PRACTICAL INTEL SMEP BYPASS TECHNIQUES ON LINUX presented at Ruxcon 2015

by Vitaly Nikolenko,

Summary : The Linux kernel has always been an appealing target for exploit developers due to the exploitation complexity associated with user space processes (ASLR, NX, Canaries, Fortify, RELRO, etc.). Common ret2usr (return-to-user) attacks typically redirect kernel control flow to data residing in user space: a corrupted function or data structure pointer that triggers a privilege escalation payload in user space. These attacks were successful until around 2013 before the introduction of 3rd generation Intel Core processors (Ivy Bridge) with SMEP support. SMEP (Supervisor Mode Execution Protection) is a hardware feature that prevents attempts to execute code (at CPL = 0) residing in user space pages. This kernel-hardening approach is now widely adopted and effectively mitigates common exploitation patterns of kernel vulnerabilities.
This presentation introduces practical Linux SMEP bypasses involving in-kernel ROP and spraying techniques. We will demonstrate how to convert an existing exploit code to a fully weaponised SMEP-aware exploit. This talk will concentrate on a specific kernel vulnerability and OS version to demonstrate the bypass but the exploitation techniques presented are generic and can be applied to other Operating Systems that employ explicit sharing of the virtual address space among user processes and the kernel.