KindnessInfinity

joined 2 years ago
MODERATOR OF
grapheneos
androidapps
sorted by: new top controversial old
0
GrapheneOS Memory Tagging Has Found Bluetooth LE Memory Corruption Bugs (Updated With More Information) (grapheneos.social)
submitted 1 year ago* (last edited 1 year ago) by KindnessInfinity@lemmy.ml to c/grapheneos@lemmy.ml
0 comments fedilink
 

Our hardware memory tagging support for Pixel 8 and Pixel 8 Pro has uncovered a memory corruption bug introduced in Android 14 QPR2 for Bluetooth LE. We're currently investigating it to determine how to fix or temporarily disable the newly introduced feature as a workaround.

Disabling memory tagging for this process isn't an acceptable workaround even in the short term because it's a major attack surface whether or not this particular bug turns out to be exploitable. This only occurs with certain Bluetooth LE devices, not all Bluetooth devices.

We've developed a patch for the upstream Android 14 QPR2 use-after-free bug we discovered with Bluetooth LE. Our priority is getting out a GrapheneOS release with our fix soon and we'll report it as an Android security bug. This should resolve the BLE audio regressions too.

A user able to reproduce the issue with Samsung Galaxy Buds2 Pro in Bluetooth LE mode has confirmed our fix works. This issue also impacts stock Pixel OS. GrapheneOS detects it via hardened_malloc memory tagging support and we added MTE crash notifications with a report to send.

This use-after-free has been reported as a security bug (b/328916844 for Googlers).

Our initial minimally invasive patch:

https://github.com/GrapheneOS/platform_packages_modules_Bluetooth/commit/e295e5888f97ba11a4d07aff3b6bc48b2512831c

This code needs a major refactor and shouldn't be using raw pointers, but we want to avoid introducing new bugs with a quick patch.

Android has ported a lot of the Bluetooth code to Rust. This is a demonstration of why they need to put more resources into porting the rest of the code into Rust.

They should also be testing HWASan and MTE builds with more real world usage including using assorted BT devices.

Pixels shipped a massive hardware security feature (MTE) they aren't enabling for the OS to save 3.125% memory/cache usage. It's silly. Heap MTE has near 0% perf overhead in async mode and is cheaper than increasingly ineffective legacy mitigations like SSP in asymmetric mode.

GrapheneOS enables MTE for the base OS and known compatible user installed apps by default. There's a user-facing opt-in via Settings > Security to turn it on for all user-installed apps. We provide a clear notification with a crash report to copy and a per-app toggle for it too.

We provide a nicer MTE implementation as part of hardened_malloc which uses the standard random tags with a dedicated free tag but adds dynamic exclusion of previous tag and current (or previous) adjacent tags. We also fixed Chromium's integration and will improve PartitionAlloc.

GrapheneOS is the first platform using MTE in production, and does a lot more too:

https://grapheneos.org/features#exploit-protection

Our Vanadium browser is the first browser using it in prod:

https://grapheneos.org/features#vanadium

We plan to add stack MTE, improve PartitionAlloc and make new kernel slab MTE.

This issue was fixed in the March 9th release of GrapheneOS:

https://grapheneos.org/releases#2024030900

We also reported it as an Android vulnerability in the same day and it has been initially triaged as a High severity and High quality report.

We're working on additional reports from users.

0
GrapheneOS Planned Features For The Near Future (grapheneos.social)
 

In the near future, we plan to ship support for a per-app toggle for memory tagging, a per-app toggle for ptrace replacing the global one, duress PIN/password and a toggle for enabling Android Auto by granting a list of special privileges which can be reduced via shims over time.

We're also working on various other small features and initial work on some longer term projects including App Communication Scopes. In order to work on more at the same time, we need more developers, and we're currently moving forward with hiring additional full time developers.

This is a preview of App Communication Scopes from an incomplete proof of concept we made for a previous version. The goal is to provide the ability to disable communication with user installed apps within a profile with the ability to enable it on a case-by-case basis instead.

