Question regarding best use of auditor app

DeltaSlim

Hello everyone,

I have been a Graphene user for several years now. My threat model is particularly intense, i.e. it would not be unreasonable for my Graphene device to be targeted with sophisticated spyware. For this reason I heavily rely on the hardware-based attestation used by the auditor app to verify that my device has not been compromised in a persistent way (I am aware that, of course, this would not catch all malicious apps and processes, only those that "root" the device and modify the OS).

I also use multiple profiles to isolate various activities on my Graphene device. The way the device is set up currently, I use the auditor app in the owner profile to periodically verify that the unmodified official release of GoS is running, and all my activities are in various other profiles (i.e., if I were to receive a malicious message or interact with a malicious asset that would happen in a profile other than the owner profile). I do not use the auditor in any of those other profiles because, from what I understand, that would be redundant and therefore pointless.

Is that understanding correct? Or is there some theoretical benefit I am missing to also using the auditor in profiles other than the owner profile? This may be a stupid question, but is there a theoretical universe in which an adversary compromises only a user profile, doesn't touch the owner profile, and if I had had the remote verification turned on in said user profile I would have caught the compromise? To put it differently, is it possible there is something I may miss by only relying on the auditor in the owner profile?

I appreciate any thoughts/guidance on this

All the best
DS

Watermelon

DeltaSlim I am aware that, of course, this would not catch all malicious apps and processes, only those that "root" the device and modify the OS

This isn't true. Attestation relays the verified boot information captured during the last boot. It doesn't and can't recheck your OS while it's still running. (Worth noting that GrapheneOS made it so there's constant cryptographic verification of system apps on every read of them rather than just at boot/launch time and at install time. But still, the whole point of verified boot is that there's a chain of verification from the hardware, and since the verification happens by software running on the main CPU (boot ROM -> bootloader -> OS -> etc), the logical conclusion is that for it to be secure there has to be verification of each component before execution is transferred to it, with the exception of the boot ROM which is physically immutable.) If you want to reverify the OS, do a reboot. The “GrapheneOS (unmodified official release)” line in the Auditor output it more for identifying the identity of the operating system, to know you've not installed an unofficial mod of GrapheneOS — don't expect it to change after the initial verification.

DeltaSlim I do not use the auditor in any of those other profiles because, from what I understand, that would be redundant and therefore pointless.

Is that understanding correct?

The OS and hardware are the same regardless of the user profile, so I don't see the benefit in checking from them. There's also the disadvantage that the Auditor app would probably run like new without the existing pairings it has in the other profiles. (I never tried using it from a different profile, but I'd be very surprised if the pairings are shared across profiles. I expect pairings to be app data, and app data isn't supposed to be common across profiles.)

You might want to see a previous post I wrote:
https://discuss.grapheneos.org/d/28682-maximum-security-and-anonymity/4
(See item #9)
Edit: In the linked post I talked about doing the initial verification from Safe Mode. Do NOT delete the existing pairing!!! Do it from Safe Mode, confirm the dates there are what you expect them to be, and then remember these dates for all future times.

I also recommend you to reboot at least once a day, ideally even more.

DeltaSlim

Watermelon

I really appreciate the detailed reply my friend, and indeed I took a look at the other post (I had been unaware of this method involving using safe mode for initial verification, that's brilliant!)

In your post you say this "You're only secure if all of the info reported by Auditor matches your expectations and doesn't have any warnings; otherwise, either there's some fault somewhere, or something malicious happened."

What I've not seen anywhere is a real clean explanation of what exactly we could expect to see in the event that spyware were to fire on a Graphene device. Suppose some NGO group-style spyware were to fire and it is persistent spyware which roots the device. Surely at the level of the infected device it would boot in a way that mimics the boot process for GOS. What could the person with the infected device expect to see were they to attempt to use the auditor with another device and they had already performed initial verification? I suppose either a message indicating that the device had failed the check or a successful "pass" to another HSM? Is that right?

