Menu
Google beefs Linux up kernel defenses in Android

Google beefs Linux up kernel defenses in Android

New security changes in Android Nougat protect the kernel's memory and reduce its attack surface

Future versions of Android will be more resilient to exploits thanks to developers' efforts to integrate the latest Linux kernel defenses into the operating system.

Android's security model relies heavily on the Linux kernel that sits at its core. As such, Android developers have always been interested in adding new security features that are intended to prevent potentially malicious code from reaching the kernel, which is the most privileged area of the operating system.

One older example is Security Enhancements for Android (SEAndroid), a set of kernel add-ons and tools that make exploitation of certain vulnerabilities harder by enforcing access controls.

SEAndroid, which is based on the NSA-developed SELinux project, started being used to enforce the application sandbox boundaries in Android 4.3 (Jelly Bean).

In a blog post Wednesday, Jeff Vander Stoep, a member of the Android Security team, revealed some of the more recent kernel security additions that will make the upcoming Android Nougat and future Android versions harder to compromise. These include various memory protections, as well as changes intended to reduce the kernel's attack surface.

One new configuration option called CONFIG_DEBUG_RODATA segments the kernel memory into multiple sections and limits how much of this memory is writeable and executable. Attackers need writeable and executable memory pages in order to inject malicious code into them via exploits, and then run that code with kernel privileges.

Another config option, called CONFIG_CPU_SW_DOMAIN_PAN, prevents the kernel from directly accessing user space memory, giving attackers even less control over where their exploits can execute code.

The existing protection against stack-based buffer overflows, a family of memory corruption vulnerabilities, has also been improved by providing coverage for more array types, Vander Stoep said.

The attack surface of the kernel has been reduced by blocking default access to debugging features like the perf system, which used for performance monitoring. The access to IOCTL commands has also been restricted for third-party applications as much as possible without breaking legitimate functionality.

"Most of the kernel vulnerabilities reported on Android occur in drivers and are reached using the ioctl syscall," Vander Stoep said.

Android developers have also hardened the OS's media-handling processes, which have been a source of many vulnerabilities over the past year. This has been done through a sandboxing mechanism called seccomp, which was first introduced on Nexus devices in Android Lollipop. With Android Nougat, seccomp support will be required for all devices.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Events

Featured

Slideshows

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

This year’s Reseller News 30 Under 30 Tech Awards were held as an integral part of the first entirely virtual Emerging Leaders​ forum, an annual event dedicated to identifying, educating and showcasing the New Zealand technology market’s rising stars. The 30 Under 30 Tech Awards 2020 recognised the outstanding achievements and business excellence of 30 talented individuals​, across both young leaders and those just starting out. In this slideshow, Reseller News honours this year's winners and captures their thoughts about how their ideas of leadership have changed over time.​

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners
Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

This exclusive Reseller News Exchange event in Auckland explored the challenges facing the partner community on the cloud security frontier, as well as market trends, customer priorities and how the channel can capitalise on the opportunities available. In association with Arrow, Bitdefender, Exclusive Networks, Fortinet and Palo Alto Networks. Photos by Gino Demeer.

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security
Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomed 2019 inductees - Leanne Buer, Ross Jenkins and Terry Dunn - to the fourth running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing face of the IT channel ecosystem in New Zealand and what it means to be a Reseller News Hall of Fame inductee. Photos by Gino Demeer.

Reseller News welcomes industry figures at 2020 Hall of Fame lunch
Show Comments