Conversation

Having some fun with Android.

microsoftedge.github.io

Introduction Back in 2020 while reviewing Chromium code, I found issue 1068395, a Use-After-Free in Browser Process that can be used to escape the Chromium sandbox on Android Devices. This is an...

108

Daniel Micay

@DanielMicay

Replying to

@spoofyroot

By the way, even without Zygote screwing up probabilistic mitigations (not just ASLR) such as on GrapheneOS, ART is an issue. It uses a 32-bit heap in the lower 4G of the address space on 64-bit as an optimization and has a persistently relocated base address to optimize too.

4:55 PM · Mar 2, 2021Twitter Web App

Replying to

and

We used to deal with the persistently relocated base address but haven't been able to keep that code maintained / ported through recent Android versions. It uses PIC but it has pre-relocated data. I assume they'll eventually switch to 64-bit addresses for the ART memory at least.

Replying to

and

ART has the optimization of reusing a heap dump after basic initialization as part of compiling code. That's how it ends up with something it wants to persistently relocate as an optimization. So that combined with 32-bit pointers (not offsets) as optimization hurts ASLR too.

Show replies