Daniel Micay thestinger

Please read through https://attestation.app/about again but also check out the upstream documentation on key attestation and the Auditor protocol documentation linked from that page while going through it. There's likely already information there that's useful to you. I avoided trying to explain everything myself rather than delegating to existing documentation elsewhere like my protocol documentation in the app which shows the binary-level format of the attestation challenge and response.

Forgive me if this seems trivial to the security researchers out there, but I'm having a hard time wrapping my head around what having Remote Attestation actually does for the user, and what a user has to gain by setting this up for themselves by installing Auditor.

It provides you with hardware-verified information, and chains trust to the application which provides software-verified information. The whole point is that you are not trusting the OS or the user interface on the device to provide accurate information.

@thestinger
thestinger / Android_Q_Privacy.md
Last active January 31, 2024 22:25
Android Q privacy features in the context of the AndroidHardening / GrapheneOS work

Some of the privacy features that I developed in the past are now going to be standard Android features in the next major release. In some cases, the implementation that I worked on ended up being a direct inspiration for the upstream work. I also pushed them to enable permissions review by default, which may have had some influence on it finally shipping as enabled. It was seemingly implemented for some niche scenario and most of their privacy / security team didn't know about the feature existing when I talked to them about it in the past.

Most of my work has focused on improving security, and that focus will be somewhat increased in Android Q due to many of the privacy improvements being part of the baseline OS.

Android P had previously replaced some of the privacy features developed as part of the AndroidHardening project such as restricting access to the camera, microphone and sensors in the background.

Features that were not implemented by my past work:

@thestinger
thestinger / Linux ASLR comparison.md
Last active November 26, 2022 11:27
Comparing ASLR between mainline Linux, grsecurity and linux-hardened

These results are with glibc malloc on x86_64. The last public PaX and grsecurity patches don't support arm64 which is one of the two architectures (x86_64 kernels including x32/x86_32 and arm64 kernels including armv7 userspace) focused on by linux-hardened. There isn't anything other than x86_64 to compare across all 3 kernels although linux-hardened has the same end result for both x86_64 and arm64 (with slightly different starting points) and there are few mainline differences. The linux-hardened implementation of ASLR is a very minimal modification of the mainline implementation to fix the weaknesses compared to grsecurity. The intention is to upstream all of these changes, although care needs to be taken to properly justify them to avoid getting anything rejected unnecessarily.

Explanation of differences between kernels:

  • Mainline and linux-hardened base randomization entropy for the mmap base and executable to the vm.mmap_rnd_bits sysctl for 64-bit and
@thestinger
thestinger / todo.txt
Last active October 17, 2022 07:05
GrapheneOS Android 12 repository porting status
# done
- device_common
- device_generic_goldfish
- device_google_barbet
- device_google_bonito
- device_google_bonito-sepolicy
- device_google_bramble
- device_google_coral
- device_google_coral-sepolicy
@thestinger
thestinger / stats.txt
Created August 25, 2022 16:25
CAKE stats for Stable channel release of Android 13 GrapheneOS
0.releases.grapheneos.org
qdisc cake 8001: root refcnt 2 bandwidth 2Gbit besteffort triple-isolate nonat nowash no-ack-filter split-gso rtt 100ms raw overhead 0
Sent 825589304596 bytes 562670731 pkt (dropped 2197065, overlimits 23438538 requeues 0)
backlog 416930b 284p requeues 0
memory used: 5471404b of 15140Kb
capacity estimate: 2Gbit
min/max network layer size: 42 / 1514
min/max overhead-adjusted size: 42 / 1514
average network hdr offset: 14
@thestinger
thestinger / 13-experimental.md
Last active August 20, 2022 21:47
Experimental Android 13 GrapheneOS release
@thestinger
thestinger / twitter-verification-notability.md
Last active July 3, 2022 19:59
Sources which were used for our failed Twitter verification attempt at the start of July which was instantly automatically rejected with zero explanation and clearly no human reviewing any of it, likely due to a technical issue.
@thestinger
thestinger / twitter-verification-notability.md
Last active July 3, 2022 18:57
Sources which were used for our failed Twitter verification attempt at the end of May. The sources for the 2nd attempt will be a smaller higher quality set without any publishers which aren't Twitter verified.
@thestinger
thestinger / fonts.conf
Last active June 16, 2022 16:34
~/.config/fontconfig/fonts.conf
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
<alias>
<family>sans-serif</family>
<prefer>
<family>Source Sans Pro</family>
</prefer>
</alias>
<alias>