2022-06-30 06:19:28 +01:00
<!DOCTYPE html>
<html>
<head>
<title>Inferencium Network - About</title>
<link rel="stylesheet" href=infnet.css>
</head>
<div class="sidebar">
<a class="title">Inferencium Network</a><br>
<br>
<br>
<div><a href="about.html">About</a></div>
<div><a href="contact.html">Contact</a></div>
<div><a href="blog.html">Blog</a></div>
<div><a href="source.html">Source</a></div>
</div>
<body>
<h1>About</h1>
<br>
<h3>About Me</h3>
<p>I am Inference, a cybersecurity researcher based in the United Kingdom.</p>
<br>
<p>I write about my research and experience in cybersecurity and also physical
security. Most of my postings are security-related, but I occasionally post
about other aspects of my life.</p>
<br>
<p>I am an open source advocate for the preservation and modifiability of
source code. I believe source code should be considered human knowledge as
much as past knowledge and teachings were; it is how modern humanity
survives and runs.<br>
Source code being modifiable allows it to be adapted
for use by anyone, whether to add features, harden it for increased security
and/or privacy, or provide accessibility for disabled users.<br>
I am also a modular design advocate for the ability to securely and
robustly make changes to hardware and software without the entire system
being affected.</p>
<br>
<p>If you want to contact me for any reason, you can use my
<a class="body-link" href="https://inferencium.net/contact.html">contact methods</a>.</p>
<br>
<br>
<br>
<h3>Hardware I Use</h3>
<h4>Smartphone</h4>
<table>
<tr>
<td>Type</td>
<td>Hardware</td>
<td>Description</td>
<td>Source model<br>
<br>
(License)</td>
</tr>
<tr>
<td>Smartphone</td>
<td><img src="img/google-pixel_6.png" width="100px" height="100px"/><br>
<br>
Google Pixel 6</td>
<td>Google Pixel devices are the best Android devices available on
the market for
<a class="table-link" href="https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html"
>security and privacy</a>.<br>
<br>
They allow locking the bootloader with a
<a class="table-link" href="https://android.googlesource.com/platform/external/avb/+/master/README.md#pixel-2-and-later"
>custom Android Verified Boot (AVB) key</a> in order to preserve security and privacy features when installing a custom
operating system, such as
<a class="table-link" href="https://source.android.com/docs/security/features/verifiedboot/"
>verified boot</a> which verifies that the OS has not been corrupted or tampered with, and
<a class="table-link" href="https://source.android.com/docs/security/features/verifiedboot/verified-boot#rollback-protection"
>rollback protection</a> which prevents an adversary from rolling back the OS or firmware version to a
previous version with known security vulnerabilities.<br>
<br>
They also include a
<a class="table-link" href="https://developer.android.com/training/articles/keystore#HardwareSecurityModule"
>hardware security module</a> (Titan M2, improving on the previous generation
<a class="table-link" href="https://security.googleblog.com/2018/10/building-titan-better-security-through.html"
>Titan M</a>) which is extremely resistant to both remote and physical attacks due to being
completely isolated from the rest of the system, including the operating system.
Titan M2 ensures that the device cannot be remotely compromised by requiring the
side buttons of the device to be physically pressed for some sensitive operations.
Titan M2 also takes the role of
<a class="table-link" href="https://source.android.com/docs/security/best-practices/hardware#strongbox-keymaster"
>Android StrongBox Keymaster</a>,
a <a class="table-link" href="https://source.android.com/docs/security/features/keystore"
>hardware-backed Keystore</a> containing sensitive user keys which are unavailable to
the OS or apps running on it without authorisation from Titan M2 itself.
<a class="table-link" href="https://android-developers.googleblog.com/2018/05/insider-attack-resistance.html"
>Insider attack resistance</a> ensures that Titan M2 firmware can be flashed only if the user PIN/password
is already known, making it impossible to backdoor the device without already knowing
these secrets.<br>
<br>
Google Pixel device kernels are compiled with
<a class="table-link" href="https://android-developers.googleblog.com/2018/10/control-flow-integrity-in-android-kernel.html"
>forward-edge control-flow integrity</a> and
<a class="table-link" href="https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux_30.html"
>backward-edge control-flow integrity</a> to prevent code reuse attacks against
the kernel. MAC address randomisation is
<a class="table-link" href="https://android-developers.googleblog.com/2017/04/changes-to-device-identifiers-in.html"
>implemented well, along with minimal probe requests and randomised initial sequence numbers</a>.<br>
<br>
Google releases
<a class="table-link" href="https://source.android.com/docs/security/bulletin/pixel/"
>guaranteed monthly security updates</a>, ensuring Google Pixel devices are
up-to-date and quickly protected against security vulnerabilities.<br>
<br>
Pixel 6-series devices are a large improvement over the already very secure and private
previous generation Pixel devices. They replace ARM-based Titan M with RISC-V-based Titan M2,
reducing trust by removing ARM from the equation. Titan M2 is more resilient to attacks than
Titan M, and is
<a class="table-link" href="https://www.tuv-nederland.nl/assets/files/cerfiticaten/2022/09/nscib-cc-22-0228971-cert-final.pdf"
>AVA_VAN.5 certified</a>, the highest level of vulnerability assessment. Google's
