Switch System Flaws: Difference between revisions
Line 133 (previous revision):

One can then use blind ROP against the TSEC secure bootrom (which is execute only, and cannot be dumped).
With sufficient effort, an attacker can construct a ROP chain that leads to
This allows for arbitrary heavy secure mode code execution with the current signature set to an arbitrary value.

Line 133 (current revision):

One can then use blind ROP against the TSEC secure bootrom (which is execute only, and cannot be dumped).
With sufficient effort, an attacker can construct a ROP chain that leads to csigcmp being executed with fully controlled arguments.
This allows for arbitrary heavy secure mode code execution with the current signature set to an arbitrary value.