I-GrapheneOS: Yeyiphi enye indlela kwi-Android kwaye luluphi utshintsho olukhoyo kwinguqulo yayo engu-2024011300?

Darkcrizt

Imizuzu ye6

IgrapheneOS

I-GrapheneOS yifolokhwe yeprojekthi ye-AndroidHardening

Zimbalwa iintsuku ezidlulileyo Ukukhutshwa kwenguqulo entsha ye-GrapheneOS 2024011300 yabhengezwa, uguqulelo apho ukuqaliswa ngokutsha okuzenzekelayo kubhalwe kwakhona, idityanisiwe umjongi omtsha welog, i-kernel ihlaziywe, uphuculo luye lwaphunyezwa kunye nokunye.

Kwabo bangaziyo ngeGrapheneOS, kuya kufuneka uyazi ukuba oku Yifolokhwe ye-codebase ye-AOSP (Iprojekthi ye-Android Open Source), eyandisiweyo kwaye yalungiswa ukuphucula ukhuseleko kunye nokuqinisekisa ubumfihlo bomsebenzisi. IgrapheneOS yayidla ngokubizwa ngokuba yi-AndroidHardening kwaye yahlulwa kwiprojekthi yeCopperheadOS ngenxa yeengxabano phakathi kwabasunguli bayo.

Phakathi Iimpawu eziphambili kunye neendlela zeGrapheneOS, ivelele:

  • Ukwahlukaniswa kunye nolawulo lofikelelo: Ubuchwephesha bovavanyo buphunyezwa ukomeleza ukwahlukaniswa kwesicelo kunye nolawulo lofikelelo lwegranular. Oku kubandakanya ukusebenzisa ukuphunyezwa kobunini be-malloc, uguqulelo olulungisiweyo lwe-libc kunye nokhuseleko lorhwaphilizo lwememori, kunye nolwahlulo olungqongqo ngakumbi lwendawo yedilesi yenkqubo.
  • Ukuhlanganiswa kwe-AOT kunye ne-Non-JIT: I-Android Runtime isebenzisa kuphela i-AOT (phambi kwexesha) ukuhlanganiswa endaweni yeJIT (nje-ngexesha).
  • I-Linux Kernel ekhuselweyo: I-Linux kernel ibandakanya iindlela ezininzi zokhuseleko ezongezelelweyo, ezifana nethegi ye-canary ukuvala ukuphuphuma kwebuffer. I-SELinux kunye ne-seccomp-bpf zisetyenziselwa ukuphucula ukusetyenziswa kwesicelo.
  • Ulawulo lwemvume ethile: Ukufikelela kwimisebenzi yenethiwekhi, abenzi boluvo, incwadi yeedilesi, kunye nezixhobo ezijikelezayo zivunyelwe kuphela kwizicelo ezikhethiweyo. Ukufunda kwibhodi eqhotyoshwayo kuvunyelwe kuphela kwizicelo ezigxininise kwigalelo.
  • Isichongi sabucala: Ngokungagqibekanga, ukufumana ulwazi malunga ne-IMEI, idilesi ye-MAC, inombolo yesiriyali yekhadi le-SIM kunye nezinye izichongi zehardware akuvumelekanga.
  • Khu seleko: Imilinganiselo eyongezelelweyo iphunyeziwe ukwahlula iinkqubo ezinxulumene ne-Wi-Fi kunye neBluetooth kunye nokuthintela ukuvuza kwemisebenzi engenazingcingo.
  • uguqulelo oluntsonkothileyo: Isebenzisa ungqinisiso lwe-cryptographic yamacandelo okulayisha kunye noguqulelo oluntsonkothileyo kwinqanaba lenkqubo yefayile ye-ext4 kunye ne-f2fs (idatha iguqulelwe ngokuntsonkothileyo kusetyenziswa i-AES-256-XTS kunye namagama efayile yi-AES-256-CTS isebenzisa i-HKDF-SHA512 ukuvelisa isitshixo esahlukileyo kwifayile nganye) , endaweni yesixhobo sokuthintela
  • Ngaphandle kukaGoogle:Ngokusisiseko, ayibandakanyi usetyenziso kunye neenkonzo zikaGoogle, kodwa ikuvumela ukuba ufake iinkonzo zikaGoogle Play kwindawo ekwanti.
  • Uphuhliso lwezicelo zakho: Iprojekthi iphuhlisa izicelo ezininzi zobunikazi ezigxile kukhuseleko kunye nobumfihlo, njengeChromium (Vanadium) esekwe kwisikhangeli, isibonisi esikhuselekileyo sePDF, i-firewall, isicelo soMphicothi-zincwadi sokuqinisekisa isixhobo kunye nokubhaqwa kokungena, usetyenziso lwekhamera olugxile kubumfihlo kunye nemfihlo. inkqubo yokugcina ebizwa ngokuba yiSeedvault.

Yintoni entsha ekhoyo inguqulelo entsha yeGrapheneOS 2024011300?

