Switch System Flaws: Difference between revisions

Line 70:

| [[3.0.0]]

| ~~late~~ summer/early fall 2017

| Late summer/early fall 2017

| December 31, 2017

| SciresM, ~~Motezazer~~

| [[User:SciresM|SciresM]], [[User:motezazer|motezazer]]

|-

|}

Line 98:

| December 2017 (Probably earlier by others)

| January 18, 2018

| SciresM, probably others.

| [[User:SciresM|SciresM]], probably others.

|-

| jamais vu (non-secure world access to PMC MMIO and pre-deep sleep firmware)

| On [[1.0.0]], one could map in the PMC registers in userland. In addition, [[am~~|AM Services~~]] ran a little-kernel based firmware on the BPMP at runtime. With code execution under am, one could modify the BPMP's little-kernel firmware to hook deep sleep entry, and modify TrustZone/Security engine state.

| On [[1.0.0]], one could map in the PMC registers in userland. In addition, [[AM_services|am]] ran a little-kernel based firmware on the BPMP at runtime. With code execution under am, one could modify the BPMP's little-kernel firmware to hook deep sleep entry, and modify TrustZone/Security engine state.

This was fixed in [[2.0.0]] by making the PMC secure-world only, blacklisting the BPMP's exception vectors from being mapped, and thoroughly checking for malicious behavior on deep sleep entry.

Line 108:

| [[2.0.0]]

| December, 2017

| January 20, ~~2017~~

| January 20, 2018

| [[User:SciresM|SciresM]] and [[User:motezazer|motezazer]]

|-

Line 171:

| January 2018

| SciresM, yellows8

| [[User:SciresM|SciresM]], [[User:Yellows8|yellows8]]

|-

|}

Line 241:

| August 4, 2017

| August 6, 2017

| [[User: shinyquagsire23|Shiny Quagsire]], [[User:Yellows8|~~Yellows8~~]] (independently)

| [[User: shinyquagsire23|Shiny Quagsire]], [[User:Yellows8|yellows8]] (independently)

|-

| OOB Read in NS system module (pl:utoohax, pl:utonium, maybe other names)

@@ Line 70: / Line 70: @@
 |  [[3.0.0]]
 |  [[3.0.0]]
-|  late summer/early fall 2017
+|  Late summer/early fall 2017
 |  December 31, 2017
-|  SciresM, Motezazer
+|  [[User:SciresM|SciresM]], [[User:motezazer|motezazer]]
 |-
 |}
@@ Line 98: / Line 98: @@
 | December 2017 (Probably earlier by others)
 | January 18, 2018
-| SciresM, probably others.
+| [[User:SciresM|SciresM]], probably others.
 |-
 | jamais vu (non-secure world access to PMC MMIO and pre-deep sleep firmware)
-|  On [[1.0.0]], one could map in the PMC registers in userland. In addition, [[am|AM Services]] ran a little-kernel based firmware on the BPMP at runtime. With code execution under am, one could modify the BPMP's little-kernel firmware to hook deep sleep entry, and modify TrustZone/Security engine state.
+|  On [[1.0.0]], one could map in the PMC registers in userland. In addition, [[AM_services|am]] ran a little-kernel based firmware on the BPMP at runtime. With code execution under am, one could modify the BPMP's little-kernel firmware to hook deep sleep entry, and modify TrustZone/Security engine state.
 This was fixed in [[2.0.0]] by making the PMC secure-world only, blacklisting the BPMP's exception vectors from being mapped, and thoroughly checking for malicious behavior on deep sleep entry.
@@ Line 108: / Line 108: @@
 |  [[2.0.0]]
 |  December, 2017
-|  January 20, 2017
+|  January 20, 2018
 |  [[User:SciresM|SciresM]] and [[User:motezazer|motezazer]]
 |-
@@ Line 171: / Line 171: @@
 | January 2018
 | January 2018
-| SciresM, yellows8
+| [[User:SciresM|SciresM]], [[User:Yellows8|yellows8]]
 |-
 |}
@@ Line 241: / Line 241: @@
 | August 4, 2017
 | August 6, 2017
-| [[User: shinyquagsire23|Shiny Quagsire]], [[User:Yellows8|Yellows8]] (independently)
+| [[User: shinyquagsire23|Shiny Quagsire]], [[User:Yellows8|yellows8]] (independently)
 |-
 |  OOB Read in NS system module (pl:utoohax, pl:utonium, maybe other names)