A 0-click exploit chain for the Pixel 10

Posted by happyhardcore 8 hours ago

A 0-click exploit chain for the Pixel 10(projectzero.google)

290 points | 122 commentspage 2

NooneAtAll3 8 hours ago||

fascinating how GrapheneOS achieves high security level on the same hardware where Google failed to even randomize android's kernel location

jnwatson 7 hours ago||

Randomizing the kernel location is of marginal utility at best. There are so many info leaks that KASLR ends up being only a small speed bump on the way to exploitation.

Here's a cool project that inventories all your KASLR info leaks: https://github.com/bcoles/kasld

aftbit 5 hours ago|||

Is Graphene vulnerable to these exploits?

StilesCrisis 7 hours ago|||

It's easy to be secure if you just remove features. There's obvious tension here.

Aachen 6 hours ago||

Could you be any more specific about what features they've removed such that the hardening functions work? Because I think there are none

StilesCrisis 5 hours ago||

They're quite open about it. https://grapheneos.org/features#attack-surface-reduction

mtlmtlmtlmtl 1 hour ago||

You said removing features. This link is talking about making certain feautures optional and disabled by default, not removing them.

icf80 8 hours ago|||

google has lost its focus with pixel phones

Aachen 6 hours ago||

on selling ads or what do you mean their focus used to be that they've lost? I'm not at all negative about more paid features that they've been offering over time, from workspace to youtube to hardware. Still very conflicted about giving Google of all places my custom, but for e.g. phones it's hard to avoid and second-hand the prices are really quite competitive for a tangible hardware product (not a software subscription that you're stuck on). Not bad to shift focus to making these Pixel devices imo, so long as they remain open that is

jeffbee 7 hours ago||

KASLR isn't an effective mitigation against anything, and to me this is part of GrapheneOS's catalog of superficial but meaningless claims.

ysnp 5 hours ago||

I've not seen someone refer to a portion of GrapheneOS's mitigations as superficial and meaningless before. What might an OS with significant improvements to usable attack surface reduction and exploit mitigations look like to you? What sort of things (given a team of less than a dozen contending with OS updates, upgrades and device support) would you have liked to see implemented?

mschuster91 6 hours ago||

And that is against a device whose BSP is actually open source and available for research!

Now imagine the dark horrors hiding in the BSPs of other Android devices... or embedded devices in general.

Frankly, it should be a requirement of Google's certification process that everything regarding drivers gets upstreamed into the Linux kernel. Yes, even if this adds quite a time delay to the usual hardware development process.

codedokode 8 hours ago|

I read about Pixel 9 Dolby Decoder bug, and it is based on integer overflow. It was a mistake to allow "+" operator to overflow, and this must be fixed in new languages like Rust, but it is not.

tialaramex 7 hours ago||

In Rust the decision about whether to pay for overflow checks or just wrap (because all modern hardware will just wrap if you don't check and that's cheaper) is a choice you can make when compiling software, by default you get checks except in release builds but you can choose checks everywhere, even in release builds or no checks even in debug.

By definition in Rust it's incorrect to overflow the non-overflowing integer types, and so if you intend say wrapping you should use the explicit wrapping operations such as wrapping_add or the Wrapping<T> types in which the default operators do wrap - but if you turn off checks then it's still safe to be wrong, just as if you'd call the wrapping operations by hand instead of using the non-wrapping operations.

That Dolby overflow code looks awkward enough that I can't imagine writing it in Rust even if the checking was off - but I wasn't there. However the reason it's on Project Zero is that it resulted in a bounds miss, and that Rust would have prevented anyway.

kllrnohj 34 minutes ago|||

I love most of what Rust does, but this is something they just got wrong. The + operator should always trap on overflow. Which Rust kinda wanted to do (hence why it does that in debug builds), but then they chickened out about the performance risk for release builds, undermining the entire thing. The result is just weak lip service to "no UB!", since debug and release still have very different behavior

I think Zig has the most interesting approach here with 3 different "+" operators (+ aborts on overflow, +& wraps, and +| saturates) along with addWithOverflow builtin. It'd probably be a challenge for Rust to adopt that at this point, but it'd be a great improvement

codedokode 5 hours ago||||

> is a choice you can make when compiling software

That is not a solution because it means the code can behave differently, and expose vulnerability if wrong compilation settings are chosen.

The functions like "wrapping_add" have such a long names so that nobody wants to use them and they make the code ugly. Instead, "+" should be used for addition with exceptions, and something like "wrap+" or "<+>" or "[+]" used for wrapping addition.

That's how people work, they will choose the laziest path (the simplest function name) and this is why you should use "+" for safer, non-wrapping addition and make the symbol for wrapping addition long and unattractive. Make writing unsafe code harder. This is just basic psychology.

