Security Mitigations: Difference between revisions
Latest revision as of 18:28, 7 November 2025
ASLR (Address Space Layout Randomization)
ASLR for userspace is supported.
KASLR (kernel) was added with 5.0.0. PASLR (physical) was added with 10.0.0.
RelRo
Support for RelRo (read-only-relocations) was added with 17.0.0; binaries built for [17.0.0+] use this.
PAC
[S2] PAC is used for return addresses on the stack.
XOM (eXecute-Only-Memory)
Support for --X was initially added with [19.0.0+]; however, it's only used on S2. It's unknown when S2 started using it.
Sysmodules have --X .text, at least as of system-version 20.x.
CFI (Control-Flow-Integrity)
Besides the CFI used by web-applets, S2 sysmodules use a version of CFI which validates vtable-ptrs (the address of the ptr, without accessing the data located there). PAC is not used with this. An undefined-instruction exception is triggered on CFI failure.
This is present with sysmodules on system-version 20.x; it's unknown whether 19.0.0 has this.
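A model of an address-only vtable-pointer check of the kind described above, added here as an example; it is not code from the sysmodules. The exact check they perform is not documented on this page, so the range-plus-alignment test, the single contiguous vtable table and all names below are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical object layout: first field is the vtable pointer. */
struct vtable { int (*area)(const void *self); };
struct shape  { const struct vtable *vptr; int w, h; };

static int rect_area(const void *self) {
    const struct shape *s = self;
    return s->w * s->h;
}
static int square_area(const void *self) {
    const struct shape *s = self;
    return s->w * s->w;
}

/* Assumption: every legitimate vtable sits in one contiguous read-only table. */
static const struct vtable valid_vtables[] = { { rect_area }, { square_area } };

/* Address-only validation: the pointer value must lie inside the table and on
 * an entry boundary. The memory it points to is never read. */
static int vptr_is_valid(const void *vptr) {
    uintptr_t off = (uintptr_t)vptr - (uintptr_t)valid_vtables; /* wraps if below base */
    return off < sizeof valid_vtables && off % sizeof valid_vtables[0] == 0;
}

/* Virtual call guarded by the check; __builtin_trap() (GCC/Clang) stands in
 * for the undefined-instruction exception raised on CFI failure. */
static int checked_area(const struct shape *s) {
    if (!vptr_is_valid(s->vptr))
        __builtin_trap();
    return s->vptr->area(s);
}

int main(void) {
    struct vtable forged = { rect_area };           /* constructed: vtable outside the table */
    struct shape ok = { &valid_vtables[0], 3, 4 };
    printf("valid vptr: %d, area %d\n", vptr_is_valid(ok.vptr), checked_area(&ok));
    printf("forged vptr accepted: %d\n", vptr_is_valid(&forged));
    return 0;
}
```

Because only the pointer value is inspected, a forged table is rejected even when its contents are a byte-for-byte copy of a legitimate one.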