersecurity.
What does SMEP / SMAP mean?
SMEP and SMAP are CPU features that prevent the kernel from executing or accessing user-space pages, blocking common local privilege-escalation techniques.
How do you defend against SMEP / SMAP?
Defences for SMEP / SMAP typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for SMEP / SMAP?
Common alternative names include: SMEP, SMAP, PXN, PAN.