GrapheneOS [Unofficial]

Welcome to the GrapheneOS (Unofficial) community

This feed is currently only used for announcements and news.

Official support available on our forum and matrix chat rooms

GrapheneOS is a privacy and security focused mobile OS with Android app compatibility.

This is a community based around the GrapheneOS projects including the hardened Android Open Source Project fork, Auditor, AttestationServer, the hardened malloc implementation and other projects.

301

Changes in version 121.0.6167.143.1:

  • do not clear URL bar on focus by default for search intents

A full list of changes from the previous release (version 121.0.6167.143.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

302

Changes in version 121.0.6167.143.0:

  • update to Chromium 121.0.6167.143

A full list of changes from the previous release (version 121.0.6167.101.3) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

303

https://grapheneos.social/@GrapheneOS/111847146949645864

Our previous Camera app release moved away from using deprecated Parcel APIs. These new APIs were introduced in Android 13, but some had a serious bug in Android 13 causing a null pointer exception. They fixed that in Android 14 where we do most testing.

They chose not to ship the fix in a monthly or quarterly release of Android 13 based on the reasoning that most non-Pixel OEMs don't ship monthly/quarterly updates (only partial security patch backports) and they didn't want fragmentation for this issue.

https://issuetracker.google.com/issues/240585930

That may be reasonable, but then they should have undone the deprecation until Android 14 and raised the minimum API level for these APIs to Android 14. The documentation doesn't mention this. Every developer is expected to hit it and then somehow notice IntentCompat in AndroidX.

304

Notable changes in version 66:

  • work around an Android 13 OS bug not fixed until Android 14 which is causing crashes when resuming certain activities by using the AndroidX IntentCompat interface

A full list of changes from the previous release (version 66) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS app repository and on GitHub. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates.

Releases are initially pushed out through the Beta channel for both the Play Store and our app repository and then get moved to the Stable channel.

GrapheneOS users must obtain GrapheneOS app updates through our app repository since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

305

Changes in version 121.0.6167.101.3:

  • revert minimum API level increase due to it potentially causing issues with resource loading for the browser app for certain users due to Chromium resource optimization quirks (the planned changes requiring this can be approached another way)

A full list of changes from the previous release (version 121.0.6167.101.3) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

306

Notable changes in version 65:

  • add lockscreen support to QR code scanner shortcut activity to support standard lockscreen shortcut for QR scanning
  • improve ImageSaver error dialog (include OS version, include app package name and versionCode, use the standard stack trace format)
  • in-app gallery: do not overwrite the original item after editing
  • in-app gallery: specify Uri type in editIntent to support editing videos with Google Photos
  • update Material Components library to 1.11.0
  • update CameraX library to 1.4.0-alpha04
  • update Gradle to 8.5
  • update Android Gradle plugin to 8.2.1
  • update Kotlin to 1.9.22
  • replace deprecated APIs

A full list of changes from the previous release (version 64) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS app repository and on GitHub. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates.

Releases are initially pushed out through the Beta channel for both the Play Store and our app repository and then get moved to the Stable channel.

GrapheneOS users must obtain GrapheneOS app updates through our app repository since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

307

Changes in version 121.0.6167.101.2:

  • rebuild to fix arm64 32-bit WebView support which was omitted in the last build and not noticed even days after making it to the stable channel due to the few remaining obsolete 32-bit apps still being used which use the WebView (these apps mostly aren't allowed to be installed anymore since Android 14 without using a special ADB command due to minimum API level 23)

A full list of changes from the previous release (version 121.0.6167.101.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

308

GrapheneOS has a list of security requirements for future devices based on the status quo of the current generation devices we support:

https://grapheneos.org/faq#future-devices

Other than security patches, hardware memory tagging support is easily the most important feature on this list.

GrapheneOS is the first platform using ARM hardware memory tagging in production. This provides a form of memory safety for memory unsafe languages. It has a high random chance of catching most memory corruption and always catches certain major classes of memory corruption bugs.

Hardware memory tagging is such an important feature that we highly prioritized integrating it and enabling it by default once it became available.

Snapdragon 8 Gen 3 still lacks memory tagging support so Snapdragon devices likely won't meet our requirements until 2025 or later.

Qualcomm usually does a good job with security but they've dropped the ball on this. Even MediaTek recently released an SoC platform with MTE support.

Other than memory tagging, the requirements on our list can be met by a theoretical security-focused Snapdragon-based device.

Samsung has committed to providing 7 years of security support with 7 generations of major OS updates, which matches current Pixels. We previously limited our update requirement to 4 years to enable using Snapdragon. We'll be raising it to 5 years for phones and 7 for tablets.

We'll be adding reset attack mitigation via memory zeroing for firmware-based boot modes to our list of requirements once it's shipped for Pixels in a few months. We recently filed upstream reports about vulnerabilities in firmware being exploited on stock OS Pixels due to this.

GrapheneOS implements memory zeroing in the kernel page and slab allocators which does zero most OS memory on reboot, but we don't consider that adequate. It's possible for the OS to lock up or crash in a way that it doesn't get an opportunity to zero. The firmware should do it.

A few of the existing features on our list of hardware requirements were implemented based on our proposals. We filed a bug about earlier Pixel generations using an overly truncated verified boot key hash, and we proposed pinning-based hardware attestation support (attest keys).

We have to do a lot of device-specific hardening work such as fixing or working around bugs uncovered by security features like hardened_malloc and MTE. We also do research into hardware/firmware issues despite not making it. Pixels have benefited from us regularly filing issues.

309

Our latest release provides another enhancement for our protection against firmware-based attacks on devices by forensics companies.

https://grapheneos.social/@GrapheneOS/111825976031359694

This replaces emergency reboots triggered by overheating with regular reboots. We're going to be doing more similar work.

GrapheneOS has zero-on-free for the main allocator used by native code (malloc) along with the kernel page allocator and slab allocator. In particular, zeroing data in the kernel page allocator heavily limits the lifetime of data and clean reboots clear most of the OS memory.

We believe that our zero-on-free features are why forensics companies are announcing support for obtaining data in After First Unlock state for the stock OS via firmware exploits while seemingly not being able to target GrapheneOS yet, but we're rolling out more improvements.

In an earlier release this month, we replaced our auto-reboot feature with a new implementation in the init process to prevent a potential bypass through crashing core system processes. We also made it stop chaining in Before First Unlock state to make low timers much more usable.

The default auto-reboot timer was reduced from our initial choice of 72 hours to 18 hours.

GrapheneOS has provided a feature for disabling USB peripherals for years. By default, we disable USB peripherals while locked. USB is very complex and has other uses than this though.

Fast charging and the low-level protocol for USB-C are extremely complex. These are largely implemented by Linux kernel drivers and the core kernel USB support along with another implementation in the non-OS firmware boot modes, not the isolated USB controller hardware/firmware.

Android 12 added a device administration setting to supposedly disable USB data and a low level USB Hardware Abstraction Layer (HAL) implementation to go along with it. This does not really work as you would expect and only disables high level USB functionality like peripherals.

It also disables USB gadget support, which is already disabled by default other than the device advertising itself as supporting MTP to be detected by computers by default without having MTP enabled until the user enables it. We investigated it near the Android 12 launch but found it lacking.

USB gadget support is how MTP/PTP, MIDI, tethering (Ethernet), Android 14 QPR1 webcam support and the developer options Android Debug Bridge function. By default, Android uses MTP mode with MTP disabled until the user unlocks and enables it. This adds no significant attack surface.

Attack surface for low-level USB-C and charging is massive. Vulnerabilities being leveraged by forensics companies are often USB bugs. Working reset attack mitigation is barely deployed by devices, meaning they can target firmware USB while the device is booted into a special mode.

We proposed improvements for Pixels in Android security bug reports we filed recently. They're already working on it and we expect it will be shipped in a few months, ending the ability to get data from After First Unlock mode via special firmware modes, but not the OS itself.

We've also discussed the possibility of offering a toggle for disabling fast charging while locked or as a whole for further attack surface reduction. This would certainly not be enabled by default and our focus is on the always enabled or at least default enabled protections.

Our existing default-enabled USB protection disables adding new peripherals while locked. Peripherals you add while unlocked work after locking. Android's standard USB gadget control is based around approval while unlocked, which is similar. We just need to make this lower level.

310

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024012600-redfin (Pixel 4a (5G), Pixel 5)
  • 2024012600 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024011600 release:

  • isolate eSIM activation app from non-system apps to avoid it sharing data with sandboxed Google Play
  • make eSIM activation toggle available without sandboxed Google Play installed (eSIM management no longer requires sandboxed Google Play)
  • make the eSIM activation app toggle persistent instead of it being disabled at boot
  • remove misleading message about device info being sent to Google message before eSIM download
  • hardened_malloc: use tag 0 for freed slots instead of reserving a tag to allow using 15 of 16 possible tag values for random tags (there are 3 dynamic exclusions of the random values for the previous tag along with the 2 current or previous adjacent tags)
  • Settings: prevent disabling Camera2/CameraX extension provider app (Pixel Camera Services for Pixels) since it breaks apps using CameraX
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro): use a normal reboot on overheating instead of an emergency reboot to harden against physical attacks
  • kernel: enable reset attack mitigation for UEFI systems supporting it (Tensor Pixels use minimalistic littlekernel-based boot firmware rather than UEFI and the previous Snapdragon Pixels using UEFI didn't implement this but we may need this for future devices)
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.208
  • kernel (Pixel 8, Pixel 8 Pro, Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.147
  • kernel (Generic 6.1): update to latest GKI LTS branch revision including update to 6.1.73
  • Launcher: disable gradient at the top of the home screen again (change lost with Android 14 QPR1 due to it being reimplemented upstream)
  • rewrite HTTPS network time implementation to make it much more maintainable and robust along with providing better debug output via ADB
  • Vanadium: update to version 120.0.6099.230.0
  • Vanadium: update to version 121.0.6167.71.0
  • Vanadium: update to version 121.0.6167.101.0
  • Vanadium: update to version 121.0.6167.101.1
  • GmsCompatConfig: update to version 93
  • Seedvault: update to latest revision (will be replaced with a better backup implementation in the future)

311

Changes in version 93:

  • update max supported version of Play services to 24.03
  • update max supported version of Play Store to 39.3

A full list of changes from the previous release (version 92) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

312

Changes in version 121.0.6167.101.1:

  • fix implementation of temporarily using default client hints for WebView until it has a frozen user agent

A full list of changes from the previous release (version 121.0.6167.101.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

313

Changes in version 121.0.6167.101.0:

  • update to Chromium 121.0.6167.101
  • replace high entropy client hints with placeholders from the frozen user agent (form factor as Mobile, device model as K, platform version as Android 10 and a reduced version number with zero for the minor parts) to improve compatibility with problematic bot detection checks while not providing any additional information
  • raise minimum API level to 33 (Android 13) from the default API level 29 (Android 10) to reduce the work required for our upcoming features

A full list of changes from the previous release (version 121.0.6167.71.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

314

Changes in version 92:

  • update max supported version of Play services to 24.02
  • update max supported version of Play Store to 39.2

A full list of changes from the previous release (version 90) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

315

Changes in version 121.0.6167.71.0:

  • update to Chromium 121.0.6167.71

A full list of changes from the previous release (version 120.0.6099.230.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

316

Changes in version 120.0.6099.230.0:

  • update to Chromium 120.0.6099.230

A full list of changes from the previous release (version 120.0.6099.210.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

317

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024011600-redfin (Pixel 4a (5G), Pixel 5)
  • 2024011600 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024011300 release:

  • work around upstream Android bug causing system_server crash due to failed security-related assertion by denying the action without crashing system_server, which avoids turning a buggy security check into a denial of service issue
  • add workaround for upstream Android crash reporting bug recording clean f2fs filesystem check results as errors which is resulting in many users receiving filesystem check error reports on GrapheneOS due to our user-facing notifications for serious errors/crashes
  • add workaround for upstream Android crash reporting bug causing old crashes to be reported again
  • add workaround for upstream Android crash reporting bug wrongly attributing certain app crashes to system_server
  • only show kernel crashes when the user opts into showing all system crashes as notifications since there are many false positives caused by hardware issues such as some users having devices which sometimes fail to resume from sleep while idle
  • only show report button in log viewer for system_server Java/native crashes, MTE crashes and filesystem check errors (which now have non-error results properly filtered out) due to receiving too many reports about upstream bugs and hardware issues
  • hide specific system apps and also sandboxed Google Play from Aurora Store so users don't try to update them through it and receive errors
  • Log Viewer: explicitly set status bar color to fix light mode icon colors
  • kernel (Pixel 4a (5G), Pixel 5, Pixel 5a): add missing kernel changes from the past 2 releases

318

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024011300-redfin (Pixel 4a (5G), Pixel 5)
  • 2024011300 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024010400 release:

  • replace auto-reboot implementation with a new more hardened implementation based on a timer in the init process which also avoids rebooting when the device hasn't been unlocked since boot
  • reduce default auto-reboot timer from 72 hours to 18 hours
  • add log viewer available at Settings > System > View logs to avoid needing developer options for making useful bug reports and inspecting the device for issues
  • reimplement our user-facing crash reporting infrastructure with our new log viewer app
  • Settings: add links to log viewer in app info and system settings
  • show report button in sandboxed Google Play crash report UI
  • adevtool: integrate support for Pixel Camera Services (currently provides Night mode for GrapheneOS Camera and other apps on Pixel 6 and later)
  • adevtool: improve and clean up infrastructure for device support
  • adevtool: drop devices not supported with Android 14
  • adevtool: remove unused default permissions configuration
  • Contact Scopes: add handling of malformed contact data subtype names to avoid crash
  • show notification after hardened_malloc detects memory corruption via a direct check (does not cover memory corruption detected via memory protected address space)
  • kernel: disable sysrq by default rather than waiting for init to disable it
  • kernel: disable unused sysrq serial support
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.206
  • kernel (Pixel 8, Pixel 8 Pro, Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.145
  • kernel (Generic 6.1): update to latest GKI LTS branch revision including update to 6.1.69
  • GmsCompatConfig: update to version 91
  • Vanadium: update to version 120.0.6099.210.0
  • System Updater: use sentence case for notification channel names

319

We've recently reported firmware vulnerabilities that are being exploited by forensic companies to obtain data from devices that are not at rest. If the device is at rest, it isn't relevant and data is safe. Our auto-reboot feature is there to get devices back at rest automatically.

We've currently reported these issues for Pixels and will be filing similar issues with Samsung. We don't have as much leaked information about how they're doing it for Galaxy phones, but we can propose the same generic mitigations eliminating the main classes of vulnerabilities.

Secure element throttling is crucial to secure typical lock methods like a random 6 digit PIN or even a typical passphrase. Non-Pixel/non-iPhone devices are mostly missing it so data isn't safe even at rest for typical lock methods (much less than 7-8 random diceware words).

Pixels have used a secure element for this since the Pixel 2, but the NXP and ARM secure core Titan M1 had a fair number of vulnerabilities. Pixel 6 substantially improved this, so there's more focus than ever at exploiting the OS / firmware while the device isn't at rest.

For nearly any current generation secure element, there will likely eventually be a firmware vulnerability discovered. If you want to completely rule out a brute force, use a strong random passphrase. You can take good advantage of each user profile having separate encryption keys.

GrapheneOS has been heavily focused on securing against remote attacks and also providing privacy/security from apps. Those features make physical exploits harder, but we plan to add more features focused on it alongside auto-reboot and blocking new USB peripherals while locked.

Many apps and operating systems implement insecure duress features which can be bypassed. They do a standard wipe via reboot to recovery, which can be easily interrupted. Our implementation avoids this and will be shipped soon. However, we also proposed it to Android for the API.

Android 12 device admin API for disabling USB data is disappointing, since it's similar to what we already did and doesn't disable data lines.

Our default auto-reboot timer will be reduced from 72 hours. We also plan to add more attack surface reductions and other mitigations.

Our latest release reduced the default auto-reboot timer from 72 hours since last unlock to 18 hours since last unlock:

https://grapheneos.org/releases#2024011300

We also improved the implementation by moving it from system_server to init to make it robust against system_server bugs like crashes.

Our new implementation also avoids rebooting when the device is already at rest (Before First Unlock). This makes setting a very low timer such as 10 minutes much more usable. Alarms work before first unlock via included Clock app but most apps don't implement support for this.

Our main proposal to them was that Pixels should zero memory in firmware for every reboot/shutdown and perhaps even for every boot.

GrapheneOS zeroes freed memory for malloc and the kernel slab/page allocators which helps, but firmware cooperation is needed for completeness.

320

Changes in version 120.0.6099.210.0:

  • update to Chromium 120.0.6099.210

A full list of changes from the previous release (version 120.0.6099.193.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

321

Changes in version 91:

  • update max supported version of Play services to 23.50
  • update max supported version of Play Store to 39.1
  • update Android Gradle plugin to 8.2.1

A full list of changes from the previous release (version 90) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

322

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024010400-redfin (Pixel 4a (5G), Pixel 5)
  • 2024010400 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)

Changes since the 2023123100 release:

  • full 2024-01-01 security patch level
  • full 2024-01-05 security patch level
  • rebased onto UQ1A.240105.004 Android Open Source Project release
  • Sandboxed Google Play compatibility layer: stop hiding Android Auto from the Play Store since it breaks Play Store dependent functionality
  • Sandboxed Google Play compatibility layer: mark Android Auto as owned by our app repository client to stop the Play Store from updating it
  • Sandboxed Google Play compatibility layer: add Network permission to baseline permissions needed for wireless Android Auto
  • Sandboxed Google Play compatibility layer: add list of requirements for Android Auto voice commands
  • Sandboxed Google Play compatibility layer: add back dedicated name for Sandboxed Google Play crash notification channel
  • Sandboxed Google Play compatibility layer: skip Android Auto crash reports when it lacks baseline permissions and show a dedicated notification about the problem instead
  • Keyboard: add workaround for multi-locale spell checking and remove our attempt at implementing it properly in the keyboard itself for now
  • AppCompatConfig: update to version 3
  • Vanadium: update to version 120.0.6099.193.0
  • adevtool: remove unused permission configuration

323

Changes in version 120.0.6099.193.0:

  • update to Chromium 120.0.6099.193

A full list of changes from the previous release (version 120.0.6099.144.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

324

We've added documentation for the hardware memory tagging implementation in hardened_malloc:

https://github.com/GrapheneOS/hardened_malloc?tab=readme-ov-file#memory-tagging

GrapheneOS on Pixel 8 / Pixel 8 Pro is the first platform using ARM MTE in production. Stock Pixel OS has it as a hidden development option requiring using ADB.

GrapheneOS uses hardened_malloc as the system allocator and enables memory tagging by default. MTE is enabled for all base OS apps and nearly all executables. It's only temporarily disabled for surfaceflinger (due to upstream bug in Android 14 QPR1) and a few vendor executables.

For user installed apps, we enable MTE by default for apps without bundled native libraries and apps marked as compatible. We give users the option to enable MTE for all user installed apps in Settings > Security and users can then toggle it off for specific incompatible apps.

We added a user-facing notification for crashes caused by MTE detecting memory corruption. It makes it easy for users to copy the traceback for reporting the bug to app developers. This also means users don't need to guess when the toggle to disable MTE for an app is relevant.

Our Vanadium browser is also the first browser using MTE in production. In Vanadium, we enable Chromium's PartitionAlloc MTE implementation. PartitionAlloc's implementation isn't nearly as good as hardened_malloc, but we intend to improve PartitionAlloc's security in the future.

Chromium marks itself as compatible with MTE but then disables it at runtime, so other Chromium-based browsers have MTE disabled even when the OS has it enabled. We found a bug in Chromium's MTE integration which we had to fix to avoid WebView crashes. It works smoothly for us.

We're also planning on enabling Clang's stack allocation MTE support but it currently breaks Chromium's C++ garbage collection integration along with apps doing in-process unwinding via libunwind. We want MTE for the Linux kernel too, but it integrates it as a debugging feature.

hardened_malloc's MTE implementation is already best in class, but there are some improvements to consider. It currently statically reserves a value for free slots, which reduces the random choices from 15 to 14. It may make sense to use the default 0 tag for free data instead.

MTE obsoletes hardened_malloc's canary and write-after-free check features, so we disable them when it's enabled. However, we haven't figured out an approach to save the memory reserved for canaries yet due to Android supporting dynamically toggling MTE at runtime which is messy.

hardened_malloc uses MTE for all slab allocations, which are all the allocation size classes from 16 bytes through 128k bytes with statically reserved regions for each one. It doesn't need MTE for any metadata since all metadata is in a statically reserved region solely for that.

For allocations beyond the max slab allocation size (128k), there are randomly sized guards placed before/after each allocation along with an address space quarantine on free. MTE would still be valuable for large/arbitrary overflows and use-after-free beyond the quarantine.

We need to investigate the cost of tagging the large allocations above 128k by default.

For non-MTE-capable hardware, we could consider reserving a huge region for allocations above 128k with our own best-fit implementation in userspace to separate them from non-malloc mappings.
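As an added example that is not hardened_malloc's own code, the following C program models the slab tag selection described in this post and in the 2024012600 release notes above: freed slots are retagged to 0, and a live slot gets one of the other 15 tags chosen to differ from its previous tag and from both adjacent slots. The slot array, the xorshift PRNG and the `sim_*` helpers are constructed for the simulation and stand in for real MTE instructions.

```c
/* Toy model of the hardened_malloc MTE slab tagging described above (added
 * example, not hardened_malloc's code): freed slots carry tag 0, a live slot gets
 * a random tag from the other 15 values excluding its previous tag and both
 * neighbours' tags. Tags live in a plain array and the MTE check is simulated. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NSLOTS 64
#define FREED_TAG 0

static uint8_t tags[NSLOTS];      /* tag currently on each slot (0 = freed) */
static uint8_t prev_tags[NSLOTS]; /* last live tag of each slot before it was freed */
static uint32_t rng_state = 0x9e3779b9u;

/* Deterministic xorshift PRNG (reproducible stand-in for the allocator's RNG). */
static uint32_t rng_next(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Choose a tag in 1..15 that differs from the slot's previous tag and from both
 * neighbours' current tags: at most 3 of the 15 values are excluded. */
static uint8_t pick_tag(size_t slot) {
    uint8_t left  = slot > 0 ? tags[slot - 1] : FREED_TAG;
    uint8_t right = slot + 1 < NSLOTS ? tags[slot + 1] : FREED_TAG;
    for (;;) {
        uint8_t t = (uint8_t)(1 + rng_next() % 15);   /* never FREED_TAG */
        if (t != prev_tags[slot] && t != left && t != right) return t;
    }
}

/* A "tagged pointer": the slot it points at and the tag it carries. */
typedef struct { size_t slot; uint8_t tag; } tagged_ptr;
static tagged_ptr sim_alloc(size_t slot) {
    tags[slot] = pick_tag(slot);
    return (tagged_ptr){ slot, tags[slot] };
}

static void sim_free(tagged_ptr p) {
    prev_tags[p.slot] = tags[p.slot];
    tags[p.slot] = FREED_TAG;   /* freed memory is retagged to 0 */
}

/* MTE-style check: the pointer tag must match the memory tag of the slot
 * `offset` slots away, otherwise the load/store faults. */
static bool sim_access_ok(tagged_ptr p, ptrdiff_t offset) {
    ptrdiff_t s = (ptrdiff_t)p.slot + offset;
    if (s < 0 || s >= NSLOTS) return false;
    return tags[s] == p.tag;
}

/* A linear overflow from a live slot into its live neighbour is always caught. */
static bool overflow_into_neighbour_caught(void) {
    tagged_ptr a = sim_alloc(10), b = sim_alloc(11);
    bool caught = sim_access_ok(a, 0) && sim_access_ok(b, 0)
               && !sim_access_ok(a, 1) && !sim_access_ok(b, -1);
    sim_free(a); sim_free(b);
    return caught;
}

/* Use-after-free is always caught: freed memory is tag 0, live pointers never are. */
static bool use_after_free_caught(void) {
    tagged_ptr a = sim_alloc(20);
    sim_free(a);
    return !sim_access_ok(a, 0);
}

/* Once the slot is reused, the stale pointer still faults because the previous
 * tag is excluded when the new tag is chosen. */
static bool stale_pointer_after_reuse_caught(void) {
    tagged_ptr old = sim_alloc(30);
    sim_free(old);
    tagged_ptr fresh = sim_alloc(30);
    bool caught = sim_access_ok(fresh, 0) && !sim_access_ok(old, 0);
    sim_free(fresh);
    return caught;
}

/* Randomly allocate and free slots and confirm that no two adjacent live slots
 * ever share a tag (live slots can never be tag 0 by construction). */
static bool invariants_hold_after_churn(int rounds) {
    for (int r = 0; r < rounds; r++) {
        size_t s = rng_next() % NSLOTS;
        if (tags[s] == FREED_TAG) sim_alloc(s);
        else sim_free((tagged_ptr){ s, tags[s] });
        for (size_t i = 0; i + 1 < NSLOTS; i++)
            if (tags[i] != FREED_TAG && tags[i] == tags[i + 1]) return false;
    }
    return true;
}

int main(void) {
    printf("%d %d %d %d\n", overflow_into_neighbour_caught(), use_after_free_caught(),
           stale_pointer_after_reuse_caught(), invariants_hold_after_churn(5000));
}
```

The three scenario functions cover the bug classes the exclusions make deterministic (adjacent overflow, use-after-free into tag-0 memory, stale pointer after slot reuse); corruption that lands on a non-adjacent live slot is only caught probabilistically, which is the random part of the coverage the post describes.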

325

Changes in version 3:

  • revert to default behavior of allowing dynamic code execution from storage for Android Auto

A full list of changes from the previous release (version 2) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.