Google this week announced expanded compiler-based mitigations in Android P, in an attempt to make bugs harder to exploit and prevent specific types of issues from becoming vulnerabilities.
One of these is Control Flow Integrity (CFI), which represents a set of mitigations meant to “confine a program’s control flow to a call graph of valid targets determined at compile-time.” Android already supports CFI implementation in select components, but the next platform release will expand that support, the search giant says.
“This implementation focuses on preventing control flow manipulation via indirect branches, such as function pointers and virtual functions,” Google explains.
The idea is to use valid branch targets to reduce the set of allowable destinations an attacker can call, while indirect branches are used to detect runtime violations of the statically determined set of allowable targets, in which case the process aborts.
By restricting control flow to a small set of legitimate targets, Google attempts to make code-reuse attacks much harder to execute, while also making memory corruption vulnerabilities more difficult or even impossible to exploit.
CFI requires compiling with Link-Time Optimization (LTO), which also results in reduced binary size and improved performance, although compile time increases. According to Google, testing has revealed “negligible overhead to code size and performance.”
In Android P, CFI will be enabled by default widely within the media frameworks and other security-critical components, including NFC and Bluetooth.
Android P also expands the number of libraries that will benefit from Integer Overflow Sanitization, which was meant to safely abort process execution when an overflow is detected. Thus, an entire class of memory corruption and information disclosure vulnerabilities are mitigated.
Google has expanded the use of these sanitizers in the media framework with each release and also improved them to reduce performance impact.
“In testing, these improvements reduced the sanitizers’ performance overhead by over 75% in Android’s 32-bit libstagefright library for some codecs. Improved Android build system support, such as better diagnostics support, more sensible crashes, and globally sanitized integer overflow targets for testing have also expedited the rollout of these sanitizers,” the Internet company says.
Google decided to bring integer overflow sanitization to libraries where complex untrusted input is processed or security bulletin-level integer overflow flaws were reported. Thus, in Android P, the libui, libnl, libmediaplayerservice, libexif, libdrmclearkeyplugin, and libreverbwrapper libraries will benefit from these sanitizers.
“Moving forward, we’re expanding our use of these mitigation technologies and we strongly encourage vendors to do the same with their customizations,” Google notes.