Google hardens the Linux kernel in Android

By on
Google hardens the Linux kernel in Android

Memory protections and attack surface reductions.

Google has switched on new security features for the Linux kernel in Android, hoping to reduce vulnerabilities and to improve the robustness of its mobile operating system.

Android is built around the open source Linux kernel, the core computer program that controls the software running on devices, and the hardware they're built upon. 

The kernel defence mechanisms focus on memory protection and attack surface reduction, Google Android security team member Jeff Vander Stoep wrote in a blog this week.

Google has tightened up the kernel as well as adding userspace process memory protection to avoid vulnerabilities impacting unrelated parts of system memory.

Kernel memory is now segmented into logical sections, with restrictive page access permissions on each, Stoep said.

Android's Linux kernel will be prevented from directly accessing userspace memory to make exploits more difficult to execute, as attackers have much less control over kernel memory that's executable.

The stack-protector-strong option for the GCC 4.9 compiler can now be used for better protection against stack smashing attacks that seek to inject executable code into running processes to take control of them.

To harden the Linux kernel in Android, Google is also removing a number of its possible entry points.

The reduction in attack surfaces includes blocking access to the perf measurement and analysis tool in Android Nougat and onwards. Developers can still enable perf, but for the majority of users removing access to it improves security by reducing attack surfaces.

Apps will also be restricted from accessing most ioctl syscall commands with only a small whitelist of those used for network socket control and manipulation permitted in Nougat.

Most ioctl commands are not necessary for third-party apps' functionality, and Stoep said most kernel vulnerabilities reported for Android occur in drivers, and are reached through the syscalls - so removing access for apps improves security.

In Android Nougat, the now mandatory seccomp-bpf sandboxing mechanism will further restrict syscalls and their arguments through a configurable filter, to further shrink the attack surface for the Linux kernel.

A spate of serious vulnerabilities found in Android recently has forced Google to focus on improving the security for its mobile operating system, with the new Nougat version adding several improvements.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
android google security

Most Read Articles

Researchers say not to use myGovID until login flaw is fixed

Researchers say not to use myGovID until login flaw is fixed
Aussie Broadband boss says NBN Co could change price construct in months, if it wanted to

Aussie Broadband boss says NBN Co could change price construct in months, if it wanted to
Optus, Vocus score first deals in ATO telco carve-up

Optus, Vocus score first deals in ATO telco carve-up
'Zerologon' Windows domain admin bypass exploit released

'Zerologon' Windows domain admin bypass exploit released
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

A Migration Guide For Businesses Switching Mobile Device Management Solutions
A Migration Guide For Businesses Switching Mobile Device Management Solutions
Plan your post-COVID security strategy
Plan your post-COVID security strategy
The Executive's Guide To The Future Of Work
The Executive's Guide To The Future Of Work
Government Digital Transformation Requires Customer Obsession
Government Digital Transformation Requires Customer Obsession
Master the fundamentals of AWS cost efficiency
Master the fundamentals of AWS cost efficiency

Events

Log In

Username / Email:
Password:
  |  Forgot your password?