First of all, wow and thank you so much for your hard and tireless work! That's an incredible list of changes and new features, I'm really impressed!
I've tried to read up on the following two features:
- Settings: add per-app memory dynamic code loading restriction toggle (applies to both native code and Android Runtime class loading for Java/Kotlin)
and
- Settings: add per-app WebView JIT restriction toggle
I found this description helpful:
The vast majority of local and remote code execution vulnerabilities are memory corruption bugs caused by memory unsafe languages or rare low-level unsafe code in an otherwise memory safe language. Most of the remaining issues are caused by dynamic code execution/loading features. Our main focus is on preventing or raising the difficulty of exploiting memory corruption bugs followed by restricting dynamic code execution both to make escalation from a memory corruption bug harder and to directly mitigate bugs caused by dynamic code loading/generation/execution such as a JIT compiler bug or a plugin loading vulnerability.
source: https://grapheneos.org/features
Can I imagine using these toggles similarly to the memory tagging and native code debugging toggles (the most secure setting is on by default, as with the settings mentioned above, and if an app crashes with these settings, I can then switch the memory dynamic code loading restriction and/or the WebView JIT restriction on or off)?
By the way: if anyone has an easy-to-understand explanation of how dynamic code loading and WebView JIT work, it would be great if you could share it.
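The "dynamic code generation/execution" the quoted passage refers to is easiest to see in a tiny JIT: a program that writes machine code into a buffer at run time, makes that buffer executable, and calls it. The following is an added illustration written for this thread; it is not code from the original post, from GrapheneOS, or from Android's WebView. It assumes Linux on x86-64 or aarch64 and uses `mprotect` for the writable-to-executable step; that step is the pattern an in-memory dynamic code loading restriction is designed to deny, but exactly which operations GrapheneOS blocks is not stated on this page and is an assumption here.

```c
/* Minimal JIT: generate a native function at run time, then call it.
 * Added illustration, not GrapheneOS or Android code.
 * Assumes Linux on x86-64 or aarch64 (other targets report failure). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*const_fn)(void);

/* Write machine code for "return value" into buf.
 * Returns the number of bytes emitted, or 0 if unsupported. */
static size_t emit_return_const(uint8_t *buf, int32_t value) {
    /* Keep to 16-bit immediates so both encodings below are valid. */
    if (value < 0 || value > 0xFFFF) return 0;
#if defined(__x86_64__)
    /* mov eax, imm32 ; ret */
    buf[0] = 0xB8;
    memcpy(buf + 1, &value, 4);
    buf[5] = 0xC3;
    return 6;
#elif defined(__aarch64__)
    /* movz w0, #imm16 ; ret */
    uint32_t movz = 0x52800000u | ((uint32_t)value << 5);
    uint32_t ret  = 0xD65F03C0u;
    memcpy(buf, &movz, 4);
    memcpy(buf + 4, &ret, 4);
    return 8;
#else
    (void)buf;
    return 0;
#endif
}

/* Generate a function returning `value` and call it.
 * Returns the value produced by the generated code, or -1 on failure. */
int jit_return_const(int32_t value) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    size_t len = (size_t)page;

    /* Step 1: a writable, non-executable page to hold the generated code. */
    uint8_t *code = mmap(NULL, len, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (code == MAP_FAILED) return -1;

    size_t n = emit_return_const(code, value);
    if (n == 0) {
        munmap(code, len);
        return -1;
    }

    /* Step 2: flip the page from writable to executable (W -> X).
     * This is the transition a memory-based dynamic code loading restriction
     * targets; on a system that denies it, mprotect fails here and the
     * program takes the error path instead of running the new code.
     * (Assumption: the exact enforcement mechanism is not on the page.) */
    if (mprotect(code, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(code, len);
        return -1;
    }
    /* Required on aarch64 so the instruction cache sees the new bytes. */
    __builtin___clear_cache((char *)code, (char *)code + n);

    /* Step 3: call the bytes we just wrote as if they were a compiled function. */
    const_fn fn;
    memcpy(&fn, &code, sizeof fn);
    int result = fn();

    munmap(code, len);
    return result;
}

int main(void) {
    int r = jit_return_const(42);
    if (r < 0) {
        perror("jit_return_const");
        return 1;
    }
    printf("generated function returned %d\n", r);
    return r == 42 ? 0 : 1;
}
```

A WebView JIT does the same three steps at a much larger scale, compiling hot JavaScript into native code on the fly; disabling it keeps the engine in its interpreter and removes the need for any writable-then-executable memory in that process. The example also shows why a blocked app would surface as a crash or error rather than misbehaving silently: the denial happens at the protection change, before any generated code runs.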