in-house Tensor SoC includes Tensor Security Core, further improving device security.<br>
Pixel 6-series devices are supported for a
<a class="table-link" href="https://support.google.com/nexus/answer/4457705#zippy=%2Cpixel-and-later"
>minimum of 5 years from launch</a>, an increase from
previous generations'
<a class="table-link" href="https://support.google.com/nexus/answer/4457705#zippy=%2Cpixel-xl-a-a-g-and-a-g"
>support lifecycles of 3 years</a>.</td>
</tr>
</table>
<br>
<br>
<h3>Software I Use</h3>
<h4>Desktop</h4>
<table>
<tr>
<td>Type</td>
<td>Software</td>
<td>Description</td>
<td>Source model<br>
<br>
(License)</td>
</tr>
<tr>
<td>Operating system</td>
<td><img src="img/logo-gentoo_linux.png" width="100px" height="100px"/><br>
<br>
Gentoo Linux</td>
<td>Gentoo Linux is a highly modular, source-based Linux-based operating system
which allows vast customisation to tailor the operating system to suit your specific
needs. There are many advantages to such an operating system, with the most notable
being the ability to optimise the software for security, privacy, performance,
or power usage; however, there are effectively unlimited other use cases, or a
combination of multiple use cases.<br>
<br>
I have focused on security hardening and privacy hardening, placing performance below
those aspects, although my system is still very performant. Some of the hardening I
apply includes stack protection, signed integer overflow wrapping, and GrapheneOS'
hardened_malloc memory allocator.<br>
<br>
You can find my personal Gentoo Linux configuration in my personal
<a class="table-link" href="https://git.inferencium.net/inference/cfg/"
>configuration repository</a>.</td>
<td>Open source<br>
<br>
(GPLv2-only)</td>
</tr>
<tr>
<td>Web browser</td>
<td><img src="img/logo-chromium.png" width="100px" height="100px"/><br>
<br>
Chromium</td>
<td>Chromium is a highly secure web browser which is often ahead of other
web browsers in security aspects. It has a dedicated security team and a
very impressive
<a class="table-link" href="https://www.chromium.org/Home/chromium-security/brag-sheet/"
>security brag sheet</a>.
Chromium's security features include a strong
<a class="table-link" href="https://code.google.com/p/chromium/wiki/LinuxSandboxing"
>multi-layer sandbox</a>,
strong <a class="table-link" href="https://www.chromium.org/Home/chromium-security/site-isolation"
>site isolation</a>,
<a class="table-link" href="https://www.chromium.org/Home/chromium-security/binding-integrity"
>Binding Integrity</a> memory hardening, and
<a class="table-link" href="https://www.chromium.org/developers/testing/control-flow-integrity/"
>control-flow integrity (CFI)</a>.<br>
<br>
You can learn more about Chromium by visiting its
<a class="table-link" href="https://www.chromium.org/Home/"
>official website</a> which provides extensive documentation.</td>
<td>Open source<br>
<br>
(BSD 3-Clause)</td>
</tr>
</table>
<h4>Smartphone</h4>
<table>
<tr>
<td>Type</td>
<td>Software</td>
<td>Description</td>
<td>Source model<br>
<br>
(License)</td>
</tr>
<tr>
<td>Operating system</td>
<td><img src="img/logo-grapheneos.png" width="100px" height="100px"/><br>
<br>
GrapheneOS</td>
<td>GrapheneOS is a security-hardened, privacy-hardened, secure-by-default
Android-based operating system which implements extensive, systemic security
and privacy hardening to the Android Open Source Project used as its base
codebase. Its hardening includes closing gaps for apps to access sensitive
system information, a secure app spawning feature which avoids sharing address
space layout and other secrets AOSP's default Zygote app spawning model would
share,
<a class="table-link" href="https://github.com/GrapheneOS/kernel_gs-gs101/"
>hardened kernel</a>, hardened memory allocator
(<a class="table-link" href="https://github.com/GrapheneOS/hardened_malloc/"
>hardened_malloc</a>) to protect against common memory corruption vulnerabilities,
<a class="table-link" href="https://github.com/GrapheneOS/platform_bionic/"
>hardened Bionic standard C library</a>,
<a class="table-link" href="https://github.com/GrapheneOS/platform_system_sepolicy/"
>stricter SELinux policies</a>, and local and remote hardware-backed attestation
(<a class="table-link" href="https://attestation.app/about/"
>Auditor</a>) to ensure the OS has not been corrupted or tampered with.
GrapheneOS only supports devices which receive
full support from their manufacturers, including firmware updates, long support
lifecycles, secure hardware, and overall high security practices.<br>
<br>
For an extensive list of features GrapheneOS provides, visit its
<a class="table-link" href="https://grapheneos.org/"
>official website</a> which provides extensive documentation.</td>
<td>Open source<br>
<br>
(MIT)</td>
</tr>
<tr>
<td>Web browser</td>
<td><img src="img/logo-vanadium.png" width="100px" height="100px"/><br>
<br>
Vanadium</td>
<td>Vanadium is a security-hardened, privacy-hardened Chromium-based web browser
which utilises GrapheneOS' operating system hardening to implement stronger
defenses to the already very secure Chromium web browser. Its hardening alongside
Chromium's base security features includes disabling JavaScript just-in-time (JIT)
compilation by default, stubbing out the battery status API to prevent abuse of it,
and always-on Incognito mode as an option.<br>
<br>
Vanadium's source code, including its Chromium patchset, can be found in its
<a class="table-link" href="https://github.com/GrapheneOS/Vanadium/"
>official repository</a>.</td>
<td>Open source<br>
<br>
(GPLv2-only)</td>
</tr>
</table>
<br>
<br>
</body>
</html>