11.0.0-33: Difference between revisions
No edit summary

Line 33:
3 new functions used for validation with memory management were added (kernelpanic() on failure). This is a new security feature for the kernel heaps. By adding a MAC to the kernel heap [[Memory_Management#MemoryBlockHeader|memchunkhdr]] they can detect when it is modified by an outside DMA device ([[3DS_System_Flaws|gspwn]]).
The MAC itself is custom based on xor-rot-sub-mul, and is calculated as follows (pseudo-code):
Line 58 (previous revision) / Line 56 (this revision):
if(data_ptr[5] != (r0 ^ r1)) {
    kernel_panic()
}
The function which initializes a memalloc heap had a major update (used for FCRAM memregions and the SlabHeap container). It generates a random MAC key based on svcGetSystemTick, like this:
// the 16-byte key lives at crypto_state[16..31] (four u32 words), zeroed first
crypto_state[16/4] = 0
crypto_state[20/4] = 0
crypto_state[24/4] = 0
crypto_state[28/4] = 0
u32* key = &crypto_state[16/4];
for(size_t i=0; i<0x40; i++) {
    for(size_t j=0; j<4; j++) {
        r0 = key[j] - GetSystemTick()                        // subtract a fresh tick reading
        key[j] = r0 ^ ((r0 >>> 7) - (key[(i+j) % 4] >>> 17)) // xor / rotate / sub mixing with a neighbouring word
    }
}
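The key derivation above, written out as a runnable model so its properties can be checked on a host. This is an added example, not 3dbrew's or the kernel's own code. It assumes the page's `>>>` is a 32-bit rotate right (the "rot" in xor-rot-sub-mul) and that all arithmetic is modulo 2^32; `svcGetSystemTick` is replaced by a caller-supplied tick source, and the counter-based source used here is constructed for the demonstration. What it shows is that the key is a pure function of the 0x40 * 4 tick readings: identical readings give identical keys, and a source that always reads zero leaves the key at its zeroed starting value, so the unpredictability of the heap MAC rests entirely on the tick counter.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example modelling the page's key-derivation pseudo-code; it is not
 * 3dbrew's or the kernel's own code.  ASSUMPTION: the page's `>>>` is a 32-bit
 * rotate right (the "rot" of xor-rot-sub-mul); all arithmetic is mod 2^32. */

/* Stand-in for svcGetSystemTick: the caller supplies the tick source. */
typedef uint32_t (*tick_fn)(void *ctx);

static uint32_t rotr32(uint32_t v, unsigned n)
{
    n &= 31;
    return n ? (v >> n) | (v << (32 - n)) : v;
}

/* One step of the inner loop, returning the updated key word:
 *   r0     = key[j] - tick
 *   key[j] = r0 ^ ((r0 >>> 7) - (key[(i+j) % 4] >>> 17))
 * key[(i+j) % 4] is read before key[j] is overwritten, as in the pseudo-code. */
static uint32_t mix_step(uint32_t key[4], size_t i, size_t j, uint32_t tick)
{
    uint32_t r0 = key[j] - tick;
    key[j] = r0 ^ (rotr32(r0, 7) - rotr32(key[(i + j) % 4], 17));
    return key[j];
}

/* Derives the four-word heap MAC key: the words start at zero (the page's
 * crypto_state[16/4..28/4] = 0) and are mixed over 0x40 * 4 tick reads. */
void derive_heap_mac_key(uint32_t key[4], tick_fn tick, void *ctx)
{
    memset(key, 0, 4 * sizeof key[0]);
    for (size_t i = 0; i < 0x40; i++)
        for (size_t j = 0; j < 4; j++)
            mix_step(key, i, j, tick(ctx));
}

/* Constructed tick source: a counter that advances by `stride` on every read,
 * standing in for the free-running hardware tick counter. */
struct counter_ticks { uint32_t next; uint32_t stride; };

static uint32_t counter_tick(void *ctx)
{
    struct counter_ticks *c = ctx;
    uint32_t t = c->next;
    c->next += c->stride;
    return t;
}

void derive_from_counter(uint32_t key[4], uint32_t start, uint32_t stride)
{
    struct counter_ticks c = { start, stride };
    derive_heap_mac_key(key, counter_tick, &c);
}

/* 1 if every key word is zero: the derivation has no entropy of its own, so
 * a tick source that always reads 0 leaves the key at its zeroed start. */
int key_is_zero(const uint32_t key[4])
{
    return (key[0] | key[1] | key[2] | key[3]) == 0;
}

/* 1 if two derivations from identical tick sequences agree; the derivation is
 * a pure function of the tick readings, so this always holds. */
int same_ticks_same_key(uint32_t start, uint32_t stride)
{
    uint32_t a[4], b[4];
    derive_from_counter(a, start, stride);
    derive_from_counter(b, start, stride);
    return memcmp(a, b, sizeof a) == 0;
}

int main(void)
{
    uint32_t key[4];
    derive_from_counter(key, 0x12345678u, 0x1fu);   /* constructed tick values */
    printf("derived heap MAC key: %08x %08x %08x %08x\n",
           key[0], key[1], key[2], key[3]);
    return 0;
}
```

The `mix_step` helper is exposed so single rounds can be checked by hand: from an all-zero key, a tick reading of 2 in word 1 yields 0x02000001, which follows directly from the rotate-and-subtract arithmetic in the pseudo-code.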