Without having bad OPSEC and giving away too much, I do a lot of work with other individuals who have extreme threat models and especially after all of this bullshit fanfare around the latest iPhone's memory integrity enforcement, I find myself spending a lot of time justifying still recommending everyone use Graphene over ios. Some arguments for this are obvious (as far as I am concerned proprietary operating systems are spyware, ios collects a lot of telemetry on users, Apple has adversarial politics and in any case you should not be trusting any third party, especially not a big US corporation, with information that could burn you or your contacts, etc etc), but it is a bit more difficult arguing that Graphene is more resilient than ios to targeted spyware if the ios device is one of the latest with MIE and has lockdown mode enabled. I of course point out that features like the duress password and disabling USB-C are critical mitigations for situations where an adversary has physical access, but on spyware specifically a lot of my argument falls back on the strength of the auditor in guaranteeing that the device has not been compromised with persistent spyware. Can you help me understand if there is anything I am missing in that assertion? I know GOS does a lot to harden the OS in general, but it seems to me that a user being able to have virtual certainty that persistent spyware has not infected the device is massive.

de0u

DeltaSlim Suppose some NGO group-style spyware were to fire and it is persistent spyware which roots the device. Surely at the level of the infected device it would boot in a way that mimics the boot process for GOS.

If the malware doesn't compromise the bootloader itself (I don't think this has been demonstrated so far) then corrupting the system partition would be caught by verified boot.

My sense is that so far NSO-like malware corrupts messaging apps, which is a much lower bar. Are there events to date in which malware has corrupted a system partition without being detected by verified boot?

de0u

DeltaSlim I do a lot of work with other individuals who have extreme threat models and especially after all of this bullshit fanfare around the latest iPhone's memory integrity enforcement, I find myself spending a lot of time justifying still recommending everyone use Graphene over ios.

I think Apple's recent hardware and software upgrade to memory integrity is a genuine improvement. One advantage Apple has is that they control and can upgrade the system software fairly quickly, which Google has struggled with -- the GrapheneOS project has been forced to disable MTE for various Google blobs because (empirically) Google hasn't yet been able to leverage MTE trips into fixes. In some cases (e.g., baseband), Google doesn't control that code for existing devices. Now that Apple makes their own cellular and Wi-Fi/Bluetooth chips, they don't face that obstacle.

I think it will be very interesting to see the next Cellebrite capability-matrix leak: will they still be able to get into the latest iPhones?

Watermelon

DeltaSlim What I've not seen anywhere is a real clean explanation of what exactly we could expect to see in the event that spyware were to fire on a Graphene device.

Nothing. This is the truth. You're using the tool of attestation for something it can't fulfill. Read the next paragraphs.

DeltaSlim Surely at the level of the infected device it would boot in a way that mimics the boot process for GOS.

No. It would either get cleared away when you reboot, or stay on the device and re-exploit the OS at every boot. The latter can be mitigated by security updates that fix the vulnerability that allows this re-exploitation, so updates plus verified boot give you the powerful property of being able to heal from an infection, at least on the level of the OS, which is meaningful from a security point of view because the OS enforces security settings and permissions. It could still have infected other apps on the device not covered by verified boot.

DeltaSlim I suppose either a message indicating that the device had failed the check

Possible (that's included in what I said that you quoted), but unlikely.

DeltaSlim or a successful "pass" to another HSM?

Possible, and more likely than the previous because it's less noticeable, but it would be apparent in the Auditor app's report, and included in what I said that you quoted. You need to read the entire report and pay attention to the first line and the timestamps at the end.

DeltaSlim MIE

MIE is an inferior version security-wise of what GrapheneOS on Pixel 8 and newer has already provided much earlier than Apple. Read Apple's blog post, the memory tagging only covers “key” areas, whereas GrapheneOS covers almost the entire base OS including all preinstalled apps (including Vanadium, and the system WebView which other apps usually embed) in a mode which the GrapheneOS team claims is pretty much equivalent security-wise to the synchronous mode used now by Apple, in addition to being able to enforce memory tagging on any app you install, which is impossible in Apple.

DeltaSlim lockdown mode

Apple's Lockdown Mode is not a security feature, it's a security weakness. It ties together security features in a way that forces you to take all of them together if you can, or none of them if not. GrapheneOS provides all the benefits that Lockdown Mode/Android's “Advanced idontrememberwhatitscalled trash” enabled provide (and beyond) in the default installation, and doesn't tie together security features like this to allow you to have something in the middle in addition to the two extremes.

DeltaSlim I know GOS does a lot to harden the OS in general

This is the key here. You can't detect spyware compromise with Auditor, but the OS does much more to prevent and contain an advanced infection, and Auditor allows you to see that the OS is what you expect it to be (official GrapheneOS, roughly an up-to-date version) rather than an unofficial fake GrapheneOS version. Even if you consider the OS to be compromised, it doesn't necessarily mean that the OS-provided section in the Auditor output is completely untrustworthy, because all OS components are sandboxed, so an infected OS doesn't necessarily mean the OS was completely taken over.

de0u

Watermelon I just read the Wikipedia article on Pegasus (admittedly not a primary source). I don't see anything there that indicates persistence.

