KindnessInfinity

joined 2 years ago

Changes in version 82:

  • avoid crash in KidsSettingsModule initializer which tries to use a privileged operation (previous fix was incomplete)

A full list of changes from the previous release (version 81) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

GrapheneOS now has hardware memory tagging support in our Stable channel. Memory tagging greatly improves protection against targeted attacks. Thanks to hardware support on the Pixel 8 and Pixel 8 Pro, it's extremely low overhead despite the massive benefits it's able to provide.

GrapheneOS users on the Pixel 8 and Pixel 8 Pro can enable memory tagging via Settings ➔ Security ➔ More security settings ➔ Advanced memory protection beta on supported devices. We'll be enabling it by default soon since we have a solid approach to preserve app compatibility.

We integrated it into hardened_malloc where it's able to provide stronger security properties than the experimental stock OS implementation.

Our current toggle enables it for everything other than Vanadium, vendor executables and user installed apps bundling native libraries.

We'll be enabling memory tagging support for Vanadium by default via the standard Chromium implementation.

For the near future, we'll be leaving memory tagging disabled by default for user installed apps bundling native libraries to avoid introducing new compatibility issues.

It will be possible to enable memory tagging for all user installed apps with the ability to opt-out for specific apps where it causes issues. We want to eventually have it globally enabled by default, but we expect it to uncover a lot of issues hardened_malloc hasn't before.

It's also possible to use MTE for protecting from stack buffer overflows and use-after-scope by aligning and tagging variables with an escaping pointer. LLVM has an implementation of this and we've confirmed it works but it may not be optimized enough to enable it quite yet.

When fully integrated into the compiler and each heap allocator, MTE enforces a form of memory safety. It detects memory corruption as it happens. 4 bit tags limit it to probabilistic detection for the general case, but deterministic guarantees are possible via reserving tags.

In hardened_malloc, we deterministically prevent sequential overflows by excluding adjacent tags. We exclude a tag reserved as the free tag and the tag used for the previous allocation in the slot to help with use-after-free detection alongside FIFO and random quarantines.

MTE support for protecting the Linux kernel isn't enabled yet, but we can likely enable that by default too. However, it's currently part of kasan and is more oriented towards debugging than hardening. It's not entirely clear that enabling it in the current state is a good idea.

 

Changes in version 81:

  • avoid crash in KidsSettingsModule initializer which tries to use a privileged operation
  • update max supported version of Play services to 23.43
  • update max supported version of Play Store to 38.2

A full list of changes from the previous release (version 80) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of most security patches for firmware and drivers. We're considering porting them to Android 14 to continue providing extended support longer than initially planned to keep them as a way to preview the current version of the OS despite them not being secure. It will be a significant effort to port them properly without losing functionality and we're looking for a new developer to fund rather than reassigning any developers from their existing work on the OS.

Tags:

  • 2023103100 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
  • 2023103100-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023103000 release:

  • Keyboard: include words from all active locales in spell checking to support multiple locales again after the port to Android 14
  • Gallery: revert one of the 3 improvements to preview resolution due to it causing out-of-memory errors
  • Vanadium: update to version 119.0.6045.66.0
 

Changes in version 119.0.6045.66.0:

  • update to Chromium 119.0.6045.66

A full list of changes from the previous release (version 119.0.6045.53.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of most security patches for firmware and drivers. We're considering porting them to Android 14 to continue providing extended support longer than initially planned to keep them as a way to preview the current version of the OS despite them not being secure. It will be a significant effort to port them properly without losing functionality and we're looking for a new developer to fund rather than reassigning any developers from their existing work on the OS.

Tags:

  • 2023103000 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
  • 2023103000-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023102300 release:

  • add infrastructure for hardware memory tagging support
  • hardened_malloc: add support for hardware memory tagging launched with the ARMv9 cores on the Pixel 8 and Pixel 8 Pro
  • Settings: enable memory tagging toggle at Settings -> Security -> More security settings -> Advanced memory protection beta
  • Pixel 8, Pixel 8 Pro: enable memory tagging support for everything built by GrapheneOS (other than Vanadium, since Chromium currently disables it) and also user installed apps without native libraries (will be expanded to Vanadium later along with the option to use it for all user installed apps)
  • Pixel 8, Pixel 8 Pro: use asymmetric memory tagging mode on all cores to provide much higher security than asynchronous mode without much more overhead unlike the very expensive synchronous mode without any clear security benefits over asymmetric
  • enable parallel compilation of non-precompiled bytecode to native code for first-boot and first-boot-after-update with 2 processes for now (can be increased later)
  • improve user interface for reporting background package compilation progress
  • show crash dialog for first crash of an app since boot instead of waiting until the second crash like upstream Android
  • Gallery: fix low resolution image preview in editor
  • restore Android 13 behavior for installing APKs from the file manager by requesting permission for the app which created the APK (current Google Files behavior is a bit different and requests permission for Google Files, but the AOSP Files approach seems more useful)
  • SELinux policy: use per-app-instance MLS level for the update client domain as used for regular apps to provide better isolation from other system components
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.198
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.137
  • Vanadium: update to version 118.0.5993.111.0
  • Vanadium: update to version 119.0.6045.53.1
  • GmsCompatConfig: update to version 80
 

Our first experimental release based on Android 14 was published on October 6th. We think we already had this issue resolved for that release:

https://arstechnica.com/gadgets/2023/10/android-14s-ransomware-data-storage-bug-locks-out-users-remains-unfixed/

We've made additional fixes for upstream user profile issues still impacting the stock Pixel OS since then too.

We've run into multiple Linux kernel f2fs data corruption issues before Android 14 while testing new Linux kernel LTS revisions. We avoided any of the serious issues slipping past our internal testing. The only one to make it into the Alpha channel only caused update rollback.

 

Changes in version 119.0.6045.53.1:

  • disable Privacy Guides feature since we already have third party cookies disabled by default and the other problematic features it covers aren't supported by Vanadium and aren't meant to be offered as options

A full list of changes from the previous release (version 119.0.6045.53.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Changes in version 119.0.6045.53.0:

  • update to Chromium 119.0.6045.53
  • drop our change making disabling third party cookies (which is our default) apply to partitioned cookies since it has few benefits, is difficult to maintain and will lose the compatibility benefits of replacing this with full cookie partitioning

A full list of changes from the previous release (version 118.0.5993.111.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Changes in version 80:

  • update max supported version of Play services to 23.42
  • update max supported version of Play Store to 38.1

A full list of changes from the previous release (version 79) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

We've been making more progress on hardware memory tagging support for Pixel 8 and Pixel 8 Pro. Our initial hardened_malloc integration has no noticeable overhead in fastest asynchronous mode and the asymmetric mode is lower overhead than legacy mitigations like stack canaries.

Asynchronous is very fast but can be bypassed via races. Synchronous is very high overhead and aimed at debugging. It's still much faster than HWAsan (based on Top Byte Ignore) and especially ASan. Asymmetric is nearly as fast as asynchronous and as secure as synchronous.

There isn't any clear way to bypass asynchronous write checks for the asymmetric mode since they're checked immediately on reads and system calls. io_uring might be able to bypass it, but it's not relevant since it's only allowed for 2 core SELinux domains (fastbootd, snapuserd).

Memory tagging is going to be a huge game changer and GrapheneOS will be on the leading edge deploying it. Stock Pixel OS has it as a developer option which isn't usable in practice since it breaks far too much. The implementation is also much less powerful than hardened_malloc.

Use-after-free is detected until another allocation is made in the same slot with the same random tag chosen for it. hardened_malloc already defends this by quarantining freed allocations by default. They go through a First-In-First-Out ring buffer and a swap with a random array.

Arbitrary read/write via buffer overflows are caught by the random tags. They're unfortunately currently only 4 bit, but a future architecture revision could raise them to 8 bit. CFI, PAC, etc. only try to defend specific targets and don't work well against arbitrary read/write.

Nearly all remote code execution vulnerabilities in the OS are memory corruption bugs: either use-after-free or buffer overflows. The majority involves the malloc heap and the rest mostly involves the stack which could also use MTE-based defenses to replace SSP + ShadowCallStack.

Most apps are a similar story as the base OS. Chromium has pervasive type confusion bugs which MTE doesn't explicitly protect against, but CFI and PartitionAlloc already do. Vanadium already has CFI enabled unlike Android Chrome, but there are more CFI features we need to enable.

After the initial hardened_malloc memory tagging implementation is shipped and enabled by default for the OS and many user installed apps, we can consider using more selection of tags (see https://github.com/GrapheneOS/hardened_malloc/blob/main/README.md#memory-tagging). We can also consider using MTE beyond inside hardened_malloc.
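The tag-selection rules described in this post and in the memory tagging post further up (adjacent slots never share a tag, one tag reserved for free memory, the slot's previous tag excluded on reuse, random choice among the rest) can be modelled directly. The block below is an added example written for this page, not hardened_malloc's own code: it assumes 4-bit tags with tag 0 reserved for free memory, a 16-slot region standing in for one size class, and an xorshift generator in place of the allocator's random source. It separates what the rules guarantee deterministically (sequential overflow into a neighbour, the first use-after-free of a slot) from what stays probabilistic with 16 tag values (a stray write into a non-adjacent slot).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the tag-selection rules the posts describe, not
 * hardened_malloc's own code. Assumed: 4-bit tags, tag 0 reserved for free
 * memory, a 16-slot region, xorshift standing in for the allocator's RNG. */
#define TAG_COUNT 16u
#define FREE_TAG  0u
#define NUM_SLOTS 16

typedef struct {
    uint8_t  current[NUM_SLOTS];  /* tag on each slot now; FREE_TAG while free */
    uint8_t  previous[NUM_SLOTS]; /* tag the slot carried before its last free */
    uint64_t rng;
} tag_region;

static void region_init(tag_region *r, uint64_t seed) {
    for (size_t i = 0; i < NUM_SLOTS; i++)
        r->current[i] = r->previous[i] = FREE_TAG;
    r->rng = seed ? seed : 0x9e3779b97f4a7c15ULL;
}

static uint32_t region_random(tag_region *r) {
    uint64_t x = r->rng;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return (uint32_t)((r->rng = x) >> 32);
}

/* Exclude the free tag, the slot's previous tag and both neighbours' current
 * tags, then pick uniformly from what remains (at least 12 of 16 values). */
static uint8_t choose_tag(tag_region *r, size_t slot) {
    uint32_t excluded = (1u << FREE_TAG) | (1u << r->previous[slot]);
    if (slot > 0)
        excluded |= 1u << r->current[slot - 1];
    if (slot + 1 < NUM_SLOTS)
        excluded |= 1u << r->current[slot + 1];
    uint8_t allowed[TAG_COUNT];
    size_t n = 0;
    for (unsigned t = 0; t < TAG_COUNT; t++)
        if (!(excluded & (1u << t)))
            allowed[n++] = (uint8_t)t;
    return allowed[region_random(r) % n];
}

static uint8_t region_alloc(tag_region *r, size_t slot) {
    return r->current[slot] = choose_tag(r, slot);
}

static void region_free(tag_region *r, size_t slot) {
    r->previous[slot] = r->current[slot];
    r->current[slot] = FREE_TAG;  /* freed memory is retagged with the reserved tag */
}

/* The hardware check being modelled: pointer tag must equal the memory's tag. */
static bool access_allowed(const tag_region *r, size_t slot, uint8_t ptr_tag) {
    return r->current[slot] == ptr_tag;
}

/* Deterministic: after any mix of allocs and frees no live slot shares a tag
 * with its neighbour, so a sequential overflow into it is always caught. */
static bool adjacent_overflow_always_detected(uint64_t seed, unsigned steps) {
    tag_region r;
    region_init(&r, seed);
    for (unsigned s = 0; s < steps; s++) {
        size_t slot = region_random(&r) % NUM_SLOTS;
        if (r.current[slot] == FREE_TAG)
            region_alloc(&r, slot);
        else
            region_free(&r, slot);
        for (size_t i = 0; i + 1 < NUM_SLOTS; i++)
            if (r.current[i] != FREE_TAG && access_allowed(&r, i + 1, r.current[i]))
                return false;
    }
    return true;
}

/* Deterministic for the first reuse: stale pointer keeps the old tag, the slot
 * is retagged on free, and on reuse it never receives its previous tag again. */
static bool stale_pointer_detected(uint64_t seed) {
    tag_region r;
    region_init(&r, seed);
    uint8_t stale = region_alloc(&r, 5);
    region_free(&r, 5);
    bool caught_while_free = !access_allowed(&r, 5, stale);
    region_alloc(&r, 5);
    return caught_while_free && !access_allowed(&r, 5, stale);
}

/* Probabilistic: a stray write from slot 0 into a non-adjacent live slot is
 * caught only when the two random tags differ. Returns the observed rate. */
static double non_adjacent_detection_rate(uint64_t seed, unsigned trials) {
    tag_region r;
    region_init(&r, seed);
    unsigned detected = 0;
    for (unsigned t = 0; t < trials; t++) {
        for (size_t i = 0; i < NUM_SLOTS; i++) { region_free(&r, i); region_alloc(&r, i); }
        size_t to = 2 + region_random(&r) % (NUM_SLOTS - 2);  /* never slot 0 or 1 */
        if (!access_allowed(&r, to, r.current[0]))
            detected++;
    }
    return (double)detected / trials;
}
```

The two deterministic checks hold for every seed and step count because the invariants follow from the exclusion rules alone, while the non-adjacent rate lands around 0.9 for any seed: with 12 to 13 candidate tags left after exclusion, roughly one in thirteen stray writes lands on a matching tag, which is the "probabilistic detection for the general case" the earlier post refers to.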

 

Changes in version 118.0.5993.111.0:

  • update to Chromium 118.0.5993.111

A full list of changes from the previous release (version 118.0.5993.80.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.
