Supervisor mode access prevention
Posted Oct 4, 2012 8:43 UTC (Thu) by PaXTeam (guest, #24616)
In reply to: Supervisor mode access prevention by kevinm
Parent article: Supervisor mode access prevention
> The vestigial segmentation support in x86-64 isn't sufficient for that method to work.
i implemented UDEREF on amd64 as well some years ago, but it's a lot less efficient.
> This new hardware feature will work in x86-64 kernels (as you'd expect).
and unfortunately it'll still provide less security than the by then 7-year-old UDEREF/i386 feature in PaX. so SMAP is a step in the right direction, but Intel could have done better, it'd have cost them nothing to make this feature really powerful for certain kernel self-protection purposes. there's some hope that they'll make it better in the next iteration.