Conversation

twitter.com/DanielMicay/st It's worth noting that CONFIG_DEBUG_LIST is enabled in GrapheneOS with panic on data corruption, which according to bugs.chromium.org/p/project-zero breaks the exploit primitive. However, this is just one vulnerability, and many won't be mitigated like that.

Quote Tweet

Daniel Micay

@DanielMicay

Oct 4, 2019

Unfortunately, due to lack of resources and support, it hasn't yet been possible to start doing this for the ongoing revival of the project. In the past, I used to do it myself, but don't have the time and energy available anymore and people aren't stepping up to fill that gap.

Show this thread

Replying to

TBF this bug is purely in Android, not Linux. Binder is Android nonsense. :-)

Replying to

Binder is in the upstream kernel and is used outside of Android too. It's used to implement userspace mobile device drivers which are used elsewhere. It's the communication mechanism between the sandboxes. Other OSes reuse those drivers even if they use dbus, etc. elsewhere.

Replying to

and

Microkernels with a focus on security end up needing to design a very efficient, lightweight and powerful IPC mechanism as part of a tiny core kernel. Need to be able to enforce a flexible / powerful security model at a high level among other things. Linux doesn't have an answer.

12:43 PM · Oct 4, 2019Twitter Web App

Replying to

and

So, instead, there are a whole bunch of competing out-of-tree mechanisms and all the lackluster POSIX and assorted legacy options not meeting real world requirements. Linux approach is to end up offering a dozen bad options with most systems using a variety of them at once.

Replying to

and

Binder ended up upstream, unlike essentially all the other attempts at offering a more modern IPC mechanism, and it's definitely used more broadly than Android now. Beyond just using drivers designed for an Android environment too. It's among what's available so people use it.

Show replies

Replying to

Pipes, especially with splice support? Shared memory and futexes? I think Linux has some very powerful clean ones - although shared memory does not work reasonably across privilege domains, pipes do. Most of the fancy stuff is premature optimization & ignorance of existing stuff.