
Google Improves Android Core Security

It is no secret that the Android kernel is largely based on the Linux kernel and inherits its security model. As on Linux and other desktop operating systems, Android gives each application an isolated virtual address space, which lets the system distribute resources between applications efficiently and manage their security. Android also provides applications with the DEP and ASLR mitigations, which make vulnerabilities in them harder to exploit. The sandbox mechanism and the permission system ensure that a running application gets access only to the data and resources intended for it.



Recently, Android developers reported that they are working on protective measures for kernel components, which run in their own address space that ordinary applications cannot access. The Android security bulletins we have published this year have repeatedly pointed out LPE vulnerabilities in the kernel and drivers that allowed an application to run its code in kernel mode.
According to the authors, new versions of Android will offer DEP in kernel mode, which will complicate the exploitation of LPE vulnerabilities and the placement of shellcode there. The technique is implemented through segmentation, that is, dividing kernel memory into sections and setting permissions on each of them. Sections that store code will be marked read-only and executable, and data sections will be marked non-executable (NX).

This feature is included in the section. Code is marked as read only + execute. Data sections.

Another security feature is similar to Supervisor Mode Access Prevention (SMAP), the protection built into Intel microprocessors that prevents kernel-mode code from accessing the user portion of the address space. Android introduces restrictions that isolate the kernel from direct access to such memory.

Directly accessing userspace memory. This can make it easier for attackers to significantly reduce the number of attacks over the memory card that is, it is particularly consistent with CONFIG_DEBUG_RODATA enabled.

Another protective measure is aimed at preventing stack buffer overflow attacks.

Protects against stack overflows, but also provides for protection against fragments. It has been added to the gcc 4.9 compiler.

The protective measures above concern how the Android kernel works with memory. Another category of new protective measures is called Attack Surface Reduction (ASR); it covers conceptual measures that cut off entire classes of attacks at once.

By default, ASR disables a debugging feature of the device that was previously available for all users to enable.

It can be used for analyzing both kernel and userspace applications. But it adds up to the Android users. In Android, access to perf will be blocked by default.

ASR also restricts applications' access to IOCTL operations on devices through the ioctl() system call. Since ioctl is used to exploit certain types of vulnerabilities, ASR introduces a whitelist of IOCTL operations that an application is allowed to use.

In Android, you can use the ioctl commands to be available. For select devices, applications' access to GPU ioctls has been similarly restricted.

ASR introduces a new feature called Seccomp, an additional security setting for the application isolation mechanism known as the sandbox. Seccomp uses a special filter to restrict an application running on Android from making certain system calls or from passing certain arguments to them. This function is similar to the win32k syscall filtering function that we described, which will reach Windows 10 users as early as next week along with a big update for that OS.

Seccompassourcing and syscall arguments available through a configurable filter. It can dramatically cut down on the kernel. Since the seccomp was first introduced on Nexus devices in Lollipop, its availability across the Android ecosystem has steadily improved. With Android Nougat, seccomp support is a requirement for all devices. On android media hardening effort.
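To make the idea of a filter on both system calls and their arguments concrete, here is an added example (not code from Android or from the original article) of a Linux seccomp-BPF filter that lets `ioctl()` through only for one request number. The choice of `FIONREAD` as the allowed command and `TIOCGWINSZ` as the denied probe, the helper names, and the little-endian x86_64/aarch64 target are assumptions made for this sketch; it illustrates seccomp argument filtering and is not a description of how Android implements its ioctl whitelist.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifdef __aarch64__
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#define THIS_ARCH AUDIT_ARCH_X86_64  /* assumption: x86_64 otherwise */
#endif
#define FIELD(f) offsetof(struct seccomp_data, f)

/* Allow all syscalls except ioctl(); allow ioctl() only when request == FIONREAD. */
static int install_ioctl_allowlist(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 0, 6),   /* foreign ABI: deny */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(nr)),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000u, 4, 0), /* x32 numbering: deny */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 2),  /* not ioctl: allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(args[1])),     /* low 32 bits of request */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FIONREAD, 0, 1),    /* allowed command? */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required when unprivileged */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Runs the filter in a child. Bit 0: FIONREAD worked; bit 1: TIOCGWINSZ got EPERM
 * (without the filter a pipe would answer ENOTTY). Returns -1 on setup failure. */
int probe_filter(void) {
    int fds[2], n = 0, rc = 0, status;
    struct winsize ws;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (pipe(fds) != 0 || install_ioctl_allowlist() != 0) _exit(64);
        if (ioctl(fds[0], FIONREAD, &n) == 0) rc |= 1;
        if (ioctl(fds[0], TIOCGWINSZ, &ws) == -1 && errno == EPERM) rc |= 2;
        _exit(rc);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 64) return -1;
    return WEXITSTATUS(status);
}
int main(void) { return probe_filter() == 3 ? 0 : 1; }
```

The filter checks the architecture field and rejects x32-numbered calls before looking at the syscall number, since the same number means different calls under different ABIs and a filter that skips this check can be sidestepped.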

These security features should appear in the new release of Android 7.0 (Nougat).


Source: https://habr.com/ru/post/306712/

