Kernel

The PS Vita has a purely modular kernel. It is divided into a Secure Kernel and a Non-secure Kernel. All modules of the kernel are Kernel PRX files; they are listed in Modules. Most Non-secure Kernel modules are stored in the  partition, whilst Secure Kernel modules are stored in the SLB2 partition. Most Non-secure Kernel modules are encrypted and signed as .skprx files, but some are packed as plain Kernel PRX in bootimage.skprx. Secure Kernel modules are in kernel_boot_loader.self and are sometimes LZRA-encoded.

Temp
TODO: move these to an appropriate place.

UID Attr

Mask      Description
0x70000   vis_level
0x300000  act entry

GUID
Global UID.

Layout, most significant bit first (bit 31 down to bit 0):

0  0   00 0000 0000 0001   0000 0000 0000 000   1

Bit 31: Error bit. Should be 0.

Bit 30: PUID bit. Should be 0.

Bits 29-16: Sub UID. 14 bits wide. Has no direct effect on the Core UID. Somewhat random values are used for security (with an increase method).

Bits 15-1: eindex, aka Core UID. 15 bits wide. Value that identifies the object.

Bit 0: UID bit. Should be 1.

The Core UID is 15 bits wide, so in theory the system can create up to 0x8000 (32768) objects.

Example : 0x10005, 0x10007, 0x10547, 0x2DF84A9

PUID
Process UID.

Layout, most significant bit first (bit 31 down to bit 0):

0  1   00 0000 0000 0001   0000 0000 0000 000   1

Bit 31: Error bit. Should be 0.

Bit 30: PUID bit. Should be 1.

Bits 29-16: Unknown, maybe sub UID. 14 bits wide.

Bits 15-1: eindex, aka Core UID. 15 bits wide.

Bit 0: UID bit. Should be 1.

Example : 0x40010001
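As an added example (not code from the Vita kernel or any of its modules), this Python helper splits a UID into the fields described in the GUID and PUID layouts above and rejects values whose fixed bits are wrong. The bit positions are read off the layouts MSB first and the field and constant names are my own; the example values are the ones quoted on this page.

```python
# Added example: decode/encode PS Vita kernel UIDs using the layouts above.
# Bit positions (assumed from the MSB-first layouts): bit 31 error bit,
# bit 30 PUID bit, bits 29-16 sub UID, bits 15-1 eindex (Core UID), bit 0 UID bit.
from dataclasses import dataclass

ERROR_BIT = 1 << 31
PUID_BIT = 1 << 30
SUBUID_SHIFT, SUBUID_MASK = 16, (1 << 14) - 1   # 14-bit sub UID
EINDEX_SHIFT, EINDEX_MASK = 1, (1 << 15) - 1    # 15-bit Core UID
UID_BIT = 1
MAX_OBJECTS = EINDEX_MASK + 1                   # 0x8000 distinct Core UIDs


@dataclass(frozen=True)
class Uid:
    is_puid: bool   # True for a process UID, False for a global UID
    sub_uid: int    # 14 bits
    eindex: int     # 15 bits, the Core UID


def decode_uid(value: int) -> Uid:
    """Split a 32-bit UID into fields; reject values whose fixed bits are wrong."""
    value &= 0xFFFFFFFF
    if value & ERROR_BIT:
        raise ValueError(f"0x{value:08X}: error bit is set")
    if not value & UID_BIT:
        raise ValueError(f"0x{value:08X}: UID bit is clear, not a UID")
    return Uid(
        is_puid=bool(value & PUID_BIT),
        sub_uid=(value >> SUBUID_SHIFT) & SUBUID_MASK,
        eindex=(value >> EINDEX_SHIFT) & EINDEX_MASK,
    )


def encode_uid(uid: Uid) -> int:
    """Inverse of decode_uid; rejects fields wider than their slot."""
    if not (0 <= uid.sub_uid <= SUBUID_MASK and 0 <= uid.eindex <= EINDEX_MASK):
        raise ValueError("sub_uid or eindex does not fit its field")
    value = UID_BIT | (uid.sub_uid << SUBUID_SHIFT) | (uid.eindex << EINDEX_SHIFT)
    return value | PUID_BIT if uid.is_puid else value


def describe_uid(value: int) -> str:
    u = decode_uid(value)
    kind = "PUID" if u.is_puid else "GUID"
    return f"0x{value:08X} {kind} sub_uid=0x{u.sub_uid:X} eindex=0x{u.eindex:X}"


if __name__ == "__main__":
    for v in (0x10005, 0x10007, 0x10547, 0x2DF84A9, 0x40010001):  # values from the page
        print(describe_uid(v))
```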

KASLR
Since PS Vita FW 1.80 or so, the kernel implements kernel address space layout randomization to discourage ROP attacks.

Canaries
Since PS Vita FW 1.80 or so, the kernel makes use of stack canaries to detect stack buffer overflows and halts the system when an overflow is detected.

Memory Domains
Memory domains are a feature of the ARM MMU that provides an easy way of showing and hiding groups of addresses together with their permissions. When a system call is made, the handler disables all access to the memory domains covering usermode memory, so kernel code cannot directly access usermode memory. This means that if a usermode pointer is passed in and the kernel forgets to check it and dereferences it directly, it will abort with an exception. See SceExcpmgr. To access usermode memory, special functions are used that temporarily enable all domains. The access is implemented with the ARM unprivileged access instructions  and   to make sure that the access functions cannot read or write kernel memory space. As long as the domain-disabling code in the syscall handler is secure and the usermode memory access functions are secure, there is no need for additional checks implemented per function. A similar protection on Linux is "SMAP", which crashes the kernel when the kernel stack pointer points to usermode memory. Additionally, all non-code pages are marked "execute never" (XN) in both kernel and usermode.

Syscall Randomization
The numbers assigned to syscalls change on each boot, but the delta between functions exported by the same module stays consistent.

NID Poisoning
Since PS Vita FW 2.10, SceKernelModulemgr replaces the function/variable NID entries in the module import tables with junk data. This means that an attacker can no longer map syscall numbers to function NIDs.

Usermode stack pivot protection
Since an unknown PS Vita System Software version (seen on 3.18), the kernel terminates an application if it notices that its stack pointer register (SP) does not point into the stack memory.

Usermode and kernel heaps overflow protection
dlmalloc, which is used for heap allocations, is compiled with -DFOOTERS=1 to enable additional heap overflow checks. Additionally, a custom SceNetPs malloc implementation does some heap overflow checks of its own.