Google to Boost Linux Kernel Defenses in Android 7.0

In an attempt to improve the security of Android, Google is looking into integrating the latest Linux kernel defenses into the next version of the popular mobile operating system.

According to the Internet giant, a series of mechanisms have been enabled within Android, grouped into two categories: memory protections and attack surface reduction.

The ultimate goal, Google says, is to deliver better kernel security and ensure that its integrity is maintained even if vulnerabilities are discovered.

For the upcoming Android 7.0 release, codenamed Nougat, Google is planning memory protections such as having memory marked as “read-only/no execute,” restricting kernel access to userspace, and improving protection against stack buffer overflows. The new platform iteration will also strictly enforce verified boot, Google revealed earlier this month.

“One of the major security features provided by the kernel is memory protection for userspace processes in the form of address space separation,” Jeff Vander Stoep of the Android Security team explains. Because the kernel’s tasks all live within one address space, a vulnerability anywhere in the kernel could impact unrelated portions of the system’s memory, but kernel memory protections should prevent that, he also notes.

By marking memory as read-only/no-execute, the kernel memory will be fragmented into logical sections and restrictive page access permissions will be set for each section. Code will be marked as read only + execute, while data sections will be marked as no-execute and will also be segmented into read-only and read-write sections.

By restricting kernel access to userspace memory, Google is looking to make a series of attacks more difficult, since attackers would have less control over executable kernel memory, particularly with CONFIG_DEBUG_RODATA enabled. “Similar features were already in existence, the earliest being Grsecurity’s UDEREF,” Vander Stoep explains.


Android 7.0 will also include stack-protector-strong as protection against stack buffer overflows. It is similar to stack-protector, which only protected character arrays, but covers more array types.

Google is looking into lowering the number of entry points to the kernel through removing code, removing access to entry points, or selectively exposing features. The upcoming Android versions will remove default access to debug features, will restrict app access to ioctl commands, and will require seccomp-bpf, Vander Stoep says.

Android Nougat will block access to perf, a tool that allows developers to analyze the kernel and userspace applications, but which creates an unnecessary attack surface. However, developers will be able to access perf through enabling developer settings and using adb to set a property: “adb shell setprop security.perf_harden 0”.

The upcoming Android version will also block access to most commands of the ioctl() syscall, similar to the per-command control over ioctl that SELinux provides. Because most kernel vulnerabilities in Android occur in drivers and are reached through the ioctl syscall, only a small whitelist of socket ioctl commands will be available to applications in future Android releases.

Furthermore, Android 7.0 will require seccomp support on all devices, because it provides an additional sandboxing mechanism that lets a process restrict the syscalls and syscall arguments available to it. “Restricting the availability of syscalls can dramatically cut down on the exposed attack surface of the kernel,” the Google engineer explains.
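The two attack-surface measures above, an ioctl whitelist enforced through seccomp-bpf, look like this in practice. This is an added illustration, not Google's or Android's code: the filter checks the ABI, passes every syscall other than ioctl, and for ioctl allows only two socket commands (FIONREAD and SIOCGIFFLAGS, an assumed whitelist standing in for Android's real one), failing all others with EPERM. A small userspace interpreter lets the policy be exercised without installing it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#endif
#define DENY_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))
/* Policy: kill on a foreign ABI; pass all syscalls but ioctl; pass ioctl only for two illustrative
 * socket commands (assumed whitelist, not Android's real one); request = low 32 bits of args[1]. */
static struct sock_filter ioctl_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FIONREAD, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SIOCGIFFLAGS, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof(ioctl_filter) / sizeof(ioctl_filter[0]))
/* Minimal cBPF interpreter for the three opcodes above, so the policy can be checked in
 * userspace; enforcing it is prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog). */
static uint32_t run_filter(const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < FILTER_LEN;) {
        const struct sock_filter *in = &ioctl_filter[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) {
            memcpy(&acc, (const char *)d + in->k, sizeof acc); pc++;
        } else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) {
            pc += 1 + (acc == in->k ? in->jt : in->jf);
        } else if (in->code == (BPF_RET | BPF_K)) return in->k;
        else return SECCOMP_RET_KILL_PROCESS;  /* opcode not modelled */
    }
    return SECCOMP_RET_KILL_PROCESS;  /* ran off the end: never allow */
}
/* Verdict for syscall `nr` when the ioctl request `req` sits in args[1]. */
static uint32_t decide(int nr, uint32_t req) {
    struct seccomp_data d = { .nr = nr, .arch = ARCH_NR, .args = { 0, req } };
    return run_filter(&d);
}
```

Installing the same program for real requires PR_SET_NO_NEW_PRIVS first for an unprivileged process; the arch check matters because syscall numbers differ between ABIs and a filter that skips it can be bypassed by switching ABI.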

Related: Android 7.0 to Strictly Enforce Verified Boot
