final [GrapheneOS] 📱👁️‍🗨️
npub1c9d9...sqfm
Keeping the fight. Community Moderator for #GrapheneOS (https://discuss.grapheneos.org/u/final). This is a personal account. I do not speak on behalf of the GrapheneOS developers as a whole (nor am I one), and my suggestions are not endorsements.
#GrapheneOS has discovered a use-after-free memory corruption bug in Android 14 QPR2 for Bluetooth LE. This issue impacts the stock operating system as well. We have reported this to Google as a security bug today.

We have already made an initial, minimally invasive patch to fix this. We have noted elsewhere that this code needs a major refactor and shouldn't be using raw pointers, but we want to avoid introducing new bugs with a quick patch.

The hardware memory tagging support for Pixel 8 and later has helped massively. On earlier devices it likely would manifest as BLE audio devices not working, without any error message, since it wouldn't crash. Our MTE implementation detects it, which is what led to us being able to fix it so quickly.

The hardening GrapheneOS implements doesn't just help users by making them safe from exploits; it helps developers create more secure software by catching and uncovering memory corruption bugs thanks to our features.

See: Pixels shipped a humongous hardware security feature by having memory tagging support, but they do not use it for the OS, to save around 3.25% of memory usage. GrapheneOS enabled it by default for the OS and for known user-installed apps compatible with it. As we have mentioned before, GrapheneOS is the first platform using MTE in production, and Vanadium is the first web browser to do so.

Progress towards Android 14 QPR2 is coming along nicely, and hopefully all of the (minimal) regressions will be fixed soon.
#GrapheneOS: #Google has awarded bounties of $5000, $3000 and $250 for our 3 vulnerability reports related to physical data extraction attack vectors. Both the $5000 and $3000 issues are being exploited in the wild. The $250 bounty is for a minor issue we found while doing general USB hardening work.

The most serious issue is the one with the $3000 bounty. We provided proof of in-the-wild exploitation and a proposal for preventing exploitation of the class of vulnerabilities, which is being implemented. For the one they're awarding $5000, we weren't sure they'd even consider it a bug.

The most serious issue is likely only getting $3000 because we do not know the specific bug being exploited. It was classified as a low-quality report, not because we did a bad job but because we don't have that info. We did provide a way to prevent getting data by exploiting it.

Our proposal for preventing getting data by exploiting the main issue should ship as a Pixel firmware update next month, and the feature will become one of our baseline hardware requirements. It's already harder to use it against GrapheneOS and we've made major recent improvements.

Our recent improvements:

1) New USB-C port control setting integrated into the USB-C controller driver to disable USB at a hardware level. It will become "Charging-only when locked, except before first unlock" by default soon. Shipped in 2024022600.

2) We reimplemented our auto-reboot feature with a more hardened implementation which can't be bypassed by crashing system processes. This starts a timer when the device is locked which reboots the device unless it's successfully unlocked first. Shipped in 2024011300.

3) We reduced the default auto-reboot timer from 72 hours to 18 hours. This also shipped in 2024011300. 18 hours is enough that users don't encounter it in practice as long as they unlock their phone a couple of times per day. Users who need maximum security can use 10 minutes.

4) We run a full compacting garbage collection in SystemUI and system_server when the device is locked. Android already does this after unlock to clear credentials. This goes well with our kernel zero-on-free since it zeroes the data. Shipped in 2024020500.

Our main proposal should ship for the Pixel firmware in April, resulting in the firmware's fastboot mode fully clearing all of the device's regular memory before enabling USB. We could implement the same thing for the OS to make sure there's no data left from an unclean reboot.

Forensic companies keep misrepresenting, in their marketing, the addition of support for extracting data from GrapheneOS via ADB based on a user providing their lock method as being something more. This is the start of our response. We'll be pushing for much bigger changes for Android and Pixels. We fully intend to make the same proposals to other Android OEMs like Samsung. We're starting with Pixels because they're the devices we use due to their high level of security. We're also going to begin advocating for big changes like encrypted memory and funding PoC attacks.

We've been working on a duress PIN/password feature for a while that's nearly ready to ship. It's taking so long because we had to prevent bypasses impacting existing panic / duress wipe apps and OS features. We also decided to do the USB-C control and auto-reboot features first.

Since 2016, we've planned to support adding a PIN as a 2nd factor for fingerprint unlock. A new contributor has started working on this feature. We'll get it done after the duress PIN/password feature. This will allow using a passphrase for primary unlock with fingerprint+PIN for secondary unlock.
While the new #GrapheneOS version based on Android 14 QPR2 is now available per the website and RSS feeds, this is an alpha build and will likely have bugs that need to be found and fixed. It's been agreed that it wouldn't be appropriate to make a release announcement for it yet. Alpha/beta testers are welcome to use the community social platforms on the site to discuss their reports on the alpha. A proper announcement will be made when the Android 14 QPR2-based release is available in stable for everyone.
Little #GrapheneOS tip: Installing 'Markup' from the Apps app allows you to use the more robust screenshot editor from the stock Pixel OS. While you miss certain things like filters, the freehand drawing and cropping are far better. The Markup app has no permissions, nor can it access the Internet.
Hi again, #GrapheneOS version 2024030300 released. This is a quality-of-life improvement update, mainly with improvements to the updater and to the Settings app to help with the migration over to Android 14 QPR2.

Changes since the 2024022800 release:
- System Updater: ignore configured constraints for user-initiated update checks
- System Updater: avoid automatic retry for user-initiated update checks
- Settings: migrate to new Compose-based Settings infrastructure in preparation for Android 14 QPR2
- improve GrapheneOS infrastructure for per-app notifications
- Setup Wizard: improve wording for secondary user setup
- adevtool: fix overlay parsing issues
- adevtool: include missing "Learn more" fingerprint setup text
- GmsCompatConfig: update to version 97

#privacy #security
For the curious user, here is the work done for the new USB port controls on #GrapheneOS: https://github.com/GrapheneOS/platform_frameworks_base/pull/485

This is a replacement for the former grsecurity-based deny_new_usb integration, with screen lock integration included. That older feature only covered USB peripherals; it didn't cover USB alternate modes, gadgets or the low-level USB attack surface from the USB-C implementation itself. Blocking of USB peripherals was done at a high level, so there was still some attack surface previously. We cover all of this now, including turning off the data lines in hardware. You also have the option to deactivate the USB port entirely when in OS mode.
#GrapheneOS version 2024022800 released: This release fixes a bug with sideloading caused by the new USB port controls.

Changes since the 2024022600 release:
- Tensor Pixels: fix issue with the USB changes breaking recovery sideloading and the fastbootd flashing mode used by the web installer, which blocked us from releasing the previous release to all users
- Settings: change "Charging only" to "Charging-only" for the USB-C port mode options to make the meaning clearer
- Vanadium: update to version 122.0.6261.90.0

#GrapheneOS #privacy #security
🔥 Hello again, new #GrapheneOS update 2024022600. This time we have a new security feature that's been worked on for a while: USB-C Port Security. This is a significant security enhancement.

This feature allows users of Tensor Pixels (6 and later) to have fine-grained control over USB controller functionality, including totally disabling the data lines or the port when the OS is in use. There are 5 modes:
- On (current)
- Charging-only when locked, except in BFU (before first unlock)
- Charging-only when locked
- Charging-only
- Off (which even disables charging while booted into the normal OS mode)

This is different from the previously existing USB control features, including the Android 12 USB HAL toggle, which only disabled high-level kernel functionality and still left all the low-level kernel driver, USB protocol and USB controller attack surface enabled.

Other changelog entries:
- kernel (5.10, 5.15): add support for ignoring USB alt modes
- kernel (Tensor Pixels): extend the max77759 USB-C controller driver used by Tensor Pixels with support for a sysfs node providing fine-grained control over the USB-C data path at the USB controller level
- Setup Wizard: fix crash for SIM locales not recognized by com.android.internal.app.LocalePicker

#GrapheneOS #Privacy #Security
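As an added illustration of how the five USB-C port modes above interact with the auto-reboot timer from the bounty post, the following Python replays a constructed lock/unlock timeline and reports whether the USB data path is up after each event. This is an editor's example, not GrapheneOS code: the real implementation is the platform_frameworks_base pull request linked above together with the max77759 driver's sysfs node, neither of which is modeled. The mode names, the 18-hour default and 10-minute option, and the rule that a device still before first unlock keeps data on in the "except before first unlock" mode are taken from the posts; the class, function and event names and the sample timeline are assumptions made for the example. Whether the timer also runs from boot, before any unlock, is not stated in the posts and is not modeled.

```python
"""Model of two GrapheneOS lock-state policies described on this page:
the five USB-C port modes and the auto-reboot timer.

Added illustration only, not GrapheneOS code. Mode names, the 18 h default /
10 min option and the BFU exception come from the posts; the class, function
and event names and the sample timeline are this example's own assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional, Tuple


class UsbMode(Enum):
    ON = "On"
    CHARGING_ONLY_WHEN_LOCKED_EXCEPT_BFU = "Charging-only when locked, except before first unlock"
    CHARGING_ONLY_WHEN_LOCKED = "Charging-only when locked"
    CHARGING_ONLY = "Charging-only"
    OFF = "Off"


@dataclass(frozen=True)
class Device:
    """Lock state while booted into the normal OS (bootloader/recovery not modeled)."""
    locked: bool = True               # a freshly booted device is locked ...
    first_unlock_done: bool = False   # ... and before first unlock (BFU)
    reboot_deadline: Optional[float] = None  # absolute time at which auto-reboot fires


HOURS = 3600.0
DEFAULT_TIMEOUT_S = 18 * HOURS     # default since 2024011300 (was 72 h)
MAX_SECURITY_TIMEOUT_S = 10 * 60   # the 10-minute setting mentioned for high-risk users


def usb_data_enabled(mode: UsbMode, dev: Device) -> bool:
    """Is the USB data path up under `mode`, following the semantics in the post?"""
    if mode in (UsbMode.OFF, UsbMode.CHARGING_ONLY):
        return False
    if mode is UsbMode.ON:
        return True
    if mode is UsbMode.CHARGING_ONLY_WHEN_LOCKED:
        return not dev.locked
    # "except before first unlock": a locked device that is still in BFU keeps data on
    return (not dev.locked) or (not dev.first_unlock_done)


def usb_charging_enabled(mode: UsbMode) -> bool:
    """Only "Off" disables charging while booted into the OS."""
    return mode is not UsbMode.OFF


def apply(dev: Device, event: str, now: float, timeout_s: float) -> Device:
    """Advance the model by one event at wall-clock time `now` (seconds)."""
    if event == "lock":
        # Locking arms the timer; the post describes it as starting when the device is locked.
        return replace(dev, locked=True, reboot_deadline=now + timeout_s)
    if event == "unlock":
        # A successful unlock disarms the timer and ends BFU for this boot.
        return replace(dev, locked=False, first_unlock_done=True, reboot_deadline=None)
    if event == "tick":
        if dev.reboot_deadline is not None and now >= dev.reboot_deadline:
            return Device()  # auto-reboot: back to locked + BFU, timer cleared
        return dev
    raise ValueError(f"unknown event {event!r}")


def run(mode: UsbMode, events: List[Tuple[float, str]],
        timeout_s: float = DEFAULT_TIMEOUT_S) -> List[Tuple[float, str, bool, bool]]:
    """Replay (time, event) pairs; return (time, event, locked, usb_data_up) after each."""
    dev = Device()
    rows = []
    for t, ev in events:
        dev = apply(dev, ev, t, timeout_s)
        rows.append((t, ev, dev.locked, usb_data_enabled(mode, dev)))
    return rows


# Constructed sample timeline (not from the posts): boot, unlock once, lock, leave it for a day.
SAMPLE_EVENTS: List[Tuple[float, str]] = [
    (0.0, "tick"),                  # just booted: locked, BFU
    (60.0, "unlock"),
    (600.0, "lock"),
    (600.0 + 17 * HOURS, "tick"),   # within the 18 h window: no reboot yet
    (600.0 + 19 * HOURS, "tick"),   # past the window: auto-reboot has fired
]

if __name__ == "__main__":
    for mode in (UsbMode.CHARGING_ONLY_WHEN_LOCKED_EXCEPT_BFU, UsbMode.CHARGING_ONLY_WHEN_LOCKED):
        print(mode.value)
        for t, ev, locked, data in run(mode, SAMPLE_EVENTS):
            print(f"  t={t / HOURS:6.2f}h {ev:<7} locked={locked!s:<5} usb_data={data}")
```

The last row is the one worth looking at: once the timer fires, the model is back to locked and before first unlock, so under the "except before first unlock" mode the data path comes up again, as the stated semantics imply, while "Charging-only when locked" keeps it down until someone unlocks. Shortening the timeout to the 10-minute setting just moves that transition earlier in the timeline.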