Inferencium/website
1
0
Fork 0
Code Issues Activity

Add sources. Improve links.

Browse Source
This commit is contained in:
inference 2022-11-07 09:06:58 +00:00
commit 3d725d57e8
1 changed files with 51 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
about.html
View File

@ -57,33 +57,35 @@
Google Pixel 6</td>
<td>Google Pixel devices are the best Android devices available on
the market for
<a class="table-link" href="https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html">security and privacy</a>.<br>
<a class="table-link" href="https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html"
>security and privacy</a>.<br>
<br>
They allow locking the bootloader with a
<a class="table-link" href="https://android.googlesource.com/platform/external/avb/+/master/README.md#pixel-2-and-later">custom Android Verified Boot (AVB)
key</a> in order to preserve security and privacy features when installing a custom
<a class="table-link" href="https://android.googlesource.com/platform/external/avb/+/master/README.md#pixel-2-and-later"
>custom Android Verified Boot (AVB) key</a> in order to preserve security and privacy features when installing a custom
operating system, such as
<a class="table-link" href="https://source.android.com/docs/security/features/verifiedboot/">verified boot</a>
which verifies that the OS has not been corrupted or tampered with, and
<a class="table-link" href="https://source.android.com/docs/security/features/verifiedboot/verified-boot#rollback-protection">rollback protection</a>
which prevents an adversary from rolling back the OS or firmware version to a
<a class="table-link" href="https://source.android.com/docs/security/features/verifiedboot/"
>verified boot</a> which verifies that the OS has not been corrupted or tampered with, and
<a class="table-link" href="https://source.android.com/docs/security/features/verifiedboot/verified-boot#rollback-protection"
>rollback protection</a> which prevents an adversary from rolling back the OS or firmware version to a
previous version with known security vulnerabilities.<br>
<br>
They also include a
<a class="table-link" href="https://developer.android.com/training/articles/keystore#HardwareSecurityModule">hardware security module</a>
(Titan M2, improving on the previous generation
<a class="table-link" href="https://security.googleblog.com/2018/10/building-titan-better-security-through.html">Titan M</a>)
which is extremely resistant to both remote and physical attacks due to being
<a class="table-link" href="https://developer.android.com/training/articles/keystore#HardwareSecurityModule"
>hardware security module</a> (Titan M2, improving on the previous generation
<a class="table-link" href="https://security.googleblog.com/2018/10/building-titan-better-security-through.html"
>Titan M</a>) which is extremely resistant to both remote and physical attacks due to being
completely isolated from the rest of the system, including the operating system.
Titan M2 ensures that the device cannot be remotely compromised by requiring the
side buttons of the device to be physically pressed for some sensitive operations.
Titan M2 also takes the role of
<a class="table-link" href="https://source.android.com/docs/security/best-practices/hardware#strongbox-keymaster">Android StrongBox Keymaster</a>,
a <a class="table-link" href="https://source.android.com/docs/security/features/keystore">hardware-backed Keystore</a>
containing sensitive user keys which are unavailable to
<a class="table-link" href="https://source.android.com/docs/security/best-practices/hardware#strongbox-keymaster"
>Android StrongBox Keymaster</a>,
a <a class="table-link" href="https://source.android.com/docs/security/features/keystore"
>hardware-backed Keystore</a> containing sensitive user keys which are unavailable to
the OS or apps running on it without authorisation from Titan M2 itself.
<a class="table-link" href="https://android-developers.googleblog.com/2018/05/insider-attack-resistance.html">Insider attack
resistance</a> ensures that Titan M2 firmware can be flashed only if the user PIN/password
<a class="table-link" href="https://android-developers.googleblog.com/2018/05/insider-attack-resistance.html"
>Insider attack resistance</a> ensures that Titan M2 firmware can be flashed only if the user PIN/password
is already known, making it impossible to backdoor the device without already knowing
these secrets.<br>
<br>
@ -144,10 +146,12 @@
I have focused on security hardening and privacy hardening, placing performance below
those aspects, although my system is still very performant. Some of the hardening I
apply includes stack protection, signed integer overflow wrapping, and GrapheneOS'
hardened_malloc memory allocator.<br>
<a class="table-link" href="https://github.com/GrapheneOS/hardened_malloc/"
>hardened_malloc</a> memory allocator.<br>
