As attacks on mobile devices continue to evolve and become more sophisticated, Google is enabling new security mechanisms in Android, including a number of additional memory protections and an extension of the operating system’s sandbox.
The next version of Android, known as Nougat, will benefit from these security upgrades, which are designed to provide better memory protection and reduce the attack surface in the operating system. Android is the most widely deployed mobile OS on the planet, and as such it is the most popular target for attackers. The OS is based on Linux, and much of its security comes from enforcements contained in the Linux kernel. In Nougat, Google is adding some new mechanisms that are designed to upgrade the protections Android has against common attack types.
One of the upgrades is a feature that marks some memory as read-only or no-execute. This helps defeat certain kinds of memory corruption attacks and has been present in desktop operating systems for some time.
“This feature segments kernel memory into logical sections and sets restrictive page access permissions on each section. Code is marked as read only + execute. Data sections are marked as no-execute and further segmented into read-only and read-write sections. This feature is enabled with config option CONFIG_DEBUG_RODATA,” Jeff Vander Stoep of the Android security team, said in a post explaining the new defenses.
Google also is introducing a system that restricts the kernel’s access to certain portions of userspace, which limits the amount of control that an attacker has over executable kernel memory. Nougat also will include a better protection mechanism against stack buffer overflows.
Android Nougat also will include expanded sandbox protection.
“Much like its predecessor, stack-protector, stack-protector-strong protects againststack buffer overflows, but additionally provides coverage for more array types, as the original only protected character arrays,” Vander Stoep said.
In the area of attack surface reduction, Google is blocking access to a couple of features and commands that make the kernel more susceptible to attack.
“The kernel’s perf system provides infrastructure for performance measurement and can be used for analyzing both the kernel and userspace applications. Perf is a valuable tool for developers, but adds unnecessary attack surface for the vast majority of Android users. In Android Nougat, access to perf will be blocked by default,” Vender Stoep said.
Android Nougat also will include expanded sandbox protection. The new OS will require all devices to use the seccomp sandboxing tool.
“Seccomp provides an additional sandboxing mechanism allowing a process to restrict the syscalls and syscall arguments available using a configurable filter. Restricting the availability of syscalls can dramatically cut down on the exposed attack surface of the kernel. Since seccomp was first introduced on Nexus devices in Lollipop, its availability across the Android ecosystem has steadily improved. With Android Nougat, seccomp support is a requirement for all devices,” Vander Stoep says.
Nougat is due for release later this summer.
