The Intel x86 architecture supports a feature known as Supervisor Mode Execution Protection (SMEP). Each virtual address entry of a page table may indicate whether SMEP is enabled for that virtual address. When SMEP is enabled for a virtual address, a fault is generated if code stored at that virtual address is executed in a higher priority mode (or “Ring”, as it is known in technical parlance) than the priority associated with the code and data stored at that address.
For example, the highest priority mode is commonly referred to as Ring 0. Ring 0 may also be referred to as kernel mode or supervisor mode. A lower priority mode is Ring 3, which is also known as user mode. When a user stores code or data in memory, the stored code or data is designated Ring 3. When the CPU is in the highest priority mode (and therefore has privilege to update any data on the machine), the CPU should not be executing the code or data stored by the user, since the user could have stored anything at that location, including malicious code. Therefore, the SMEP feature is designed to protect the computer system by throwing an exception if code or data designated at a lower priority (for example, Ring 3) is executed within a higher priority mode (for example, Ring 0). The exception thrown may be processed by the operating system, and will typically result in the operating system crashing, since there is no good reason for the operating system to be executing code or data designated as accessible in Ring 3 while in Ring 0.
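As an added illustration (not part of the original text), the following C model shows the check described above in the form the x86 architecture implements it: each paging entry carries a user/supervisor flag, and bit 20 of control register CR4 turns SMEP enforcement on. The two-level `struct mapping`, `fetch_check` and the `FETCH_OK` sentinel are constructs of this model, and it assumes no-execute support is enabled so that instruction fetches are flagged in the page-fault error code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PTE_PRESENT 0x1u        /* bit 0: mapping is present */
#define PTE_USER    0x4u        /* bit 2: U/S, set = accessible from Ring 3 */
#define CR4_SMEP    (1u << 20)  /* CR4 bit 20: SMEP enforcement on */

#define PF_PRESENT  0x01u       /* fault on a present page (protection violation) */
#define PF_USER     0x04u       /* faulting access originated in Ring 3 */
#define PF_INSTR    0x10u       /* faulting access was an instruction fetch */
#define FETCH_OK    0xFFFFFFFFu /* model-only sentinel: fetch allowed, no fault */

/* One translation in this model: the directory entry and the table entry
 * that together map a page (a simplified two-level walk). */
struct mapping { uint32_t pde; uint32_t pte; };

/* A page counts as a user page only if U/S is set at every level. */
static bool is_user_page(const struct mapping *m) {
    return (m->pde & PTE_USER) && (m->pte & PTE_USER);
}

/* Returns FETCH_OK, or the page-fault error code reported for an
 * instruction fetch at privilege level cpl (0 or 3). Assumes NX is enabled,
 * so the instruction-fetch bit is always reported. */
uint32_t fetch_check(const struct mapping *m, int cpl, uint32_t cr4) {
    uint32_t origin = (cpl == 3) ? PF_USER : 0;
    if (!(m->pde & PTE_PRESENT) || !(m->pte & PTE_PRESENT))
        return PF_INSTR | origin;               /* not-present fault */
    if (cpl == 3 && !is_user_page(m))
        return PF_PRESENT | PF_INSTR | PF_USER; /* Ring 3 fetch from a kernel page */
    if (cpl == 0 && (cr4 & CR4_SMEP) && is_user_page(m))
        return PF_PRESENT | PF_INSTR;           /* SMEP violation: 0x11 */
    return FETCH_OK;
}

int main(void) {
    /* Constructed sample mappings, not taken from any real system. */
    struct mapping user_page   = { PTE_PRESENT | PTE_USER, PTE_PRESENT | PTE_USER };
    struct mapping kernel_page = { PTE_PRESENT | PTE_USER, PTE_PRESENT };
    printf("ring0 -> user page, SMEP on : %#x\n", (unsigned)fetch_check(&user_page, 0, CR4_SMEP));
    printf("ring0 -> user page, SMEP off: %#x\n", (unsigned)fetch_check(&user_page, 0, 0));
    printf("ring0 -> kernel page        : %#x\n", (unsigned)fetch_check(&kernel_page, 0, CR4_SMEP));
    printf("ring3 -> user page          : %#x\n", (unsigned)fetch_check(&user_page, 3, CR4_SMEP));
    return 0;
}
```

The error code 0x11 (present page, instruction fetch, supervisor-mode origin) is the combination to look for when triaging a crash as an SMEP fault.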
Operating systems which execute on the x86 architecture may, but need not, support SMEP. For example, currently Microsoft Windows 8 provides support for SMEP whereas Microsoft Windows 7 does not.