Security Mitigations

From Nintendo Switch Brew
Revision as of 06:25, 10 February 2026 by Yellows8 (talk | contribs)

ASLR (Address Space Layout Randomization)

ASLR for userspace is supported.

KASLR (kernel) was added with 5.0.0. PASLR (physical) was added with 10.0.0.

RelRo

Support for RelRo (read-only relocations) was added with 17.0.0; binaries built for [17.0.0+] use it.

PAC

[S1] Software PAC was implemented for web-applets in 11.0.0, later updated with 12.1.0.

[S2] PAC is used for return addresses on the stack.

XOM (eXecute-Only-Memory)

Support for --X (execute-only) mappings was initially added with [19.0.0+]; however, it is only used on S2.

S2 sysmodules have --X .text, starting with 19.0.0.

CFI (Control-Flow-Integrity)

S2 sysmodules use CFI which validates vtable pointers (the pointer value itself is checked, without dereferencing it). PAC is not used for this. An undefined-instruction exception is triggered on CFI failure. NOTE: whether function pointers are validated the same way is unknown.

nncfi

CFI was implemented for web-applets in 11.0.0.

The S2 version of nncfi was improved: the validation now checks for "bti c" (indirect calls) or "bti j" (jump-tables/switch-statements) at branch_addr+0, jumping to the undefined instruction at 0x000080C0+{reg} on failure. This essentially implements software BTI.

The S1 version didn't have validation for jump-tables.

Since indirect branches (funcptr/vfunc) now require "bti c" at the target, only functions that begin with a "bti" instruction can be reached through an indirect branch; a function pointer redirected into the middle of a function, or to a function without one, fails the check.

Since nncfi reads the target instruction from .text, it can only be used when .text is R-X; it is incompatible with execute-only (--X) .text.
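The following is an added example, not code from Switchbrew or from Nintendo's nncfi, that models the S2 check described above: read the 32-bit instruction at branch_addr+0 and demand "bti c" for indirect calls (funcptr/vfunc) and "bti j" for jump-table branches, then run it against a small constructed .text to show which targets survive (a real entry point, a mid-function gadget, a function without bti, a switch case label) and what happens when .text is --X. The struct, the offsets, the failure codes and the "strict" treatment of "bti jc" are the example's own assumptions; the real failure path (a branch to 0x000080C0+{reg}) is represented by a return code rather than reproduced.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* AArch64 BTI encodings (HINT #32/#34/#36/#38), as little-endian words. */
#define INSN_BTI      0xD503241Fu /* bti    */
#define INSN_BTI_C    0xD503245Fu /* bti c  */
#define INSN_BTI_J    0xD503249Fu /* bti j  */
#define INSN_BTI_JC   0xD50324DFu /* bti jc */
/* Other instructions used in the constructed .text below. */
#define INSN_RET      0xD65F03C0u /* ret        */
#define INSN_MOV_X0_1 0xD2800020u /* mov x0, #1 */
#define INSN_NOP      0xD503201Fu /* nop        */

enum branch_kind { BRANCH_CALL, BRANCH_JUMP_TABLE };

enum nncfi_result {
    NNCFI_OK = 0,
    NNCFI_FAIL_BAD_TARGET,        /* target does not start with the required bti */
    NNCFI_FAIL_TARGET_UNREADABLE, /* target outside .text or not 4-byte aligned */
    NNCFI_FAIL_TEXT_IS_XOM        /* .text is --X: the check itself cannot read it */
};

/* Hypothetical model of a loaded module's .text (not an SDK type). */
struct module_text {
    uintptr_t base;       /* load address of .text (arbitrary in this demo) */
    const uint8_t *bytes; /* the bytes mapped there */
    size_t len;
    int readable;         /* 1 = R-X, 0 = execute-only (XOM) */
};

static int read_insn(const struct module_text *m, uintptr_t addr, uint32_t *out)
{
    if ((addr & 3) != 0 || addr < m->base || addr - m->base + 4 > m->len)
        return 0;
    const uint8_t *p = m->bytes + (addr - m->base);
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return 1;
}

/* The check run before every indirect branch (model of the S2 nncfi check). */
enum nncfi_result nncfi_check_s2(const struct module_text *m, uintptr_t target,
                                 enum branch_kind kind)
{
    uint32_t insn;
    if (!m->readable)                      /* --X .text: the read would fault */
        return NNCFI_FAIL_TEXT_IS_XOM;
    if (!read_insn(m, target, &insn))
        return NNCFI_FAIL_TARGET_UNREADABLE;
    /* Strict mapping from the page: calls need "bti c", jump tables "bti j".
     * Hardware BTI also accepts "bti jc" for both; whether nncfi does is not
     * stated, so this model deliberately does not (assumption). */
    uint32_t want = (kind == BRANCH_CALL) ? INSN_BTI_C : INSN_BTI_J;
    return insn == want ? NNCFI_OK : NNCFI_FAIL_BAD_TARGET;
}

/* Constructed .text layout for the demo (offsets are the example's own). */
#define OFF_GOOD_FUNC   0x00 /* bti c ; ret     : valid indirect-call target   */
#define OFF_GOOD_GADGET 0x04 /* the ret inside  : mid-function gadget          */
#define OFF_PLAIN_FUNC  0x08 /* mov x0,#1 ; ret : no bti, not callable          */
#define OFF_CASE_LABEL  0x10 /* bti j ; nop     : valid jump-table target       */
#define OFF_JC_FUNC     0x18 /* bti jc ; ret    : rejected under the strict model */
#define SAMPLE_LEN      0x20

static void put_insn(uint8_t *buf, size_t off, uint32_t insn)
{
    buf[off] = insn & 0xff;             buf[off + 1] = (insn >> 8) & 0xff;
    buf[off + 2] = (insn >> 16) & 0xff; buf[off + 3] = (insn >> 24) & 0xff;
}

struct module_text sample_module(int readable)
{
    static uint8_t text[SAMPLE_LEN];
    put_insn(text, OFF_GOOD_FUNC, INSN_BTI_C);     put_insn(text, OFF_GOOD_FUNC + 4, INSN_RET);
    put_insn(text, OFF_PLAIN_FUNC, INSN_MOV_X0_1); put_insn(text, OFF_PLAIN_FUNC + 4, INSN_RET);
    put_insn(text, OFF_CASE_LABEL, INSN_BTI_J);    put_insn(text, OFF_CASE_LABEL + 4, INSN_NOP);
    put_insn(text, OFF_JC_FUNC, INSN_BTI_JC);      put_insn(text, OFF_JC_FUNC + 4, INSN_RET);
    struct module_text m = { 0x20000000u, text, SAMPLE_LEN, readable };
    return m;
}

int main(void)
{
    static const char *names[] = { "ok", "bad target", "target unreadable", ".text is XOM" };
    struct { const char *what; uintptr_t off; enum branch_kind k; } cases[] = {
        { "call good_func",            OFF_GOOD_FUNC,   BRANCH_CALL },
        { "call mid-function gadget",  OFF_GOOD_GADGET, BRANCH_CALL },
        { "call plain_func (no bti)",  OFF_PLAIN_FUNC,  BRANCH_CALL },
        { "jump-table to case label",  OFF_CASE_LABEL,  BRANCH_JUMP_TABLE },
        { "call case label (bti j)",   OFF_CASE_LABEL,  BRANCH_CALL },
        { "call bti jc func (strict)", OFF_JC_FUNC,     BRANCH_CALL },
    };
    struct module_text m = sample_module(1), xom = sample_module(0);
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s -> %s\n", cases[i].what,
               names[nncfi_check_s2(&m, m.base + cases[i].off, cases[i].k)]);
    printf("%-28s -> %s\n", "good_func with --X .text",
           names[nncfi_check_s2(&xom, xom.base + OFF_GOOD_FUNC, BRANCH_CALL)]);
    return 0;
}
```

The check only inspects the first instruction word at the branch target, which is why a compiler must emit "bti c" as the first instruction of every function reachable through a pointer; it also shows directly why the scheme needs R-X .text: the load in read_insn is the same load that would fault on an execute-only mapping.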