From c3f5f59c4545ac75eebac8a9d51719e0d12e17ce Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Thu, 17 Dec 2020 01:32:46 -0500 Subject: [PATCH] move more content to the features page --- static/features.html | 12 ++++++++++-- static/index.html | 40 ++++++++++++++-------------------------- 2 files changed, 24 insertions(+), 28 deletions(-) diff --git a/static/features.html b/static/features.html index e1a10453..780ff4b0 100644 --- a/static/features.html +++ b/static/features.html @@ -67,10 +67,18 @@
  • Stronger app sandbox
  • Hardened libc providing defenses against the most common classes of vulnerabilities (memory corruption)
  • -
  • Our own hardened malloc (memory allocator) +
  • Our own hardened malloc (memory allocator) leveraging modern hardware capabilities to provide substantial defenses against the most common classes of vulnerabilities (heap memory corruption) along with - reducing the lifetime of sensitive data in memory
  • + reducing the lifetime of sensitive data in memory. The hardened_malloc project is + portable to other Linux-based operating systems and is being adopted by other + security-focused operating systems like Whonix. The + hardened_malloc + README has extensive documentation on it. Our allocator also heavily influenced the + design of the next-generation + musl malloc implementation which offers substantially better security than musl's + previous malloc while still having minimal memory usage and code size. +
  • Hardened compiler toolchain
  • Hardened kernel
  • Prevention of dynamic native code execution in-memory or via the filesystem for the base OS without going via the package manager, etc.
  • diff --git a/static/index.html b/static/index.html index e479c4d1..9914bc01 100644 --- a/static/index.html +++ b/static/index.html @@ -64,33 +64,21 @@ foundation, but for now the developers represent the project.

    GrapheneOS improves the privacy and security of the OS from the bottom up. It - has a hardened kernel, libc, malloc and compiler toolchain with many low-level - improvements. These changes are designed to eliminate whole classes of serious - vulnerabilities or provide meaningful barriers to exploitation. We avoid making - changes without a clear rationale and we regularly work towards simplifying and - replacing these low-level improvements. The malloc implementation is our own hardened_malloc - providing cutting edge security for modern systems. The hardened_malloc project is - portable to other Linux-based operating systems and is being adopted by other - security-focused operating systems like Whonix. The hardened_malloc - README has extensive documentation on it. Our work also heavily influenced the - design of the next-generation - musl malloc implementation which offers substantially better security than musl's - previous malloc while still having minimal memory usage and code size.

    + deploys technologies to mitigate whole classes of vulnerabilities and make exploiting + the most common sources of vulnerabilities substantially more difficult. It improves + the security of both the OS and the apps running on it. The app sandbox and other + security boundaries are fortified. GrapheneOS tries to avoid impacting the user + experience with the privacy and security features. Ideally, the features can be + designed so that they're always enabled with no impact on the user experience and no + additional complexity like configuration options. It's not always feasible, and + GrapheneOS does add various toggles for features like the Network permission, Sensors + permission, restrictions when the device is locked (USB peripherals, camera, quick + tiles), etc. along with more complex user-facing privacy and security features with + their own UX.

    -

    There are also many under-the-hood changes at a higher level, including major - improvements to SELinux policies particularly for the app sandbox. GrapheneOS tries to - avoid impacting the user experience with the privacy and security features. Ideally, - the features can be designed so that they're always enabled with no impact on the user - experience and no additional complexity like configuration options. It's not always - feasible, and GrapheneOS does add various toggles for features like the Network - permission, Sensors permission, restrictions when the device is locked (USB - peripherals, camera, quick tiles), etc. along with more complex user-facing privacy - and security features with their own UX.

    - -

    See the new features page for more details on GrapheneOS - features.

    +

    The features page provides an overview of the substantial + privacy and security improvements added by GrapheneOS to the Android Open Source + Project.

    Official releases are available on the releases page and installation instructions are on the install page.
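Review bot: In the static/features.html hunk, the hardened malloc list item grows from a short bullet into a multi-sentence paragraph, while its neighbours ("Hardened compiler toolchain", "Hardened kernel") stay one-line entries, and it now mixes two spellings of the name ("hardened malloc" in the opening line, "hardened_malloc" in the added text). Consider keeping the bullet to the defensive properties (heap memory corruption defenses, reduced lifetime of sensitive data) and moving the portability, Whonix adoption and musl malloc sentences into a nested paragraph or sub-list under it, with one spelling used throughout. The added terminal period after "sensitive data in memory" also differs from the other bullets visible in this hunk, which have none.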
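Review bot: In the static/index.html hunk, two removed statements have no counterpart in the lines added to static/features.html by this patch: "We avoid making changes without a clear rationale and we regularly work towards simplifying and replacing these low-level improvements" and "major improvements to SELinux policies particularly for the app sandbox". The replacement text only says "The app sandbox and other security boundaries are fortified", which is less specific. If the features page already covers both points outside the visible hunk, say so in the commit message. Otherwise carry them over so that a commit described as moving content does not drop it. The explicit list "hardened kernel, libc, malloc and compiler toolchain" is also removed from the landing page, so it is worth checking that the new closing paragraph links to the features page clearly enough for readers who came looking for those items.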