GrapheneOS [Unofficial]

Pixel 8 and Pixel 8 Pro are ARMv9 devices supporting hardware memory tagging. Stock OS currently has a very primitive experimental implementation available as a developer option. We're going to be deploying a more advanced implementation for hardened_malloc in production soon.

Hardware memory tagging is going to provide a massive increase to protection against remote exploitation for GrapheneOS users. It's the biggest security feature we'll be shipping since we started in 2014. We want to have it enabled by default in async (fast) mode for the base OS.

We can provide a toggle for choosing between asynchronous (fast) and synchronous (more secure).

Many user installed apps have latent memory corruption bugs so we aren't going to enable it for them initially. We'll provide a toggle for setting the default (disabled, async, sync).

There can be a per-app toggle for overriding the global default alongside the toggles we already provide for using the full 48-bit address space (enabled by default) and hardened malloc (enabled by default, requires 48-bit address space). This will be a security game changer.

ARM memory tagging support provides a limited form of memory safety for both memory unsafe languages (C, C++) and the small subset of unsafe code in memory safe languages (Rust, Java, Kotlin). hardened_malloc was designed to use memory tagging and will be making great use of it.

MTE uses 4 bit tags for each 16 bytes of memory. hardened_malloc will be using memory tagging for all small allocations, which means 128k and below by default. hardened_malloc already places random guards around large allocations and quarantines their address space on free.