Security Mitigations: Difference between revisions
No edit summary |
No edit summary |
||
| (5 intermediate revisions by 2 users not shown) | |||
| Line 8: | Line 8: | ||
= PAC = | = PAC = | ||
[S1] Software PAC was implemented for [[Internet_Browser|web-applets]] in [[11.0.0]], later updated with [[12.1.0]]. | |||
[S2] [[Switch_2:_Tegra_T239|PAC]] is used for retaddrs on stack. | [S2] [[Switch_2:_Tegra_T239|PAC]] is used for retaddrs on stack. | ||
= XOM (eXecute-Only-Memory) = | = XOM (eXecute-Only-Memory) = | ||
Support for --X was initially added with [19.0.0+], however it's only used on S2 | Support for --X was initially added with [19.0.0+], however it's only used on S2. | ||
S2 sysmodules have --X .text, starting with [[Switch_2:_19.0.0|19.0.0]]. | |||
= CFI (Control-Flow-Integrity) = | = CFI (Control-Flow-Integrity) = | ||
S2 sysmodules use CFI which validate vtable-ptrs (the address of the ptr, without accessing the data located there). PAC is not used with this. An undefined-instruction exception is triggered on CFI failure. NOTE: Unknown for funcptrs. | |||
== nncfi == | |||
CFI was implemented for [[Internet_Browser|web-applets]] in [[11.0.0]]. | |||
The S2 version of nncfi was improved. Now the validation checks for "bti c" or "bti j" (jump-tables/switch-statements) at branch_addr+0, jumping to undefined instruction 0x000080C0+{reg} on failure. This essentially implements software BTI. | |||
The S1 version didn't have validation for jump-tables. | |||
Since indirect branches (funcptr/vfunc) now require "bti c", this therefore blocks calling any funcs starting with "bti". | |||
Since nncfi reads from .text, this can only be used when .text is R-X. | |||
Latest revision as of 06:25, 10 February 2026
ASLR (Address Space Layout Randomization)
ASLR for userspace is supported.
KASLR (kernel) was added with 5.0.0. PASLR (physical) was added with 10.0.0.
RelRo
Support for RelRo (read-only-relocations) was added with 17.0.0, binaries built for [17.0.0+] use this.
PAC
[S1] Software PAC was implemented for web-applets in 11.0.0, later updated with 12.1.0.
[S2] PAC is used for retaddrs on stack.
XOM (eXecute-Only-Memory)
Support for --X was initially added with [19.0.0+], however it's only used on S2.
S2 sysmodules have --X .text, starting with 19.0.0.
CFI (Control-Flow-Integrity)
S2 sysmodules use CFI which validate vtable-ptrs (the address of the ptr, without accessing the data located there). PAC is not used with this. An undefined-instruction exception is triggered on CFI failure. NOTE: Unknown for funcptrs.
nncfi
CFI was implemented for web-applets in 11.0.0.
The S2 version of nncfi was improved. Now the validation checks for "bti c" or "bti j" (jump-tables/switch-statements) at branch_addr+0, jumping to undefined instruction 0x000080C0+{reg} on failure. This essentially implements software BTI.
The S1 version didn't have validation for jump-tables.
Since indirect branches (funcptr/vfunc) now require "bti c", this therefore blocks calling any funcs starting with "bti".
Since nncfi reads from .text, this can only be used when .text is R-X.