Earlier today there was an excellent blog post about bypassing SMAP (or KERNEXEC, the PaX implementation shipped in the Grsecurity patch) in the Linux kernel using JIT spraying. SMAP is the latest mitigation technique implemented in hardware, in Intel's Ivy Bridge processors. The goal of SMAP is to prevent "supervisory code", i.e. the kernel, from executing pages that exist in userland.
JIT'd code doesn't get the same exploit mitigation techniques applied to it, because of its nature: it has to be executable, for example. It just so happens that there is JIT'd code in the Linux kernel, the Berkeley Packet Filter JIT (BPF is what Chrome's seccomp sandbox is built on), and that you can hack your way into the kernel through it.
It's a great demonstration of JIT spraying to bypass modern mitigation techniques, and even though a full PaX/Grsecurity-enabled kernel almost certainly would have prevented it, Brad Spengler decided to take it further by implementing a new mitigation to harden BPF against attack. Mind you, he took about 30 minutes to do so.
This is why Grsecurity is at the forefront of security. The PaX team and Spender are consistently providing mitigation techniques that work to remove entire classes of vulnerabilities. Grsecurity/PaX has basically been ten steps ahead of every software security implementation, so watch that project if you want to know what defense is going to look like in a few years.
For what it’s worth there’s JIT’d code in the Windows kernel as well.