Google hardens the Linux kernel in Android

By on
Google hardens the Linux kernel in Android

Memory protections and attack surface reductions.

Google has switched on new security features for the Linux kernel in Android, hoping to reduce vulnerabilities and to improve the robustness of its mobile operating system.

Android is built around the open source Linux kernel, the core computer program that controls the software running on devices, and the hardware they're built upon. 

The kernel defence mechanisms focus on memory protection and attack surface reduction, Google Android security team member Jeff Vander Stoep wrote in a blog this week.

Google has tightened up the kernel as well as adding userspace process memory protection to avoid vulnerabilities impacting unrelated parts of system memory.

Kernel memory is now segmented into logical sections, with restrictive page access permissions on each, Stoep said.

Android's Linux kernel will be prevented from directly accessing userspace memory to make exploits more difficult to execute, as attackers have much less control over kernel memory that's executable.

The stack-protector-strong option for the GCC 4.9 compiler can now be used for better protection against stack smashing attacks that seek to inject executable code into running processes to take control of them.

To harden the Linux kernel in Android, Google is also removing a number of its possible entry points.

The reduction in attack surfaces includes blocking access to the perf measurement and analysis tool in Android Nougat and onwards. Developers can still enable perf, but for the majority of users removing access to it improves security by reducing attack surfaces.

Apps will also be restricted from accessing most ioctl syscall commands with only a small whitelist of those used for network socket control and manipulation permitted in Nougat.

Most ioctl commands are not necessary for third-party apps' functionality, and Stoep said most kernel vulnerabilities reported for Android occur in drivers, and are reached through the syscalls - so removing access for apps improves security.

In Android Nougat, the now mandatory seccomp-bpf sandboxing mechanism will further restrict syscalls and their arguments through a configurable filter, to further shrink the attack surface for the Linux kernel.

A spate of serious vulnerabilities found in Android recently has forced Google to focus on improving the security for its mobile operating system, with the new Nougat version adding several improvements.

Copyright © iTnews.com.au . All rights reserved.
Tags:
android google security

Most Read Articles

Ransomware strikes Victorian speed cameras

Ransomware strikes Victorian speed cameras
NBN Co adds 50 new suburbs to FTTC rollout

NBN Co adds 50 new suburbs to FTTC rollout
Ombudsman stunned by Vic CIO's 'calculated nepotism'

Ombudsman stunned by Vic CIO's 'calculated nepotism'
First NBN FTTC areas unlikely to be able to order retail service

First NBN FTTC areas unlikely to be able to order retail service
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Optimising Enterprise Data Centres for the Cloud
Optimising Enterprise Data Centres for the Cloud
Growing companies have a growing interest in technology
Growing companies have a growing interest in technology
RSA NetWitness® Endpoint. Respond 3X Faster to Threats
RSA NetWitness® Endpoint. Respond 3X Faster to Threats
Building platforms for future health and education
Building platforms for future health and education
Breach Level Index Report
Breach Level Index Report

Events

Log In

Username:
Password:
|  Forgot your password?