SecurityWeek
Google to Boost Linux Kernel Defenses in Android 7.0

In an attempt to improve the security of Android, Google is integrating the latest Linux kernel defenses into the next version of its popular mobile operating system.


According to the Internet giant, a series of mechanisms has been enabled within Android, grouped into two categories: memory protections and attack surface reduction.

The ultimate goal, Google says, is to deliver better kernel security and ensure that its integrity is maintained even if vulnerabilities are discovered.

For the upcoming Android 7.0 release, codenamed Nougat, Google is planning memory protections such as having memory marked as “read-only/no execute,” restricting kernel access to userspace, and improving protection against stack buffer overflows. The new platform iteration will also strictly enforce verified boot, Google revealed earlier this month.

“One of the major security features provided by the kernel is memory protection for userspace processes in the form of address space separation,” Jeff Vander Stoep of the Android Security team explains. Because the kernel’s tasks all live within one address space, a vulnerability anywhere in the kernel could impact unrelated portions of the system’s memory; kernel memory protections are meant to prevent that, he also notes.

To mark memory as read-only/no-execute, kernel memory is divided into logical sections and restrictive page access permissions are set for each section. Code is marked read-only + execute, while data sections are marked no-execute and are further split into read-only and read-write sections.

Restricting kernel access to userspace memory is meant to make a range of attacks more difficult, since attackers would have less control over executable kernel memory, particularly with CONFIG_DEBUG_RODATA enabled. “Similar features were already in existence, the earliest being Grsecurity’s UDEREF,” Vander Stoep explains.

Android 7.0 will also include stack-protector-strong as protection against stack buffer overflows. It works like stack-protector but covers more array types; the original only protected character arrays.


Google is looking into lowering the number of entry points to the kernel by removing code, removing access to entry points, or selectively exposing features. The upcoming Android versions will remove default access to debug features, restrict app access to ioctl commands, and require seccomp-bpf, Vander Stoep says.

Android Nougat will block access to perf, a tool that allows developers to analyze the kernel and userspace applications but which creates an unnecessary attack surface. However, developers will still be able to access perf by enabling developer settings and using adb to set a property: “adb shell setprop security.perf_harden 0”.

The upcoming Android version will also block access to most commands of the ioctl() syscall, building on the per-command control over ioctl that SELinux already provides. Because most kernel vulnerabilities in Android occur in drivers and are reached through the ioctl syscall, only a small whitelist of socket ioctl commands will be available to applications in future Android releases.

Furthermore, Android 7.0 will require seccomp support in all devices, because it provides an additional sandboxing mechanism that lets a process restrict the syscalls, and the syscall arguments, it is allowed to make. “Restricting the availability of syscalls can dramatically cut down on the exposed attack surface of the kernel,” Vander Stoep explains.
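As an added example (not Google’s or AOSP’s code), here is the kind of seccomp-bpf policy that implements the two ideas above: every syscall except ioctl() passes, and ioctl() passes only for a small whitelist of request codes, so a bug in a driver’s unlisted command handler cannot be reached from the sandboxed process. The whitelist entries FIONREAD and TCGETS are constructed stand-ins for the socket commands Android allows, and the code assumes Linux on a little-endian CPU.

```c
// Added example, not Google's or AOSP code: a seccomp-bpf policy in the spirit of
// Android 7.0's ioctl whitelist. Every other syscall is allowed; ioctl() passes only
// for a small constructed whitelist of request codes, everything else gets EPERM.
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
// Classic BPF with relative jumps: adding a whitelist entry means bumping the jump
// targets above it. A production filter also checks seccomp_data.arch first.
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),               // not ioctl: allow
    // Low 32 bits of args[1], the request code (assumes a little-endian CPU).
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FIONREAD, 2, 0),        // constructed whitelist
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TCGETS, 1, 0),          // (TCGETS keeps stdio working)
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

static int install_ioctl_filter(void) {
    struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = filter };
    // NO_NEW_PRIVS lets an unprivileged process install a filter and stops a later
    // setuid execve from shedding it.
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

// Returns 1 if the policy behaves as intended, 0 if it does not, and -1 if this
// kernel or sandbox refuses to install seccomp filters.
static int check_ioctl_policy(void) {
    int fds[2], avail = 0;
    struct winsize ws;
    if (pipe(fds) != 0 || install_ioctl_filter() != 0) return -1;
    int allowed = ioctl(fds[0], FIONREAD, &avail) == 0;         // whitelisted: reaches the kernel
    errno = 0;                                                  // unfiltered, a pipe would give ENOTTY
    int denied = ioctl(fds[0], TIOCGWINSZ, &ws) == -1 && errno == EPERM;
    close(fds[0]); close(fds[1]);
    return (allowed && denied) ? 1 : 0;
}

int main(void) {
    int r = check_ioctl_policy();
    printf("ioctl whitelist: %s\n", r == 1 ? "enforced" : r == 0 ? "BROKEN" : "seccomp unavailable");
    return r != 1;
}
```

The EPERM on TIOCGWINSZ is the visible proof that the filter, not the pipe driver, answered the call; the same technique extended with SECCOMP_RET_ERRNO per command is how a process can shrink its own ioctl surface without touching the kernel.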

Related: Android 7.0 to Strictly Enforce Verified Boot