Screenshot of setting screen with a heading that reads "Restrict App Communication". Below the heading is a black and white icon of a cube with black outline. Below the cube icon is a title for the selected app, titled "Apps". Below "Apps" title, is a number 9. Underneath current app information, is a light blue bar with black text that is positioned to left side that reads "Restrict App Communication" and positioned to the right side is a switch toggled on. Below the bar is a list of several apps installed on the device, with app icons, titles on left side and switches on right side that are all toggled in the off position.

GrapheneOS already provides Contact Scopes and Storage Scopes as alternatives to granting apps contacts and media/storage permissions where apps will work without access to any of the user's data and the user grants it case-by-case. We plan to provide more features like these.

0
GrapheneOS version 2023101300 released (grapheneos.org)
 

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of most security patches for firmware and drivers. We're considering porting them to Android 14 to continue providing extended support longer than initially planned to keep them as a way to preview the current version of the OS despite them not being secure. It will be a significant effort to port them properly without lost functionality and we're looking for a new developer to fund rather than reassigning any developers from their existing work on the OS.

Tags:

  • 2023101300 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)

Changes since the 2023101100 release:

  • exempt non-app system packages from new package visibility restrictions to fix many APIs in secondary users
  • Sandboxed Google Play compatibility layer: expand background activity launch shim to all the core Google Play apps to fix sandboxed Play Store compatibility issues with Android 14
  • Sandboxed Google Play compatibility layer: fix "Don't show again" notification action which broke after Android 14 port
  • Pixel 5: add back support for battery share (reverse wireless charging) via the new infrastructure in Android 14 which we already adopted for 6th/7th/8th generation Pixels
  • GmsCompatConfig: update to version 78
0
GrapheneOS version 2023100800 released (grapheneos.org)
 

This is the initial non-experimental release of GrapheneOS based on Android 14. Our initial public experimental release (2023100600) was published on October 6th so there have already been a couple days of public testing. All of our documented features are now ported to Android 14. We'll be continuing to work on fixing regressions including new Android bugs and new compatibility issues caused by our features. However, it's already stable and usable.

This release provides the full 2023-10-06 patch level for all supported devices along with the recommended security patches only included in Android 14.

Android 13 is no longer actively developed upstream and now only receives backports of the Android Security Bulletin patches, not the recommended patches included in the latest stable release of Android. Pixels are also now only supported via Android 14 and require Android 14 to achieve a patch level above 2023-10-01. Android 14 has had publicly available experimental releases since February 2023 and is already a mature OS. It also contains significant privacy and security enhancements which more than offset the attack surface from added features. These reasons are why we have so heavily prioritized porting to Android 14 and began to defer more and more of our other work until after Android 14 since around July 2023.

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of most security patches for firmware and drivers. We're considering porting them to Android 14 to continue providing extended support longer than initially planned to keep them as a way to preview the current version of the OS despite them not being secure. It will be a significant effort to port them properly without lost functionality and we're looking for a new developer to fund rather than reassigning any developers from their existing work on the OS.

Tags:

  • 2023100800 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)

Changes since the 2023100300 release:

  • full 2023-10-06 security patch level
  • rebased onto UP1A.231005.007 Android Open Source Project release as the initial port of all GrapheneOS features to Android 14
  • add default-enabled toggle for automatic per-app exploit protection compatibility mode configuration
  • temporarily add Google Camera to automatic exception list for hardened_malloc
  • add back support for displaying app compilation progress at boot
  • restore Android 13 work profile pause behavior by stopping the profile from running instead of only suspending apps
  • fix cosmetic issue for adevtool envsetup.sh integration
  • adevtool: download: add option to unpack factory images
  • adevtool: collect-state: fix the output file name format
  • adevtool: collect-state: add an option to automatically make prep OS build
  • Vanadium: update to version 117.0.5938.153.0
  • Vanadium: update to version 118.0.5993.48.0
  • GmsCompatConfig: update to version 77
  • Auditor: update to version 75
view more: ‹ prev next ›