final [GrapheneOS] 📱👁️🗨️ on Nostr: #GrapheneOS: We're continuing work on integrating ARMv9 security features. MTE is the ...
#GrapheneOS: We're continuing work on integrating ARMv9 security features. MTE is the highest impact and most interesting of these features, but there's less important work to do expanding usage of PAC and BTI. Android uses Clang's type-based CFI but not everywhere so BTI is still useful.
Pixel 8 was the first device with a usable MTE implementation despite it launching as part of ARMv8.5. Android world stayed on ARMv8.2 until ARMv9 and Apple hasn't shipped MTE. Apple was a much earlier adopter of the much less useful PAC. From our perspective, PAC was a misstep.
PAC is a weak probabilistic mitigation requiring lots of case-by-case integration. MTE can provide many deterministic guarantees and does a much better job as a probabilistic mitigation by catching memory corruption rather than only protecting specific memory corruption targets.
PAC requires bits which would have been better served by 16-bit MTE support and using a 48-bit address space. Hardware shadow stack is a better backwards edge CFI approach. MTE could be used to mimic hardware shadow stack support via a reserved tag for ShadowCallStack.
We're currently the first platform using userspace heap MTE for hardening in production. We plan to do the same with userspace stack MTE along with doing both in the kernel. Turning ShadowCallStack in the kernel into a hardware protected shadow stack would also be nice to ship.
In the kernel, Pixel OS uses PAC for backwards edge CFI and Clang type-based CFI for forward-edge. We use ShadowCallStack + PAC together and enable BTI in addition to type-based CFI due to lots of functions being excluded from type-based CFI. We plan to do the same in userspace.
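The point above about MTE catching memory corruption deterministically, as an added example that is not part of the original post and not GrapheneOS code: a toy software model of MTE-style tag checking. The 4-bit tags and 16-byte granules match ARM MTE; the bump allocator, the reserved tag 0 for free memory, the rule that a new allocation never shares its left neighbour's tag, and all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy software model of MTE tag checking (constructed for illustration).
   Real MTE performs the comparison in hardware on every load and store. */
#define GRANULE   16            /* bytes covered by one allocation tag */
#define NGRAN     64            /* size of the modelled heap, in granules */
#define TAG_SHIFT 56            /* logical tag sits in pointer bits 59:56 */
#define FREE_TAG  0             /* assumption: tag 0 is reserved for free memory */

static uint8_t mem_tag[NGRAN];  /* allocation tag of each granule */
static size_t next_gran;        /* bump allocator cursor */

static uint8_t ptr_tag(uint64_t p) { return (p >> TAG_SHIFT) & 0xF; }
static size_t ptr_off(uint64_t p) { return (size_t)(p & ((1ULL << TAG_SHIFT) - 1)); }

/* Allocate: random non-zero tag that always differs from the left neighbour's. */
uint64_t tagged_alloc(size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE, start = next_gran;
    if (n == 0 || start + n > NGRAN) return 0;
    uint8_t left = start ? mem_tag[start - 1] : FREE_TAG, tag;
    do { tag = (uint8_t)(1 + rand() % 15); } while (tag == left);
    for (size_t i = 0; i < n; i++) mem_tag[start + i] = tag;
    next_gran += n;
    return ((uint64_t)tag << TAG_SHIFT) | (start * GRANULE);
}

/* Free: retag with the reserved value so a stale pointer can never match. */
void tagged_free(uint64_t p, size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE, g = ptr_off(p) / GRANULE;
    for (size_t i = 0; i < n; i++) mem_tag[g + i] = FREE_TAG;
}

/* Tag check for an access at p[index]: 1 = allowed, 0 = tag check fault. */
int access_ok(uint64_t p, size_t index) {
    size_t off = ptr_off(p) + index;
    if (off / GRANULE >= NGRAN) return 0;
    return mem_tag[off / GRANULE] == ptr_tag(p);
}

int main(void) {
    uint64_t a = tagged_alloc(32), b = tagged_alloc(32);
    printf("in bounds: %d, overflow into neighbour: %d\n", access_ok(a, 31), access_ok(a, 32));
    tagged_free(a, 32);
    printf("use after free: %d, neighbour still valid: %d\n", access_ok(a, 0), access_ok(b, 0));
    return 0;
}
```

In this model the linear overflow and the use-after-free always fault, while an access that lands in a non-adjacent live allocation is only caught when the two random tags happen to differ. Checks are per granule, so an overflow that stays inside the last 16-byte granule of an allocation is not seen.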