Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Google Expands Android’s Compiler-Based Mitigations

Google this week announced expanded compiler-based mitigations in Android P, in an attempt to make bugs harder to exploit and prevent specific types of issues from becoming vulnerabilities.

Google this week announced expanded compiler-based mitigations in Android P, in an attempt to make bugs harder to exploit and prevent specific types of issues from becoming vulnerabilities.

One of these is Control Flow Integrity (CFI), which represents a set of mitigations meant to “confine a program’s control flow to a call graph of valid targets determined at compile-time.” Android already supports CFI implementation in select components, but the next platform release will expand that support, the search giant says.

“This implementation focuses on preventing control flow manipulation via indirect branches, such as function pointers and virtual functions,” Google explains.

The idea is to use valid branch targets to reduce the set of allowable destinations an attacker can call, while indirect branches are used to detect runtime violations of the statically determined set of allowable targets, in which case the process aborts.

By restricting control flow to a small set of legitimate targets, Google attempts to make code-reuse attacks much harder to execute, while also making memory corruption vulnerabilities more difficult or even impossible to exploit.

CFI requires compiling with Link-Time Optimization (LTO), which also results in reduced binary size and improved performance, although compile time increases. According to Google, testing has revealed “negligible overhead to code size and performance.”

In Android P, CFI will be enabled by default widely within the media frameworks and other security-critical components, including NFC and Bluetooth.

Android P also expands the number of libraries that will benefit from Integer Overflow Sanitization, which was meant to safely abort process execution when an overflow is detected. Thus, an entire class of memory corruption and information disclosure vulnerabilities are mitigated.

Google has expanded the use of these sanitizers in the media framework with each release and also improved them to reduce performance impact.

“In testing, these improvements reduced the sanitizers’ performance overhead by over 75% in Android’s 32-bit libstagefright library for some codecs. Improved Android build system support, such as better diagnostics support, more sensible crashes, and globally sanitized integer overflow targets for testing have also expedited the rollout of these sanitizers,” the Internet company says.

Google decided to bring integer overflow sanitization to libraries where complex untrusted input is processed or security bulletin-level integer overflow flaws were reported. Thus, in Android P, the libui, libnl, libmediaplayerservice, libexif, libdrmclearkeyplugin, and libreverbwrapper libraries will benefit from these sanitizers.

“Moving forward, we’re expanding our use of these mitigation technologies and we strongly encourage vendors to do the same with their customizations,” Google notes.

Related: Google Turns TLS on By Default on Android P

Related: Android Vendors Regularly Omit Patches in Security Updates

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.