Bypassing Intel SMEP on Windows 8 x64 Using Return-oriented Programming

Authors: Artem Shishkin, Ilya Smit (Positive Research)

This article presents a way to bypass Intel SMEP security feature on x64 version of Windows 8. It is performed by using return-oriented programming. A way to build a suitable ROP chain is demonstrated below.

SMEP feature doesn’t allow executing a code from a user-mode page in supervisor mode (CPL = 0). Any attempt of executing a code under these circumstances on Windows 8 ends up with a blue screen of death with a bugcheck code “ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY”. For more details on how SMEP is implemented in Windows 8 please refer to [1].

Intel SMEP overview and partial bypass on Windows 8

Author: Artem Shishkin

English whitepaper (PDF): here

Russian whitepaper (PDF): here

1.    Introduction

        With a new generation of Intel processors based on the Ivy Bridge architecture a new security feature has been introduced. It is called SMEP which stands for “Supervisor Mode Execution Prevention”. Basically it prevents execution of a code located on a user-mode page at a CPL = 0. From an attacker’s point of view this feature significantly complicates an exploitation of kernel-mode vulnerabilities because there’s just no place for a shellcode to be stored. Usually while exploiting some kernel-mode vulnerability an attacker would allocate a special user-mode buffer with a shellcode and then trigger vulnerability gaining control of the execution flow and overriding it to execute prepared buffer contents.

        So if an attacker is unable to execute his shellcode, the whole attack is meaningless. Of course, there are some other techniques like return-oriented programming available to exploit vulnerabilities with effective payload. But there are also certain cases when the execution environment allows bypassing the security features when it is not properly configured. Let’s take a closer look to this technology and its software support by Windows 8 operating system which introduces SMEP support.

Vulnerabilities in Android Devices Allowed Stealing Money and Passwords

Artem Chaykin, an expert at the Positive Research Center, has discovered two critical vulnerabilities in Chrome for Google Android. The vulnerabilities threatened the security of the majority of new smartphones and tablets, since Chrome is the main web browser of the system starting from Android 4.1 (Jelly Bean).

By exploiting the first of the said vulnerabilities, an attacker could get access to user data stored in Google Chrome, including clickstream, cookies, web cashe, etc.