Security Mitigations: Difference between revisions

(5 intermediate revisions by 2 users not shown)

Line 8:

= PAC =

[S1] Software PAC was implemented for [[Internet_Browser|web-applets]] in [[11.0.0]], later updated with [[12.1.0]].

[S2] [[Switch_2:_Tegra_T239|PAC]] is used for retaddrs on stack.

= XOM (eXecute-Only-Memory) =

Support for --X was initially added with [19.0.0+], however it's only used on S2~~. It's unknown when S2 enabled using this~~.

Support for --X was initially added with [19.0.0+], however it's only used on S2.

~~Sysmodules~~ have --X .text, ~~at least as of system-version 20~~.x.

S2 sysmodules have --X .text, starting with [[Switch_2:_19.0.0|19.0.0]].

= CFI (Control-Flow-Integrity) =

~~Besides the CFI used by [[Internet_Browser|web-applets]],~~ S2 sysmodules use ~~a version of~~ CFI which validate vtable-ptrs (the address of the ptr, without accessing the data located there). PAC is not used with this. An undefined-instruction exception is triggered on CFI failure.

S2 sysmodules use CFI which validate vtable-ptrs (the address of the ptr, without accessing the data located there). PAC is not used with this. An undefined-instruction exception is triggered on CFI failure. NOTE: Unknown for funcptrs.

== nncfi ==

CFI was implemented for [[Internet_Browser|web-applets]] in [[11.0.0]].

The S2 version of nncfi was improved. Now the validation checks for "bti c" or "bti j" (jump-tables/switch-statements) at branch_addr+0, jumping to undefined instruction 0x000080C0+{reg} on failure. This essentially implements software BTI.

The S1 version didn't have validation for jump-tables.

Since indirect branches (funcptr/vfunc) now require "bti c", this therefore blocks calling any funcs starting with "bti".

~~This is present with sysmodules on system-version 20~~.x, ~~it's unknown whether 19~~.~~0.0 has this~~.

Since nncfi reads from .text, this can only be used when .text is R-X.

@@ Line 8: / Line 8: @@
 = PAC =
+[S1] Software PAC was implemented for [[Internet_Browser|web-applets]] in [[11.0.0]], later updated with [[12.1.0]].
 [S2] [[Switch_2:_Tegra_T239|PAC]] is used for retaddrs on stack.
 = XOM (eXecute-Only-Memory) =
-Support for --X was initially added with [19.0.0+], however it's only used on S2. It's unknown when S2 enabled using this.
+Support for --X was initially added with [19.0.0+], however it's only used on S2.
-Sysmodules have --X .text, at least as of system-version 20.x.
+S2 sysmodules have --X .text, starting with [[Switch_2:_19.0.0|19.0.0]].
 = CFI (Control-Flow-Integrity) =
-Besides the CFI used by [[Internet_Browser|web-applets]], S2 sysmodules use a version of CFI which validate vtable-ptrs (the address of the ptr, without accessing the data located there). PAC is not used with this. An undefined-instruction exception is triggered on CFI failure.
+S2 sysmodules use CFI which validate vtable-ptrs (the address of the ptr, without accessing the data located there). PAC is not used with this. An undefined-instruction exception is triggered on CFI failure. NOTE: Unknown for funcptrs.
+== nncfi ==
+CFI was implemented for [[Internet_Browser|web-applets]] in [[11.0.0]].
+The S2 version of nncfi was improved. Now the validation checks for "bti c" or "bti j" (jump-tables/switch-statements) at branch_addr+0, jumping to undefined instruction 0x000080C0+{reg} on failure. This essentially implements software BTI.
+The S1 version didn't have validation for jump-tables.
+Since indirect branches (funcptr/vfunc) now require "bti c", this therefore blocks calling any funcs starting with "bti".
-This is present with sysmodules on system-version 20.x, it's unknown whether 19.0.0 has this.
+Since nncfi reads from .text, this can only be used when .text is R-X.