Kolu guqulelo lutsha oluvezwa iGrapheneOS 2024011300, enye yeenguqu zayo ezibalulekileyo el Gqibezela ukuyilwa ngokutsha kokuphunyezwa kwendlela yokuqalisa ngokutsha ngokuzenzekelayo, ukususela ngoku, le ndlela sebenzisa isibali-xesha kwinkqubo yokuqalisa endaweni yenkqubo_yeseva, eye yaphucula ukhuseleko kwaye yaphelisa ithuba lokuphinda iqalise isixhobo esingazange sivulwe. Ukongeza, ixesha lokuqalisa kwakhona ngokuzenzekelayo lincitshisiwe ukusuka kwii-72 ukuya kwiiyure ze-18.

Kuyakhankanywa ukuba Umbono ophambili wokuqalisa kwakhona ngokuzenzekelayo kukusetha kwakhona izahlulo ezisebenzayo (ikhutshiwe) ngedatha yomsebenzisi ebuyela kwimo yayo yokuqala engabhalwanga emva kwexesha elithile lokungasebenzi. Idatha yeprofayile yomsebenzisi iguqulelwe ngokuntsonkothileyo emva kokuba isixhobo siqale ngokutsha kwaye zikhutshiwe kuphela emva kokuba umsebenzisi efake igama lokungena. Ukuba umsebenzisi akayivulanga iseshoni evuliweyo ngaphezu kweeyure ze-18, isixhobo siya kuqalisa ngokuzenzekelayo. Ukuphela kwexesha lokuqalisa ngokutsha ngokuzenzekelayo kunokulungiswa kwiiSetingi > Ukhuseleko > UkuziQalisa kwakhona.

Los Abaphuhlisi beGrapheneOS bakhankanya ukuba ulungelelwaniso lweli nqaku lusekwe kubuthathaka bamva nje Ifunyenwe kuGoogle Pixel kunye nee-smartphones ze-Samsung Galaxy. Obu buthathaka buvumela iinkampani zokuhlalutya i-forensic ukuba zihlole abasebenzisi kwaye zikhuphe idatha ngelixa isixhobo sikwimo esebenzayo, oko kukuthi, xa iseshini iyasebenza kwaye idatha ikhutshiwe. Ukuqaliswa kokuqalisa ngokutsha okuzenzekelayo kunceda ukunciphisa lo mngcipheko ngokuqalisa kwakhona isixhobo emva kwexesha elide lokungasebenzi, ngaloo ndlela kuthintela uhlalutyo olungagunyaziswanga lwezitshixo ezinokuthi zihlale kwinkumbulo ukuba isixhobo siwela kwizandla ezingalunganga.

Olunye utshintsho olugqamayo kwinguqulelo entsha yi Uhlaziyo lwe-Linux kernel kwizixhobo zePixel kunye nenkxaso ye-sysrq ivaliwe. I-Pixel 6, i-Pixel 6 Pro, i-Pixel 6a, i-Pixel 7, i-Pixel 7 Pro, i-Pixel 7a, i-Pixel Tablet kunye nezixhobo ze-Pixel Fold, ihlaziywe kwinguqulo yakamuva ye-GKI (i-Generic Kernel Image), eyi-5.10.206. Ngelixa izixhobo zePixel 8 kunye nePixel 8 Pro, uhlaziyo lwekernel luyinguqulo 5.15.145. Ukongeza, kwakha nge-kernel 6.1.69 sele ilungisiwe. Olu hlaziyo lunokubandakanya ukuphuculwa kokhuseleko, ukulungiswa kwebug, kunye neempawu ezintsha ezibonelelwa ziinguqulelo zamva nje zeLinux kernel.

Ukongeza koku, kwakhona kuphawulwe ukuba umjongi welog yongeziwe (Useto> Inkqubo> Jonga iilogi), ekuvumela ukuba uvavanye iingxaki ezivelayo kwaye wenze lula ukulungiswa kweengxelo zempazamo, kunye ne-interface yokungenisa iingxelo zokuphahlazeka zenziwe ngokutsha.

En inkxaso ye-adevtool yeNkonzo yeKhamera yePixel iye yaziswa, ekuvumela ngoku ukuba usebenzise imowudi yasebusuku kwizicelo kwii-smartphones zePixel 6+. Kwelinye icala, adevtool iyekile ukuxhasa izixhobo ezingahambelani ne-Android 14.

Ye- Olunye utshintsho olwahlukileyo:

  • Yongeza imveliso yesaziso xa i-detector yokonakala kwememori ivuliwe kwi-malloc.
  • Umkhangeli weVanadium uhlaziywe kwi-codebase ye-Chromium 120
  • GmsCompatConfig: uhlaziyo kwinguqulelo 92
  • bonisa isaziso emva kokuba i-hardened_malloc ibhaqa ukonakala kwememori usebenzisa i-check ngqo (ayilugubungeli urhwaphilizo lwememori oluchongwe kwisithuba sedilesi yememori ekhuselweyo)

Okokugqibela, kufanelekile ukukhankanya ukuba unomdla wokwazi ngakumbi ngayo, Ungajonga iinkcukacha kwi ukulandela ikhonkco.