I think Auditor checks that a known (non-downgraded) bootloader booted a known (non-downgraded) OS that was properly signed by a known signing authority and that the OS launched a legitimate (non-downgraded) version of the Auditor app (source). I do not believe that Auditor checks the integrity of the running system or the integrity of any user-installed apps.

So, if -- hypothetically -- a messenger app received a "very evil" message, bad enough that the message being stored in the app's message store is enough to activate malware that would compromise the app and escape the app sandbox, then that would be bad, and it would be "persistent" as long as the messenger app's data storage included the "very evil" message. But I think the common case is "merely regularly evil" messages, meaning that the app is infected once when the message is received.

DeltaSlim Suppose some NGO group-style spyware were to fire and it is persistent spyware which roots the device. Surely at the level of the infected device it would boot in a way that mimics the boot process for GOS.

Personally I am not aware of malware that can do that on a phone with a verified boot path. Thus a "factory reset", which would delete all user-installed apps, would be enough to remove any malware that is unable to corrupt the bootloader. Note that for non-Apple desktop/laptop/server "PCs", there have been multiple demonstrations of persistent UEFI bootkits. In my opinion, the general state of UEFI code bases is gravely concerning.

Watermelon

de0u My sense is that so far NSO-like malware corrupts messaging apps, which is a much lower bar. Are there events to date in which malware has corrupted a system partition without being detected by verified boot?

I believe what Pegasus and the like do is compromise the messaging app, a web browser through a link you click on (I believe not all their infection methods are zero-click), or a lower-level component (baseband, kernel, etc) through a network compromise, and from there it exploits the OS itself and escapes the sandbox. And to avoid corrupting the system partition in a way that breaks booting or clears the infection, it's either not achieving persistence on the device (most people don't reboot their device so often, but let's not forget that spyware like Pegasus is sent to a victim by someone who's actively aware and trying to hack them, so they could send the infection again if it was cleared by a reboot very quickly thereafter) or it re-exploits the OS on every boot.

It's spyware like Graphite (heh) that I heard only infects the messaging app, which is brilliant when you consider the fact that many people have their entire digital life on it.

Novalissoide

de0u next Cellebrite capability-matrix leak

What worries me a bit is, what if there's no more of these leaks going forward, if they effectively 'plug the leaks'?

Watermelon

de0u I do not believe that Auditor checks the integrity of the running system or the integrity of any user-installed apps.

Indeed it doesn't and can't currently do this. About user-installed apps though, if GrapheneOS would come preloaded with pinned signing certificates for specific third-party package names, that might constitute an integrity check, although I don't know whether Android verifies apps with their signature on every launch or every read, or rather only what I know it does — on every install and update.

de0u

Watermelon if GrapheneOS would come preloaded with pinned signing certificates for specific third-party package names, that might constitute an integrity check [...]

This seems somewhat unlikely, since it would take a fair amount of developer time to keep that up to date, and to negotiate with everybody who would want their favorite app to be listed. What would happen when Google next changes their signature policy, or an app developer starts offering their app on a new web store...

Watermelon [...] I don't know whether Android verifies apps with their signature on every launch or every read, or rather only what I know it does — on every install and update.

Checking the app signature on every launch would be slow and also technically hard, because for GrapheneOS that would mean checking the APK and the compiled binary.

Watermelon

Honestly, I know where this thinking comes from, the thinking that Auditor verifies the integrity of the resident copy of the operating system. When I discovered it's not doing this, I was baffled. I think they could improve the description of the app to be more accurate and friendly to newbies, this was one of my earliest criticisms about GrapheneOS. But anyway, we can't expect Auditor to use a hardware capability that doesn't exist. They've improved the app with some really nice improvements in the meanwhile.

de0u

Watermelon Honestly, I know where this thinking comes from, the thinking that Auditor verifies the integrity of the resident copy of the operating system. When I discovered it's not doing this, I was baffled. I think they could improve the description of the app to be more accurate and friendly to newbies, this was one of my earliest criticisms about GrapheneOS.

Pull requests against the web site have been accepted. Small changes are more likely to be accepted, and also changes that closely match the style and conventions of the existing text.

If you think that adding or changing five words or less would help, it might make sense to give it a shot. Prepare text, fork the repo, commit to your repo, file an issue, make a draft pull request, wait for the syntax check to run, upgrade the draft pull request. Then probably wait a while!

Edit: if five words can't do it, try to hold it to ten, though the likelihood of acceptance will be lower.