by amluto 3956 days ago
CR3 is the x86 register that points to the root page table. When an OS switches between processes, it generally changes CR3. On the other hand, when an OS switches from user mode to kernel mode, it usually leaves CR3 alone.

I know essentially nothing about Darwin, but "no shared CR3" presumably means that the kernel will switch CR3 to make user memory inaccessible when running in kernel mode. This is approximately what grsecurity's UDEREF feature does.

On Linux, on Broadwell or newer, there's a similar HW mitigation called SMAP. Darwin might use it, too.

Linux also doesn't allow unprivileged programs to map very low addresses, making NULL pointer dereferences much harder to exploit.
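A way to check, on a Linux host, whether the low-address restriction mentioned above is actually in force (an added example, not part of the comment): it reads the vm.mmap_min_addr sysctl and attempts a MAP_FIXED mapping of page 0, which an unprivileged process should be refused. It assumes glibc-style /proc and mmap; on systems without /proc the sysctl read reports -1 and only the probe result is meaningful.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Parse the decimal text of /proc/sys/vm/mmap_min_addr; -1 if unparseable. */
long parse_min_addr(const char *s)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || errno != 0 || v < 0)
        return -1;
    return v;
}

/* Lowest address the kernel lets unprivileged code map; -1 if the sysctl is absent. */
long read_mmap_min_addr(void)
{
    char buf[64];
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f)
        return -1;
    char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    return line ? parse_min_addr(line) : -1;
}

/* Try to map one anonymous page at exactly addr. Returns 1 if the kernel
 * allowed it (the page is unmapped again at once), 0 if it refused.
 * Only probe an address known to be unmapped: MAP_FIXED replaces mappings. */
int probe_fixed_mapping(unsigned long addr)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)addr, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, page);
    return 1;
}

int main(void)
{
    printf("vm.mmap_min_addr = %ld\n", read_mmap_min_addr());
    int ok = probe_fixed_mapping(0);
    int err = ok ? 0 : errno; /* EPERM is the expected refusal for unprivileged code */
    printf("mapping page 0: %s (errno %d)\n", ok ? "ALLOWED" : "refused", err);
    return 0;
}
```

A process holding CAP_SYS_RAWIO (or running with the sysctl set to 0) can still get the mapping, so a result of ALLOWED under root is not by itself a misconfiguration.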