Applications: Difference between revisions
CelesteBlue (talk | contribs) No edit summary |
CelesteBlue (talk | contribs) No edit summary |
||
Line 1: | Line 1: | ||
== Security == | == Security == | ||
=== Program Authority Id === | === Program Authority Id === | ||
Applications running on the | |||
Applications running on the PS Vita are subject to restrictions based off of their [[SELF#Authority_ID|Authority ID]]. Certain [[Syscalls|syscalls]] can only be called by applications that have permission to call it. For example, [[SceShell]] can make certain calls to install packages or mount file systems that games cannot. Therefore a usermode exploit is more valuable in a system application like [[ScePspEmu]], [[PSM]], [[CMA]] or even better [[SceShell]] because regular games and applications do not have access to many syscalls. | |||
=== File System Sandbox === | === File System Sandbox === | ||
Most applications do not have the special [[SELF#Authority_ID|Authority ID]] to access files outside of their own sandboxed directory. Applications access their own resources through <code>app0:</code>, which is mounted to point to their own directory and is also mounted as read only (applications cannot modify their own resources). Certain virtual partitions can be accessed on demand as specified by the [[SDK]]. Some examples include <code>photo0:</code> and <code>savedata0</code>. However, there is no way to mount actual partitions like <code>ux0</code> (memory card). | Most applications do not have the special [[SELF#Authority_ID|Authority ID]] to access files outside of their own sandboxed directory. Applications access their own resources through <code>app0:</code>, which is mounted to point to their own directory and is also mounted as read only (applications cannot modify their own resources). Certain virtual partitions can be accessed on demand as specified by the [[SDK]]. Some examples include <code>photo0:</code> and <code>savedata0</code>. However, there is no way to mount actual partitions like <code>ux0</code> (memory card). | ||
=== Shared Module ASLR === | === Shared Module ASLR === | ||
Since 2.06, user shared modules like [[SceLibKernel]] are loaded to randomized addresses. The randomization was later improved to be more random in 2.60. | |||
Since PS Vita 2.06, user shared modules like [[SceLibKernel]] are loaded to randomized addresses. The randomization was later improved to be more random in FW 2.60. | |||
=== Application ASLR === | === Application ASLR === | ||
Since 2.60, | |||
Since PS Vita FW 2.60, usermode applications (the main library) themselves can be compiled with ASLR support. Although not all games and applications choose to use this feature of the compiler, more and more are. | |||
=== NID Poisoning === | === NID Poisoning === | ||
Perhaps as a direct result of [[UVLoader]] being open source, in 2.11, Sony replaces all entries in the [[Modules#Imports|library import table]] with junk data. This prevents disclosure of [[Syscalls|syscalls]] based on their NIDs. | |||
Perhaps as a direct result of [[UVLoader]] being open source, in PS Vita 2.11, Sony replaces all entries in the [[Modules#Imports|library import table]] with junk data. This prevents disclosure of [[Syscalls|syscalls]] based on their NIDs. | |||
=== Syscall Randomization === | === Syscall Randomization === | ||
Syscall numbers are not statically assigned. On each boot, the same kernel module exports will have different syscall numbers. However, the delta between syscall exports from the same module are the same, so in theory if you can identify one syscall from a module, you can calculate all the other syscalls. | |||
Syscall numbers are not statically assigned. On each boot, the same kernel module exports will have different syscall numbers. However, the delta between syscall exports from the same module are the same, so in theory if you can identify one syscall from a module, you can calculate all the other syscalls of this module. | |||
== List of System Applications == | == List of System Applications == | ||
See [[Modules#System Applications|here]]. | See [[Modules#System Applications|here]]. | ||
[[Category:System]] | [[Category:System]] |
Revision as of 17:17, 6 November 2021
Security
Program Authority Id
Applications running on the PS Vita are subject to restrictions based off of their Authority ID. Certain syscalls can only be called by applications that have permission to call it. For example, SceShell can make certain calls to install packages or mount file systems that games cannot. Therefore a usermode exploit is more valuable in a system application like ScePspEmu, PSM, CMA or even better SceShell because regular games and applications do not have access to many syscalls.
File System Sandbox
Most applications do not have the special Authority ID to access files outside of their own sandboxed directory. Applications access their own resources through app0:
, which is mounted to point to their own directory and is also mounted as read only (applications cannot modify their own resources). Certain virtual partitions can be accessed on demand as specified by the SDK. Some examples include photo0:
and savedata0
. However, there is no way to mount actual partitions like ux0
(memory card).
Since PS Vita 2.06, user shared modules like SceLibKernel are loaded to randomized addresses. The randomization was later improved to be more random in FW 2.60.
Application ASLR
Since PS Vita FW 2.60, usermode applications (the main library) themselves can be compiled with ASLR support. Although not all games and applications choose to use this feature of the compiler, more and more are.
NID Poisoning
Perhaps as a direct result of UVLoader being open source, in PS Vita 2.11, Sony replaces all entries in the library import table with junk data. This prevents disclosure of syscalls based on their NIDs.
Syscall Randomization
Syscall numbers are not statically assigned. On each boot, the same kernel module exports will have different syscall numbers. However, the delta between syscall exports from the same module are the same, so in theory if you can identify one syscall from a module, you can calculate all the other syscalls of this module.
List of System Applications
See here.