@GrassFedBitcoin @CalyxOS GrapheneOS is heavily focused on security enhancements making exploitation significantly harder:

grapheneos.org/features

Those other operating systems don't improve resistance against exploitation and won't provide more resistance against an exploit working against AOSP/stock.

@GrassFedBitcoin @CalyxOS The vast majority of remote code execution exploits are based on memory corruption bugs. Defending against those is a major focus of GrapheneOS. A lot of the bugs won't be exploitable beyond denial of service. In most cases, the exploits will need substantial changes at minimum.

@GrassFedBitcoin @CalyxOS If they specifically target GrapheneOS and put work into adjusting their exploit chains and finding new bugs as necessary, then they could certainly develop an exploit working against GrapheneOS. Costs will be higher and they'll usually need to specifically take it into account.

@GrassFedBitcoin @CalyxOS Firmware exposed to remote attack surface like the radios (Wi-Fi, Bluetooth, cellular, NFC) and GPU is generally a lot harder to exploit than the OS, and those components are isolated. It's much rarer and generally involves using an OS exploit to bypass the component isolation.

@GrassFedBitcoin @CalyxOS Nearly all of these exploits are memory corruption bugs. GrapheneOS does actually provide hardening for firmware through attack surface reduction, including the LTE-only mode and other features. It can't directly harden firmware, but it can avoid exposing as much attack surface.

@GrassFedBitcoin @CalyxOS So, for example, with the GrapheneOS 4G-only mode enabled, vulnerabilities in 2G, 3G and 5G are not usable to exploit the cellular radio, only those exposed by 4G.

The radio firmware also does have substantial hardening and internal sandboxing, but GrapheneOS can't improve it.

@GrassFedBitcoin @CalyxOS GrapheneOS also fortifies the OS against exploitation by an attacker that has gained code execution on a component like the GPU or radio.

The main hardening we provide is for the most common path of exploiting an RCE bug in userspace and then exploiting the kernel to escape the sandbox.

