by zeropoint46 1796 days ago
Just curious if maybe you or anyone else knows. Are alternative OSes such as Lineage, postmarketOS, CopperheadOS, etc. safe from this exploit?
2 comments

GrapheneOS is an Android distribution focused on security and it's likely to protect you from this. Read this Twitter thread https://twitter.com/GrassFedBitcoin/status/14168360691237847....

>GrapheneOS is heavily focused on security enhancements making exploitation significantly harder:

>grapheneos.org/features

>Those other operating systems [Calyx and Lineage] don't improve resistance against exploitation and won't provide more resistance against an exploit working against AOSP/stock.

>If they specifically target GrapheneOS and put work into adjusting their exploit chains and finding new bugs as necessary, then they could certainly develop an exploit working against GrapheneOS. Costs will be higher and they'll usually need to specifically take it into account.

>Firmware exposed to remote attack surface like the radios (Wi-Fi, Bluetooth, cellular, NFC) and GPU is generally a lot harder to exploit than the OS and those components are isolated. It's much rarer and generally involves using an OS exploit to bypass the component isolation.

>Nearly all of these exploits are memory corruption bugs. GrapheneOS does actually provide hardening for firmware through attack surface reduction including the LTE only mode and other features. It can't directly harden firmware, but it can avoid exposing as much attack surface.

>So, for example, with the GrapheneOS 4G only mode enabled, vulnerabilities in 2G, 3G and 5G are not usable to exploit the cellular radio, only those exposed by 4G.

>The radio firmware also does have substantial hardening and internal sandboxing, but GrapheneOS can't improve it.

>GrapheneOS also fortifies the OS against exploitation by an attacker that has gained code execution on a component like the GPU or radio.

>Main hardening we provide is for the most common path of exploiting an RCE bug in userspace and then exploiting the kernel to escape sandbox.

GrapheneOS runs only on Pixel phones which have great hardware security.

Also, DON'T USE CopperheadOS: https://grapheneos.org/history/copperheados

Likely not; they might be, by chance - but the exploits are often for bugs in places like media parsing libraries (e.g. JPEG decoder), which are not usually modified in those alternatives.

Different compile settings might render an exploit ineffective. But I’d expect any remotely popular Android derivative (e.g. Lineage) to be tested by the attacker - and even postmarketOS, which is not Android-based, is likely to use some of the same media parsing libraries.