GrapheneOS isn't vulnerable to the 3 recently disclosed Linux kernel vulnerabilities named Copy Fail, Copy Fail 2 and Dirty Frag. Current Android Open Source Project SELinux policies block exploiting all 3 bugs. The standard AOSP GKI kernel configuration also has 2 of the 3 vulnerable features disabled.
Attack surface reduction via fine-grained SELinux policy rules and stripping out unused kernel features via kernel configuration go a long way toward protecting against vulnerabilities. There's also seccomp-bpf for various standard sandboxes, but most of the attack surface reduction is via SELinux.
AOSP uses SELinux to allowlist ioctl commands for drivers, permitted socket types, etc. in a fine-grained way. It strictly controls a lot of functionality prone to vulnerabilities, including user namespaces and io_uring, which aren't allowed to be used by apps or nearly any of the base OS processes.
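The ioctl allowlisting described above, shown as a constructed SELinux policy fragment (an added illustration, not taken from AOSP or GrapheneOS policy; the domain `example_app`, the device type `example_device` and all ioctl command numbers are hypothetical):

```selinux
# Coarse rule: the domain can issue every ioctl command the driver implements,
# so a bug in any single ioctl handler is reachable from this domain.
allow example_app example_device:chr_file { open read write ioctl };

# Fine-grained form: once an allowxperm rule exists for this source/target/class,
# the plain ioctl permission is no longer sufficient on its own. Only the listed
# command numbers (low 16 bits of the ioctl request) pass; everything else is
# denied and logged. Command values below are constructed for the example.
allowxperm example_app example_device:chr_file ioctl { 0x4001 0x4002 0x8003-0x8005 };

# Build-time assertion: policy compilation fails if any domain is ever granted
# the hypothetical 0x4fff command on this device node, so a later rule cannot
# quietly widen the attack surface.
neverallowxperm domain example_device:chr_file ioctl 0x4fff;
```

Denials of unlisted commands appear in the audit log as `avc: denied { ioctl }` entries carrying the rejected `ioctlcmd`, which is the signal to watch when a driver's reachable surface is being trimmed.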
These kinds of issues are rare and attack surface reduction is the best way to defend against them. GrapheneOS does additional kernel attack surface reduction, but in these 3 cases it's enough to have a modern AOSP GKI kernel and SELinux policies. We also greatly improve generic exploit protections.
Local privilege escalation vulnerabilities in the Linux kernel are very common. However, the vast majority are memory corruption bugs rather than these memory-related logic errors. We defend against the memory corruption bugs with hardware memory tagging, zero-on-free and similar generic defenses.
Linux has a massive amount of code for the core kernel and drivers for the hardware. All of the code runs with full privileges with no isolation. In a microkernel, each of these 3 recent vulnerabilities would have been in isolated processes. Virtualization will have a major role in addressing this.
Despite these not being traditional memory corruption, a memory safe language with a better type system would definitely help. Containing low-level handling of memory to a much smaller portion of the kernel and mostly using safe abstractions for networking, device drivers, etc. would help a lot.