top | item 45779908


Andromxda | 4 months ago

GrapheneOS releases patches very quickly, often even faster than OEMs do. But patches are only useful for fixing individual known vulnerabilities. GrapheneOS additionally focuses on defending against whole classes of vulnerabilities. [1] For example, in addition to fixing memory corruption bugs in individual system components, GrapheneOS has deployed memory protections for the entire OS in the form of hardened_malloc [2] and by enabling the ARM memory tagging extension for the kernel, most system processes (with very few exceptions) and all user-installed apps.

The honeypot theories don't make sense, since GrapheneOS is fully open source, and very transparent about developers, funding, infrastructure, and other internal stuff.

[1] https://grapheneos.org/features#exploit-protection

[2] https://github.com/GrapheneOS/hardened_malloc
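The comment above credits memory tagging with catching whole classes of memory-corruption bugs rather than individual instances. The following is an added illustration, not code from GrapheneOS, hardened_malloc, or the thread: a small software model of the tagging idea, written so it runs on any machine without ARM MTE hardware. Every 16-byte granule of a constructed arena carries a 4-bit tag, allocations colour their granules with a fresh tag, "pointers" carry the matching tag in their top bits, and each access is refused when the two disagree. The names (`tagged_alloc`, `tagged_store`, `tptr`) and the arena size are assumptions of this model; real MTE does the check in hardware and picks tags randomly rather than cyclically.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed software model of memory tagging. Not hardware MTE and not
 * GrapheneOS/hardened_malloc code: an educational approximation only. */

#define GRANULE        16                 /* bytes per tag granule, as in MTE */
#define ARENA_GRANULES 64                 /* small constructed arena */
#define TAG_SHIFT      56                 /* tag lives in bits 56..59 */
#define TAG_MASK       0xFULL

typedef uint64_t tptr;                    /* tagged "pointer": tag | arena offset */

static uint8_t  arena[ARENA_GRANULES * GRANULE];
static uint8_t  granule_tag[ARENA_GRANULES];   /* tag 0 = free memory */
static unsigned next_tag = 1;                  /* cycles 1..15 (hypothetical policy) */
static size_t   bump = 0;                      /* bump allocator, in granules */

static tptr     make_tptr(size_t off, unsigned tag) { return ((tptr)tag << TAG_SHIFT) | (tptr)off; }
static unsigned tptr_tag(tptr p)  { return (unsigned)((p >> TAG_SHIFT) & TAG_MASK); }
static size_t   tptr_off(tptr p)  { return (size_t)(p & ((1ULL << TAG_SHIFT) - 1)); }
static size_t   granules_for(size_t n) { size_t g = (n + GRANULE - 1) / GRANULE; return g ? g : 1; }

/* Allocate n bytes rounded up to whole granules and colour them with a fresh tag. */
tptr tagged_alloc(size_t n) {
    size_t g = granules_for(n);
    if (bump + g > ARENA_GRANULES) return 0;
    unsigned tag = next_tag;
    next_tag = (next_tag % 15) + 1;
    for (size_t i = 0; i < g; i++) granule_tag[bump + i] = (uint8_t)tag;
    tptr p = make_tptr(bump * GRANULE, tag);
    bump += g;
    return p;
}

/* Return 1 if every granule touched by [p, p+len) carries the pointer's tag. */
int tagged_check(tptr p, size_t len) {
    size_t off = tptr_off(p);
    if (len == 0) return 1;
    if (off + len > sizeof arena) return 0;
    unsigned tag = tptr_tag(p);
    for (size_t i = off / GRANULE; i <= (off + len - 1) / GRANULE; i++)
        if (granule_tag[i] != tag) return 0;
    return 1;
}

/* Checked store: refused (returns 0) on tag mismatch instead of corrupting memory. */
int tagged_store(tptr p, const void *src, size_t len) {
    if (!tagged_check(p, len)) return 0;
    memcpy(arena + tptr_off(p), src, len);
    return 1;
}

/* Free: recolour the granules so any stale pointer no longer matches. */
void tagged_free(tptr p, size_t n) {
    if (!tagged_check(p, n)) return;          /* refuse to free through a bad pointer */
    size_t first = tptr_off(p) / GRANULE;
    for (size_t i = 0; i < granules_for(n) && first + i < ARENA_GRANULES; i++)
        granule_tag[first + i] = 0;
}

/* Linear overflow from a 20-byte buffer into its neighbour. Shows both the catch
 * and the known caveat: bytes 20..31 sit in the buffer's own second granule, so
 * tagging does not see them; byte 32 belongs to the next allocation and is caught. */
int demo_overflow_detected(void) {
    tptr a = tagged_alloc(20);
    tptr b = tagged_alloc(16);
    (void)b;
    char fill[16];
    memset(fill, 'A', sizeof fill);
    int in_bounds = tagged_store(a, fill, 16);
    int slack_allowed = tagged_store(a + 20, fill, 12);   /* granule rounding: not caught */
    int caught = !tagged_store(a + 32, fill, 1);          /* different tag: refused */
    return in_bounds && slack_allowed && caught;
}

/* Use-after-free: the stale pointer keeps its old tag, freed memory does not. */
int demo_uaf_detected(void) {
    tptr p = tagged_alloc(8);
    char v = 'x';
    int before = tagged_store(p, &v, 1);
    tagged_free(p, 8);
    int after = tagged_store(p, &v, 1);
    return before && !after;
}

int main(void) {
    printf("overflow into neighbour caught: %d\n", demo_overflow_detected());
    printf("use-after-free caught:          %d\n", demo_uaf_detected());
    return 0;
}
```

The `slack_allowed` step is the part worth dwelling on: tagging is granule-based, so an overflow that stays within the rounded-up allocation is invisible to it, which is why hardened allocators pair tagging with their own size classes and guard regions rather than relying on it alone.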


MYEUHD | 4 months ago

> GrapheneOS is fully open source

Not really. There is a bunch of proprietary firmware running on those phones, which can be exploited with or without the help of the manufacturer.

rollcat | 4 months ago

Firmware is not OS.

Your machine is a distributed system. The firmware is what runs a specific node.

Yes, they usually have DMA, shared buses, etc. That's an implementation detail.

gf000 | 4 months ago

Show me any device on earth that can run a browser that has no proprietary code whatsoever (including hardware) on it?

Yokolos | 4 months ago

Reminds me of that one case a few weeks back where Graphene wasn't allowed to release a patch because Google wasn't planning on releasing a patch for it for a few more months.

linux_modder | 4 months ago

GrapheneOS has a security preview release channel that is opt-in but includes patches from these embargoed vulns already. Again, it's opt-in but for those with a higher threat model use-case it's nice to have.