C has the same problem, they have functions checking for overflow, but they also have long and ugly names that discourage their use.

> modern hardware will just wrap if you don't check and that's cheaper

So you suggest that because x86 is a poorly designed architecture, we should adapt programing languages to its poor design? x86 will be gone sooner or later anyway.

Also, there are languages like JS, Python, Swift which chose the right path, it is only C and Rust developers who seem to be backwards.

tialaramex 23 minutes ago||

> That is not a solution because it means the code can behave differently, and expose vulnerability if wrong compilation settings are chosen.

If the software is correct nothing changes. The existence of people who write nonsense but expect you to work around that doesn't change between languages, they write crap in Swift or Python or Javascript just the same.

The long names are because there are, in fact, a lot of things you might want. Although Swift manages to take several pages and lots of diagrams to explain what wrapping is, that is in fact all their special operators do. What if you don't want wrapping? Too bad.

Rust provides saturating, which is almost always what you wanted for signal processing (e.g. audio) as well as separate "carry" booleans to do arithmetic the way you were probably shown in primary school, the wrapping most often provided on hardware and useful in cryptography among other places and explicitly cheap but dangerous and expensive but safe options. It also provides both kinds of division (and remainder), which doesn't matter for the unsigned integers but is important for signed integers and is a source of confusion and woe when languages provide only one kind or worse a mixture that makes no mathematical sense. These all need names.

Asmod4n 6 hours ago|||

__builtin_add_overflow Exists and it’s basically free on most CPUs out there.

tialaramex 6 hours ago||

> __builtin_add_overflow Exists and it’s basically free on most CPUs out there.

This is a very C-flavoured "solution". For those who haven't seen it this involves a pointer (!) and we're going to compute the addition, write the result to the pointed-at integer and then if that didn't fit and so it overflowed we'll return true otherwise false.

The closest Rust analogy would be T::carrying_add which returns a pair to achieve a similar result.

And yeah, checking is "basically free" unless it isn't, that's not different. If you haven't measured you don't know, same in every programming language.

It's never been true that you can't write correct software in C or C++ the problem is that in practice you won't do so.

jerf 7 hours ago|||

I've been using this as a touchstone for whether or not we are actually going to take security seriously for a long time.

We've moved slightly closer to this, but in a world where we're still arguing over memory safety being necessary we've probably still got a ways to go before we notice that addition silently overflowing is a top-10 security issue. It's the silent top-10 security issue, I guess.

fyrn_ 7 hours ago||

Isn't it often combined with poor bounds checks to be exploitable? It's not as if rust or VM based languages don't help a lot with this

IshKebab 7 hours ago||

It isn't because no ISA implements add like that, so there's always performance on the table if you check every time, and people would probably endlessly moan about how Rust is 20% slower than C on this add-heavy microbenchmark.

That said you can enable overflow checks in Rust's release mode. It's literally two lines:

  [profile.release]
  overflow-checks = true

I wonder if it would make sense for ISAs to have trapping versions of add and subtract. RISC-V's justification for not doing that is that it's only a couple more instructions to check afterwards. It would be interesting to see the performance difference of `overflow-check = true` on high performance RISC-V chips once they are available.

codedokode 5 hours ago|||

I think it is 3 extra instructions on RISC-V if you add signed numbers. So 1 addition (the most popular operation) turns into 4 instructions. What are those people thinking? I generally like RISC-V but this part in my opinion, is wrong. They should just have added "overflow enabled" bit to the add instruction.

IshKebab 1 hour ago||

In fairness I don't think it's quite as much of a no brainer as you'd think. Firstly, when RISC-V was developed Rust was still pre-1.0. People didn't think it would amount to anything. So most high performance code was C/C++ which doesn't have checked arithmetic.

Second, it's easy to say "trap on overflow" but traps are super annoying. You really ideally would want to avoid leaving user mode. As soon as you trap to the OS you're now dealing with signals which are pretty much the worst thing in the world. The 4 instruction case at least lets you just branch to other code.

So you ideally want an "add or branch" instruction, but there isn't enough space in the opcodes for that. The fallback is flags, which also massively suck. I don't know if anyone has a great solution to this problem.

tialaramex 7 hours ago||||

It does seem like "What if we offer checked integer arithmetic operations?" is a cheaper experiment than CHERI's "What if we mechanically reify extent based provenance"?"

IshKebab 1 hour ago||

But also way less impactful. It would solve maybe 20% of serious security vulnerabilities whereas CHERI solves like 60% at least. More if you use its strong compartmentalisation capabilities (heh).

That said, CHERI is super complicated. Checked integer arithmetic operations would be way simpler.

kps 5 hours ago|||

> It isn't because no ISA implements add like that

MIPS does (did?). And VAX, IBM/360, ....