Developers on Android's security team peeled back some of the layers of the mobile operating system this week, describing the lengths Google goes to in protecting the Linux kernel.
In a post to Google's Security Blog, Jeff Vander Stoep described several mitigations slated for Nougat, the next stable Android release, along with steps the team has taken over the last few years to defend against kernel attacks.
Vander Stoep detailed three memory protections. The first, marking memory as read-only/no-execute, segments kernel memory into logical sections and sets restrictive page permissions on each: code is marked read-only and executable, while data is marked no-execute and further split into read-only and read-write regions.
The second prevents the kernel from directly accessing userspace memory. By isolating kernel access, Vander Stoep writes, attackers should have a tougher time carrying out attacks, since they have less control over kernel memory that is executable.
The third, stack-protector-strong, guards against stack buffer overflows. Android has shipped a stack protector since 2014, he notes, but the strong variant instruments more functions than the original, which covered only functions with character arrays on the stack.
Vander Stoep also discussed three ways Android is shrinking the kernel's attack surface.
Removing default access to debug features reduces the number of entry points into the kernel. In particular, app access to perf, the Linux performance-analysis tool, will be blocked by default in Nougat. Vander Stoep acknowledged that perf is useful to developers but wrote that it "adds unnecessary attack surface" for most Android users.
Nougat will also tighten the reins on which ioctl commands apps can issue. Most kernel vulnerabilities are in drivers and are reached through the ioctl syscall, Vander Stoep writes, so apps will be limited to a "small whitelist" of socket ioctl commands.
It won’t be too much of a burden on functionality, according to Vander Stoep.
“Some ioctl commands are needed by third-party applications, however most are not and access can be restricted without breaking legitimate functionality,” he said.
Lastly, Nougat will require all devices to ship a kernel that supports seccomp, the Linux facility that lets a process restrict which syscalls it may make. As with the ioctl whitelist, cutting down the set of syscalls an app can reach narrows the kernel attack surface exposed to it.
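The ioctl whitelist and the seccomp requirement rest on the same idea: have the kernel refuse calls an app has no business making before any driver code runs. The following is an added example, not code from Google's post or the article, showing one way to express such a policy as a seccomp-bpf filter on Linux. The syscall and ioctl whitelists are hypothetical, the article does not say how Android enforces its own ioctl whitelist, and the helper names (build_filter, decide, install_filter, emit) are this example's own. A small classic-BPF evaluator reproduces what the kernel would decide, so the policy can be checked before it is installed; note the check on the upper half of the 64-bit request, which a filter that compares only the low word gets wrong.

```c
/* Added example (not from Google's post or the article): a seccomp-bpf filter with a
 * hypothetical syscall whitelist and ioctl request whitelist. Linux, little-endian only. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>      /* FIONREAD, FIONBIO, TCGETS */
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#if __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__
#error "ARG_LO/ARG_HI assume a little-endian seccomp_data"
#endif
/* Classic BPF loads 32-bit words, so a 64-bit syscall argument is read in two halves. */
#define ARG_LO(n) ((uint32_t)(offsetof(struct seccomp_data, args) + 8 * (n)))
#define ARG_HI(n) (ARG_LO(n) + 4)

/* Hypothetical policy: syscalls an app may make, and the ioctl requests it may issue. */
static const uint32_t SYSCALL_ALLOW[] = { SYS_read, SYS_write, SYS_close, SYS_exit,
                                          SYS_exit_group, SYS_rt_sigreturn };
static const uint32_t IOCTL_ALLOW[] = { FIONREAD, FIONBIO };
#define DENY_IOCTL (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

static struct sock_filter g_prog[64];
static size_t g_len;

static void emit(size_t *i, uint16_t code, uint32_t k, uint8_t jt, uint8_t jf)
{
    g_prog[(*i)++] = (struct sock_filter){ code, jt, jf, k };
}

/* Builds the program once and returns its length. jt/jf are counts of instructions to skip. */
size_t build_filter(void)
{
    const size_t na = sizeof SYSCALL_ALLOW / sizeof SYSCALL_ALLOW[0];
    const size_t ni = sizeof IOCTL_ALLOW / sizeof IOCTL_ALLOW[0];
    const size_t allow = 12 + na + ni - 1;  /* index of the final RET ALLOW */
    size_t i = 0;

    if (g_len)
        return g_len;
    emit(&i, BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch), 0, 0);
    emit(&i, BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0);  /* numbers differ per ABI */
    emit(&i, BPF_RET | BPF_K, SECCOMP_RET_KILL, 0, 0);
    emit(&i, BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr), 0, 0);
    for (size_t a = 0; a < na; a++)                          /* whitelisted nr -> ALLOW */
        emit(&i, BPF_JMP | BPF_JEQ | BPF_K, SYSCALL_ALLOW[a], (uint8_t)(allow - i - 1), 0);
    emit(&i, BPF_JMP | BPF_JEQ | BPF_K, SYS_ioctl, 1, 0);    /* only ioctl gets a second look */
    emit(&i, BPF_RET | BPF_K, SECCOMP_RET_KILL, 0, 0);
    emit(&i, BPF_LD | BPF_W | BPF_ABS, ARG_HI(1), 0, 0);     /* request is args[1]: upper half must be 0 */
    emit(&i, BPF_JMP | BPF_JEQ | BPF_K, 0, 1, 0);
    emit(&i, BPF_RET | BPF_K, DENY_IOCTL, 0, 0);
    emit(&i, BPF_LD | BPF_W | BPF_ABS, ARG_LO(1), 0, 0);     /* lower half against the whitelist */
    for (size_t r = 0; r < ni; r++)
        emit(&i, BPF_JMP | BPF_JEQ | BPF_K, IOCTL_ALLOW[r], (uint8_t)(allow - i - 1), 0);
    emit(&i, BPF_RET | BPF_K, DENY_IOCTL, 0, 0);             /* unknown request: EPERM, not kill */
    emit(&i, BPF_RET | BPF_K, SECCOMP_RET_ALLOW, 0, 0);
    return g_len = i;
}

/* Minimal classic-BPF interpreter covering only the three opcode forms emitted above. */
static uint32_t run_filter(const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0, len = build_filter(); pc < len; pc++) {
        const struct sock_filter *in = &g_prog[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS) && in->k + 4u <= sizeof *d)
            memcpy(&acc, (const unsigned char *)d + in->k, sizeof acc);
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == in->k) ? in->jt : in->jf;  /* lands on pc + 1 + offset after pc++ */
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;
        else
            return SECCOMP_RET_KILL;  /* bad load or unmodelled opcode: the kernel refuses such programs */
    }
    return SECCOMP_RET_KILL;          /* fell off the end, also refused at load time */
}

/* What the filter decides for syscall nr with ioctl request arg1 on this ABI. */
uint32_t decide(int nr, uint64_t arg1)
{
    struct seccomp_data d = { .nr = nr, .arch = SECCOMP_ARCH, .args = { 0, arg1 } };
    return run_filter(&d);
}

/* Installs the program on the calling thread; returns 0 on success. */
int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)build_filter(), .filter = g_prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)  /* mandatory without CAP_SYS_ADMIN */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

Call decide() to check individual cases, or install_filter() to load the program into the current thread. After installation only the listed syscalls succeed, an unlisted ioctl request fails with EPERM, and any other syscall kills the thread, so print results before installing and report afterwards with write(2) rather than stdio, which may issue syscalls such as fstat that are not on the list.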
Google disclosed details of Nougat two weeks ago when it announced changes to how the OS handles trusted certificate authorities, which should limit man-in-the-middle attacks. The new release is also expected to let developers configure how their apps trust CAs, including restricting that trust for particular domains.
Google routinely fixes vulnerabilities that could lead to kernel exploitation in its monthly sets of Android patches. Since the Linux kernel is part of the backbone of Android's security model and regularly interacts with Mediaserver, a playback engine that has been hit by over a dozen bugs in the past year, it has remained a prime target for attackers.
Earlier this month Google patched an elevation of privilege vulnerability in the kernel file system that could have led to a malicious app executing arbitrary code within the context of the kernel.
In June it patched multiple critical bugs in Qualcomm drivers (GPU, Wi-Fi, Video, Sound, etc.) that could have resulted in the same outcome.