improve documentation on process spawning model

2020-08-29 03:35:08 -04:00 · 2020-08-29 03:35:08 -04:00 · cb73e3ce62
commit cb73e3ce62
parent 77dab97e4d
1 changed files with 25 additions and 10 deletions
--- a/static/usage.html
+++ b/static/usage.html
@ -340,16 +340,31 @@
                <a href="#exec-spawning">Exec spawning</a>
            </h2>
-            <p>You may notice that cold start app spawning time takes a bit longer (i.e. in the
+            <p>GrapheneOS creates fresh processes (via exec) when spawning applications instead of
-            ballpark of 100ms) than stock Android, along with higher app memory usage. This is due
+            using the traditional Zygote spawning model. This improves privacy and security at the
-            to security centric exec spawning model used by GrapheneOS to provide each application
+            expense of higher cold start app spawning time and higher initial memory usage. It
-            with a unique address space layout, random hardened_malloc heap layout and unique keys
+            doesn't impact runtime performance beyond the initial spawning time. It adds somewhere
-            / seeds for other probabilistic exploit mitigations like stack canaries, setjmp
+            in the ballpark of 100ms to app spawning time on the flagship devices and is only very
-            protection and future features like randomized memory tags. Exec spawning doesn't
+            noticeable on lower-end devices with a weaker CPU and slower storage. The spawning
-            cause a performance cost after launching an app, and similarly doesn't cause any extra
+            time impact only applies when the app doesn't already have an app process and the OS
-            latency for app spawning if the app was already running / cached in the background. It
+            will try to keep app processes cached in the background until memory pressure forces
-            isn't very noticeable on flagship devices with a high end CPU like a Pixel 3, and is a
+            it to start killing them.</p>
-            lot more noticeable on a lower end device like a Pixel 3a.</p>
+
            <p>In the typical Zygote model, a template app process is created during boot and
            every app is spawned as a clone of it. This results in every app sharing the same
            initial memory content and layout, including sharing secrets that are meant to be
            randomized for each process. It saves time by reusing the initialization work. The
            initial memory usage is reduced due to copy-on-write semantics resulting in memory
            written only during initialization being shared between app processes.</p>
            <p>The Zygote model weakens the security provided by features based on random secrets
            including Address Space Layout Randomization (ASLR), stack canaries, heap canaries,
            randomized heap layout and memory tags. It cripples these security features for since
            every app has the values for every other app and the values don't change for fresh app
            processes until reboot. Much of the OS itself is implemented via non-user-facing apps
            with privileges reserved for OS components. The Zygote template is reused across user
            profiles, so it also provides a temporary set of device identifiers across profiles
            for each boot via the shared randomized values.</p>
            <h2 id="bugs-uncovered-by-security-features">
                <a href="#bugs-uncovered-by-security-features">Bugs uncovered by security features</a>