Security Mitigations: Difference between revisions

← Older edit Newer edit →

@@ Line 16: / Line 16: @@
 = CFI (Control-Flow-Integrity) =
-Besides the CFI used by [[Internet_Browser|web-applets]], S2 sysmodules use a version of CFI which validate vtable-ptrs (the address of the ptr, without accessing the data located there). PAC is not used with this. An undefined-instruction exception is triggered on CFI failure.
+S2 sysmodules use CFI which validate vtable-ptrs (the address of the ptr, without accessing the data located there). PAC is not used with this. An undefined-instruction exception is triggered on CFI failure. NOTE: Unknown for funcptrs.
+== nncfi ==
+CFI was implemented for [[Internet_Browser|web-applets]] in [[11.0.0]].
+The S2 version of nncfi was improved. Now the validation checks for "bti c" or "bti j" (jump-tables/switch-statements) at branch_addr+0, jumping to undefined instruction 0x000080C0+{reg} on failure. This essentially implements software BTI.
+The S1 version didn't have validation for jump-tables.
+Since indirect branches (funcptr/vfunc) now require "bti c", this therefore blocks calling any funcs starting with "bti".
+Since nncfi reads from .text, this can only be used when .text is R-X.