SMEP / SMAP
What is SMEP / SMAP?
SMEP and SMAP are CPU features that prevent the kernel from executing or accessing user-space pages, blocking common local privilege-escalation techniques.
Supervisor Mode Execution Prevention (SMEP) and Supervisor Mode Access Prevention (SMAP) are x86_64 features introduced by Intel with Ivy Bridge (SMEP, 2012) and Broadwell (SMAP, 2014); ARM has equivalents called PXN and PAN. SMEP makes the CPU fault if the kernel fetches instructions from a user-mapped page, defeating ret2usr attacks. SMAP makes the CPU fault on any kernel read or write of a user page unless the kernel has temporarily set EFLAGS.AC with stac (and clears it again with clac); on Linux this happens inside the copy_from_user wrappers. Together they remove a large class of kernel exploits that previously pivoted into shellcode or data placed in user memory. They complement KASLR, kCFI, KPTI and CET.
● Examples
- 01: A kernel exploit triggering #PF when it jumps to a user-space shellcode page on a SMEP CPU.
- 02: Linux copy_from_user using stac/clac to access user buffers under SMAP.
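An added defensive check, not code from the original page: a Python audit helper that reports whether SMEP and SMAP are supported and active on a Linux host, using the /proc/cpuinfo flag names, the kernel command-line parameters nosmep/nosmap, and, when a kernel oops dump is available, the CR4 control register value (SMEP is CR4 bit 20 and SMAP bit 21 per the Intel SDM). The sample inputs and the function names are constructed for this example.

```python
import re

# Bits of the CR4 control register that switch the features on (Intel SDM vol. 3).
CR4_SMEP = 1 << 20
CR4_SMAP = 1 << 21


def cpu_flags(cpuinfo_text):
    """Feature flags from the first 'flags' line of /proc/cpuinfo."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def cr4_from_oops(oops_text):
    """CR4 from a kernel oops register dump line such as 'CR4: 00000000003706e0'."""
    m = re.search(r"\bCR4:\s*([0-9a-fA-F]+)", oops_text)
    return int(m.group(1), 16) if m else None


def assess(cpuinfo_text, cmdline, oops_text=None):
    """Per feature: cpuinfo flag present, disabled via nosmep/nosmap, and active.

    Linux drops the cpuinfo flag when booted with nosmep/nosmap, so the command
    line separates 'CPU lacks it' from 'disabled at boot'; a CR4 value from an
    oops, when available, is taken as authoritative for 'active'.
    """
    flags = cpu_flags(cpuinfo_text)
    params = set(cmdline.split())
    cr4 = cr4_from_oops(oops_text) if oops_text else None
    report = {}
    for name, bit in (("smep", CR4_SMEP), ("smap", CR4_SMAP)):
        present = name in flags
        disabled = ("no" + name) in params
        active = bool(cr4 & bit) if cr4 is not None else (present and not disabled)
        report[name] = {"cpu_flag": present, "disabled_at_boot": disabled, "active": active}
    return report


def missing(report):
    """Names of features that are not active, for an audit finding."""
    return [n for n, r in report.items() if not r["active"]]


# Constructed sample inputs, not captured from a real host.
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu pae nx lm smep smap\n"
SAMPLE_CPUINFO_WEAK = "processor\t: 0\nflags\t\t: fpu pae nx lm smep\n"
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
SAMPLE_CMDLINE_WEAK = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro nosmap"
SAMPLE_OOPS = "RIP: 0010:example_fn+0x1/0x10\nCR4: 00000000001706e0\n"

if __name__ == "__main__":
    print("hardened:", missing(assess(SAMPLE_CPUINFO, SAMPLE_CMDLINE)))
    print("nosmap:", missing(assess(SAMPLE_CPUINFO_WEAK, SAMPLE_CMDLINE_WEAK, SAMPLE_OOPS)))
```

On a live host, feed it the contents of /proc/cpuinfo and /proc/cmdline; a virtualised guest may not see the flags if the hypervisor hides them, which the report shows as an absent cpu_flag.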
● Frequently asked questions
What is SMEP / SMAP?
SMEP and SMAP are CPU features that prevent the kernel from executing or accessing user-space pages, blocking common local privilege-escalation techniques. It belongs to the Application Security category of cybersecurity.
How do you defend against SMEP / SMAP?
SMEP and SMAP are themselves defensive controls rather than something to defend against: the operational practice is to run on hardware that supports them, keep them enabled, and combine them with the complementary mitigations named above (KASLR, kCFI, KPTI and CET).
What are other names for SMEP / SMAP?
Common alternative names include SMEP and SMAP; the ARM equivalents are PXN and PAN.
● Related terms
- KASLR (appsec № 581): Kernel Address Space Layout Randomization (KASLR) randomizes the kernel base and module load addresses each boot so attackers cannot hardcode kernel symbols for local privilege escalation.
- Control-Flow Integrity (appsec № 217): Control-Flow Integrity (CFI) constrains a program's indirect calls and returns to a precomputed set of legitimate targets, blocking ROP and JOP exploits that hijack control flow.
- Intel CET (appsec № 545): Intel CET (Control-flow Enforcement Technology) is a CPU feature combining a hardware shadow stack and Indirect Branch Tracking (IBT) to block ROP, JOP and COP exploits.
- Memory Safety (appsec № 670): Memory safety is the property that a program never reads, writes, or executes memory it has not legitimately allocated, preventing entire classes of vulnerabilities.
- DEP (appsec № 303): Data Execution Prevention (also called NX or W^X) marks memory pages as non-executable so attackers cannot run shellcode injected into the stack or heap.
- Return-Oriented Programming (appsec № 925): Return-Oriented Programming (ROP) is a code-reuse exploit technique that chains short instruction sequences ending in RET to execute arbitrary computation without injecting new code.