Google Details Memory-Related Security Improvements in Android 11

Google has shared details on Android 11’s security enhancements, including memory safety improvements.

Google this week shared details on how it is fighting memory bugs in Android 11, as well as on other security improvements that the upcoming platform version will deliver.

Android 11, the 18th version of the mobile operating system, is set to arrive in the third quarter of the year, but has been available for developers since the beginning of 2020.

One of the main improvements in the new operating system iteration is related to initialization of memory, which is expected to eliminate an entire class of issues that occur in C/C++: uninitialized memory bugs.

Such flaws usually appear when memory is used without first being initialized to a known safe value. The variable then holds whatever value was previously stored at that location, and attackers could predict and even control that value, Google explains.

This could result in information disclosure, including the bypass of ASLR (Address Space Layout Randomization), or control flow hijacks using stack or heap spray.

“When uninitialized memory results in a bug, it is often challenging to identify the source of the error, particularly if it is rarely triggered. Eliminating an entire class of such bugs is a lot more effective than hunting them down individually,” Google says.

The alternative is automatic stack variable initialization, which would initialize local variables with either zeros or a pattern: the former is safer for strings, pointers, indexes, and sizes, while the latter is generally safer for return values.

With automatic stack and heap initialization merged in the upstream Linux kernel, Android will benefit from these features as well, so that attackers can no longer control local variables and heap.

Despite performance overhead, both stability and security are improved, Google says.
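
The following C program is an added illustration, not code from Google or from the original article. It shows how a partly filled struct copied out of a reused memory slot exposes stale data, and how zero or pattern initialization removes the leak. The `struct reply`, the `frame` scratch slot, the `'S'` secret bytes and the `0xAA` fill byte are assumptions constructed for the demo, and the `memset` calls do by hand what automatic initialization (for example Clang's `-ftrivial-auto-var-init=zero|pattern`) does for stack variables.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct reply {              /* hypothetical message copied out to a caller */
    uint8_t  status;        /* followed by padding bytes on common ABIs */
    uint32_t length;
    char     name[16];      /* short names leave the tail unwritten */
};

/* Constructed stand-in for a reused stack slot: its contents persist between
   calls, which keeps the demo free of undefined behaviour. */
static union { unsigned char bytes[64]; struct reply r; } frame;

enum init_mode { INIT_NONE, INIT_ZERO, INIT_PATTERN };

/* An earlier call leaves secret data behind in the slot. */
static void handle_secret(void) {
    memset(frame.bytes, 'S', sizeof frame.bytes);   /* constructed secret */
}

/* Builds a reply in the reused slot and copies the whole struct out. */
static void build_reply(enum init_mode mode, unsigned char *out) {
    struct reply *r = &frame.r;
    if (mode == INIT_ZERO)    memset(r, 0x00, sizeof *r);
    if (mode == INIT_PATTERN) memset(r, 0xAA, sizeof *r);  /* assumed fill byte */
    r->status = 1;
    r->length = 2;
    memcpy(r->name, "ok", 3);       /* name[3..15] is never written */
    memcpy(out, r, sizeof *r);
}

/* Counts stale secret bytes visible in the copied-out reply. */
static size_t leaked_bytes(enum init_mode mode) {
    unsigned char out[sizeof(struct reply)];
    size_t n = 0;
    handle_secret();
    build_reply(mode, out);
    for (size_t i = 0; i < sizeof out; i++)
        n += (out[i] == 'S');
    return n;
}

int main(void) {
    printf("none=%zu zero=%zu pattern=%zu\n", leaked_bytes(INIT_NONE),
           leaked_bytes(INIT_ZERO), leaked_bytes(INIT_PATTERN));
    return 0;
}
```

Without initialization, the unwritten tail of `name` (and, on common ABIs, the padding after `status`) carries the earlier call's bytes to the caller; with either fill mode none of them survive.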

With the release of Android 11, Google is making Scudo the default native allocator for Android.

Although it doesn’t fully prevent exploitation, Scudo can help identify and mitigate heap memory corruption bugs such as double free, arbitrary free, heap-based buffer overflow, and use-after-free.

“It also proactively organizes the heap in a way that makes exploitation of memory corruption more difficult, by reducing the predictability of the allocation patterns, and separating allocations by sizes,” the tech giant says.

The upcoming Android iteration also includes the in-production heap memory safety bug detection tool GWP-ASan, which is integrated in Scudo, and support for kernel HWASAN (also referred to as Software Tag-Based KASAN (KernelAddressSANitizer)).

Additionally, Google has expanded compiler mitigations and the use of CFI (Control Flow Integrity) to mitigate exploits and harden the NFC stack.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
