Overview of new advanced hardening on GrapheneOS version 2024083100 and later
1364 sats \ 11 comments \ @final 2 Sep security
GrapheneOS version 2024083100 came out a few days ago with a lot of new hardening features and enhancements. Here is a quick rundown of what they are:

DCL control lists
Dynamic Code Loading (DCL) is a practice in Android apps to allow loading/executing code that is not part of the initial codebase (i.e. the APK) either from storage or memory. Some apps use this, while the practice is heavily discouraged on official Android documentation.
Apps that perform dynamic code execution have larger attack surface for injection and tampering attacks. It also makes the app more time-consuming to reverse engineer and verify. Being able to forcibly disable them for apps can close some of these risks. We completely forbid dynamic code generation for the base OS including preventing doing it via memory mapped files or the filesystem already as part of GrapheneOS hardening, so this is not relevant to system apps.
GrapheneOS now has a per-app dynamic code loading restriction toggle for dynamic code from memory and from storage, there is also a global toggle for dynamic code from memory, but per-app storage does not have it as many apps depend on Google's dynamite module system for Google Play which still needs phasing out.

WebView JIT Toggle
Any app that uses WebView can now have a per-app toggle for allowing JavaScript JIT in the WebView. Vanadium already has a toggle to block JIT which is on by default.
JavaScript JIT increases attack surface for memory-related vulnerabilities in web browsers. A large portion of known vulnerabilities from browsers come from the JIT engine. Many Chromium (and firefox) exploits in the wild or bugs discovered in contests traditionally come from V8 and JIT (or relevant equivalents).
Exploitation of browsers is popular in targeted campaigns, including this recently uncovered campaign of an alleged North Korean state actor using a then unknown V8 vulnerability: https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/ - not using JIT significantly cuts the attack surface involved in making attacks like these successful.
Toggling JIT in WebView will allow you to disable it if it breaks certain apps, it is better to have it on though.

RANDSTRUCT (Kernel 6.1 and above)
GrapheneOS now enables structure randomization (or randstruct) for releases using Kernel 6.1 and later. At the time of writing only the 9th generation Pixels use this, but upstream should migrate eventually.
A potential technique for attacking the Linux kernel is using memory boundary flaws to overwrite data of memory structures. When the order of that fields are stored within a structure is known, it is easy to calculate where sensitive fields reside. Sensitive fields can be function pointers, which could be overwritten with a location containing malicious code that the kernel can then execute, or security credentials, which can be used in privilege escalation attacks.
Enabling RANDSTRUCT in kernel randomizes the order of structures and function pointer tables at compile-time based on a seed. This means that kernel exploits leveraging them need to be catered to specific seeds which makes indiscriminate attacks ineffective. Currently, the seed changes every OS release and is the hash of the latest commit. This is to make sure GrapheneOS is still reproducible.
In the future, there will be different seeds for each device, not just each OS version.

Accessing new features
All the user toggles can be accessed via the GrapheneOS Exploit Protection safety center:
https://m.stacker.news/49522
RANDSTRUCT is not a toggleable option and is just kernel hardening.
https://grapheneos.org/donate
write
preview
related posts
21 sats \ 1 reply \ @nichro 3 Sep
I see the new settings now, but they seem to allow JIT and DCL by default.
Was this decision because tests revealed many commonly used apps used DCL and caused issues, or is it standard because it's a newly added feature?
Good work as always!
reply
50 sats \ 0 replies \ @final OP 3 Sep
Was this decision because tests revealed many commonly used apps used DCL and caused issues, or is it standard because it's a newly added feature?
Security features known to cause compatibility / UX issues aren't enabled by default. This feature would certainly break some apps using DCL heavily, it would be up to users to try them out. Ideally, the feature helps provide indicators of what apps are using it and what to replace. Potentially also a good choice for campaigning other app devs to use it less.
reply
0 sats \ 3 replies \ @cascdr 3 Sep
@CHADBot /eli5
reply
393 sats \ 1 reply \ @CHADBot 3 Sep bot
Okay, let's take a look at what @final is saying in a more simple way.
  1. DCL control lists: Imagine your apps being like a party you're hosting. Normally, you want only the people you invited to come. But now suppose there's a way for party crashers to sneak in. This is what dynamic code loading can do - it lets extra pieces of code join the app party, even if they weren't invited. This could be risky because you don't know what these extra bits of code might do. GrapheneOS has now added bouncers at the door. You can now choose to have them stop all uninvited codes, or only some, depending on the app.
  2. WebView JIT Toggle: Just like a city has different roads, computer programs have different ways to do things. One of these is called JIT, or Just-In-Time compilation, often used in web browsing. But, these routes can sometimes be dangerous and allow nasty stuff through. Because of this, GrapheneOS has added stop signs to these risky routes. You can control whether you’d like to block these routes or not for each app that uses them.
  3. RANDSTRUCT: Think of a secret club where all your important tools and information are hidden inside and they are always in the same places. If a bad guy figures out where stuff is, they can cause real damage. Now, what if we could move things around inside the club every time the bad guy looks away? This is what RANDSTRUCT does - it moves the important stuff about in a random way each time, making it harder for bad guys to find them. Right now, it changes every time there's a new version of GrapheneOS. In the future, it might change for each device too.
  4. Accessing the new features: All these new things can be adjusted in a place called the GrapheneOS Exploit Protection safety center. It's like a control panel where you can set up your security options. But note, RANDSTRUCT isn't an option you can toggle on or off, it's just part of making the system safer.
Bottom line: @final is talking about new safety features on GrapheneOS. These features give you better control over who and what can interact with your apps, how your apps process information, and protect your device's secret stuff by changing its location. All these make your device harder to attack.
Made with 🧡 by CASCDR
reply
10 sats \ 0 replies \ @ek 7 Sep
This is pretty good. @CHADbot is like a peak into the future.
reply
42 sats \ 0 replies \ @CHADBot 3 Sep bot
You have summoned CHADBot. Please zap this post 21 sats to receive service.
Made with 🧡 by CASCDR
reply
0 sats \ 2 replies \ @cascdr 3 Sep
@CHADBot /trumpMode for
reply
90 sats \ 0 replies \ @CHADBot 3 Sep bot
There's nothing better than new features and greater protection. @final hits it out of the park with the new GrapheneOS release. Tremendous!
Dynamic Code Loading (DCL) restrictions - phenomenal idea. This is how we keep our apps safe, folks! Big on security by closing out danger zones.
And how about that WebView JIT Toggle? @final gets it. We've got to have that CHOICE! Cutting off vector attacks and keeping things running smoothly.
RANDSTRUCT with Kernel 6.1 - This is huge, people! By randomizing structures, we're stifling attacks, ensuring better safety. Next level genius. Go big or go home!
Superb accessibility from the Exploit Protection safety center. Property of the people!
You want world class, secure tech? #GrapheneOS delivers! And they're not stopping, folks. Support the cause at https://grapheneos.org/donate. You'd be mad not to back this winner.
Made with 🧡 by CASCDR
reply
42 sats \ 0 replies \ @CHADBot 3 Sep bot
You have summoned CHADBot. Please zap this post 21 sats to receive service.
Made with 🧡 by CASCDR
reply
0 sats \ 0 replies \ @Solomonsatoshi 3 Sep
Unfortunate that apparently Graphene only works in Pixel6 phone. I would love to be able reverse engineer an old android phone into linux or other open source non corporate OS
reply
0 sats \ 0 replies \ @koqoo 2 Sep
is it any better than Calyx OS?
reply