chromium VS termux-packages

We had a close call with malvertising ourselves, so we wrote an osquery query to alert on .dmg/.iso/.pkg downloads from unknown sources:

https://github.com/chainguard-dev/osquery-defense-kit/blob/m...

This query should not be your only line of defense, but can provide an early heads up before the package is opened. You can deploy this query with Kolide, as it uses osquery under the hood.

It was once possible to have a query like this that worked on Linux using the user.xdg.origin.url extended file attribute, but Chromium dropped support for it in 2019 for privacy reasons: https://chromium.googlesource.com/chromium/src/+/a9b4fb70b43...

Steps to reproduce:

1. Clone <https://chromium.googlesource.com/chromium/src>.

2. Navigate to this directory in Emacs dired.

3. Run magit-status.

4. Observe how long it takes for Emacs to become responsive again. For me it's 28 seconds, while running git status in the terminal takes 6 seconds.

The last one is very anglo-centric (or at least centric to fully latinized languages). Do you not find the rules[0] in for example chrome working?

[0]: https://chromium.googlesource.com/chromium/src/+/main/docs/i...

I don't think "airtight hatchway" applies here because what is to say the entry point isn't exploiting w3wp.exe remotely and executing code from the stack. Then let's say a memory page containing FREB code has permission PAGE_EXECUTE_READWRITE set (a plausible possibility for JIT compiling akin to eBPF), providing a convenient (and plausibly deniable) location for an extended amount of malicious code to be stored and executed from. Or w3wp.exe has permission to create a new memory page with PAGE_EXECUTE_READWRITE set and again this is plausibly deniable because FREB may need to do similar for JIT compiling. It it were almost any other process, a memory page set to PAGE_EXECUTE_READWRITE would sound alarm bells (or at least it should).

The second aspect is how well is w3wp.exe isolated? Can and does it use "AppContainer" isolation and is it strict? For example, could code executed by w3wp.exe create a new network socket, execute another process, write to a file in any path even though it shouldn't have a need to do so? Perhaps a different process sample123.exe is compromised, which by itself isn't too much of a problem due to its high degree of isolation. However, sample123.exe has permission to write to a pipe shared with w3wp.exe and can use this permission to exploit a bug in w3wp.exe (not exposed remotely) to allow code to execute with different/higher permissions of w3wp.exe, or using a plausibly deniable PAGE_EXECUTE_READWRITE memory page of w3wp.exe to store and execute code from without immediately sounding alarm bells.

_If_ strong process isolation was in place and working for w3wp.exe and/or sample123.exe, the "airtight hatchway" may not have been breached because whilst malicious code may have been executable from a stack, the malicious code wouldn't have been able to achieve much or anything of concern (can't read files from disk, can't access memory of other processes, can't login to a SQL database and start pulling data of other users, etc, etc).

I'm not sure what the equivalent of "systemd-analyze security" is for Windows, but it'd be well worthwhile for Windows system owners to demand similar easy-to-use tools for auditing the level of isolation of and required interfaces between applications (spoiler: just like a typical Linux system, the results will not be comforting, but seemingly with Windows you wouldn't know). Windows process isolation features introduced over the years are poorly documented, hard to use due to lack of tooling and often not used except for a few high profile applications such as Chromium and Adobe Acrobat. Chromium possibly has one of the best overviews of how sandboxing/process isolation can be achieved in Windows because they would have gone through a lot of pain in being amongst the first to figure it out[1].

[1] https://chromium.googlesource.com/chromium/src/+/HEAD/docs/d...

I am more paranoid and cautious than, say, 95% of the programmers I've known. Maybe more. I still don't trust myself to write safe C.

Specifically, I do not think I'm smart enough to violate the Chrome team's Rule of 2: https://chromium.googlesource.com/chromium/src/+/master/docs...

> The Rule Of 2 is: Pick no more than 2 of untrustworthy inputs; unsafe implementation language; and high privilege.

I do know of a few C programmers I'd trust: DJB, many of the OpenBSD team, the Dovecot maintainers, and a few others with long track records of security.

But I don't trust myself because I've used fuzzers on my Rust code, trying billions of inputs. And I've found DDOS bugs that would have been crashing bugs in C.

What's more damning, the most careful C code I ever wrote has an enormous, sneaky test suite. It was tested with every sanitizer I could find. It used carefully designed error handling conventions. Still, in the last 20 years, it has been the subject of several CVEs. You see, I relied on a high-quality 3rd party XML parser, and that parser had a handful of bugs.

Out of 7 billion people on this planet, the number that I'd personally trust to reliaby write CVE-free C code is in the low triple digits. I'm not one of them.

Understanding Rust is a cakewalk compared to understanding "undefined behavior" in the C standard, or to making sure a large C program never overflows an addition, or accesses memory out of bounds. But Rust is not the only option.

As an industry, we need to stop making the same endless security mistakes. It's not OK.

Time to dig out my Wyse 50 again! https://chromium.googlesource.com/chromium/src/+/HEAD/docs/o...

Thanks. Yes, rendering and shaping are distinct but some of the linked libraries did one, the other, or both and the parent commenter singled out rastering which is how I ended up putting FreeType and HarfBuzz in the same sentence. Even then both are commonly used in tandem (see [1]-[9]) and have a few overlapping functionalities.

> it does support BiDi, complex script shaping

Hey, that is indeed quite good. Would you mind if I ask you how well is the support for popular Asian languages?

> linking C and Rust in WASM is unfortunately not really possible

Damn. I am not very experienced in Rust but I would not have guessed that. I apologize if I misrepresented difficulties related to targeting WASM.

[1] https://github.com/apple-oss-distributions/WebKit/tree/WebKi...

[2] https://github.com/apple-oss-distributions/WebKit/tree/WebKi...

[3] https://github.com/chromium/chromium/tree/main/third_party/f...

[4] https://github.com/chromium/chromium/tree/main/third_party/h...

[5] https://searchfox.org/mozilla-central/source/modules/freetyp...

[6] https://searchfox.org/mozilla-central/source/gfx/harfbuzz

[7] https://cs.android.com/android/platform/superproject/+/maste...

[8] https://cs.android.com/android/platform/superproject/+/maste...

[9] https://www.amazon.com/gp/help/customer/display.html?nodeId=...

Hello i like Linux too . and check https://github.com/termux/termux-packages/issues/15579

Please begin to use https://termux.dev instead, since termux.org is uncontrolled

and link: https://github.com/termux/termux-packages/wiki/Termux-and-Android-10

When Google announced changes introduced in Android 10 and raised SDK requirements of Play Store, it became obvious that further Termux existence on Play Store is questionable. Basically at the same point Fornwall reduced development activity on the project but still was present in discussions regarding the Android 10 problem until finally disappeared. Fornwall made few appearances later, but totally ignored all our requests to unpublish the app from Play Store.

You can run XMRig through Termux.

Initially Android 5/6 was dropped[0] since 2020-01-01, but this year it was decided to bring Android 5/6 support back.[1]

[0] https://github.com/termux/termux-packages/issues/4467

[1] https://github.com/termux/termux-app/pull/2740

Termux has an open source repository of packages. It's similar to arch, debian, alpine, etc. https://github.com/termux/termux-packages

Termux doesn't get special privileges unless you root your device. It can't go messing with your phone data unless you granted it permission to do so (but even then it doesn't have access to everything). It's no worse than any other Android app IMHO.