<br>
You can find my personal Gentoo Linux configuration in my personal
<a class="table-link" href="https://git.inferencium.net/inference/cfg/">configuration respository</a>.</td>
<a class="table-link" href="https://git.inferencium.net/inference/cfg/"
>configuration respository</a>.</td>
<td>Open source<br>
<br>
(GPLv2-only)</td>
@ -160,17 +164,21 @@
<td>Chromium is a highly secure web browser which is often ahead of other
web browsers in security aspects. It has a dedicated security team and a
very impressive
<a class="table-link" href="https://www.chromium.org/Home/chromium-security/brag-sheet/">security brag sheet</a>.
<a class="table-link" href="https://www.chromium.org/Home/chromium-security/brag-sheet/"
>security brag sheet</a>.
Chromium's security features include a strong
<a class="table-link" href="https://code.google.com/p/chromium/wiki/LinuxSandboxing">multi-layer sandbox</a>,
strong <a class="table-link" href="https://www.chromium.org/Home/chromium-security/site-isolation">site isolation</a>,
<a class="table-link" href="https://www.chromium.org/Home/chromium-security/binding-integrity">Binding Integrity</a>
memory hardening, and
<a class="table-link" href="https://www.chromium.org/developers/testing/control-flow-integrity/">control-flow integrity (CFI)</a>.<br>
<a class="table-link" href="https://code.google.com/p/chromium/wiki/LinuxSandboxing"
>multi-layer sandbox</a>,
strong <a class="table-link" href="https://www.chromium.org/Home/chromium-security/site-isolation"
>site isolation</a>,
<a class="table-link" href="https://www.chromium.org/Home/chromium-security/binding-integrity"
>Binding Integrity</a> memory hardening, and
<a class="table-link" href="https://www.chromium.org/developers/testing/control-flow-integrity/"
>control-flow integrity (CFI)</a>.<br>
<br>
You can learn more about Chromium by visiting its
<a class="table-link" href="https://www.chromium.org/Home/">official website</a>
which provides extensive documentation.</td>
<a class="table-link" href="https://www.chromium.org/Home/"
>official website</a> which provides extensive documentation.</td>
<td>Open source<br>
<br>
(BSD 3-Clause)</td>
@ -198,21 +206,25 @@
system information, a secure app spawning feature which avoids sharing address
space layout and other secrets AOSP's default Zygote app spawning model would
share,
<a class="table-link" href="https://github.com/GrapheneOS/kernel_gs-gs101/">hardened kernel</a>,
hardened memory allocator
(<a class="table-link" href="https://github.com/GrapheneOS/hardened_malloc/">hardened_malloc</a>)
to protect against common memory corruption vulnerabilties,
<a class="table-link" href="https://github.com/GrapheneOS/platform_bionic/">hardened Bionic standard C library</a>,
<a class="table-link" href="https://github.com/GrapheneOS/platform_system_sepolicy/">stricter SELinux policies</a>,
and local and remote hardware-backed attestation
(<a class="table-link" href="https://attestation.app/">Auditor</a>) to ensure the OS has
not been corrupted or tampered with. GrapheneOS only supports devices which receive
<a class="table-link" href="https://github.com/GrapheneOS/kernel_gs-gs101/"
>hardened kernel</a>, hardened memory allocator
(<a class="table-link" href="https://github.com/GrapheneOS/hardened_malloc/"
>hardened_malloc</a>) to protect against common memory corruption vulnerabilties,
<a class="table-link" href="https://github.com/GrapheneOS/platform_bionic/"
>hardened Bionic standard C library</a>,
<a class="table-link" href="https://github.com/GrapheneOS/platform_system_sepolicy/"
>stricter SELinux policies</a>, and local and remote hardware-backed attestation
(<a class="table-link" href="https://attestation.app/about/"
>Auditor</a>) to ensure the OS has not been corrupted or tampered with.
GrapheneOS only supports
<a class="table-link" href="https://grapheneos.org/faq#device-support"
>high security and well-supported devices</a> which receive
full support from their manufacturers, including firmware updates, long support
lifecycles, secure hardware, and overall high security practices.<br>
<br>
For an extensive list of features GrapheneOS provides, visit its
<a class="table-link" href="https://grapheneos.org/">official website</a>
which provides extensive documentation.</td>
<a class="table-link" href="https://grapheneos.org/features/"
>official website</a> which provides extensive documentation.</td>
<td>Open source<br>
<br>
(MIT)</td>
@ -230,7 +242,8 @@
and always-on Incognito mode as an option.<br>
<br>
Vanadium's source code, including its Chromium patchset, can be found in its
<a class="table-link" href="https://github.com/GrapheneOS/Vanadium/">official repository</a>.</td>
<a class="table-link" href="https://github.com/GrapheneOS/Vanadium/"
>official repository</a>.</td>
<td>Open source<br>
<br>
(GPLv2-only)</td>