Az Android Developers Blog oldalon Jeff Vander Stoep, az Android Security csapat tagja arról írt, hogy újabb kernel-szintű védelmeket állítottak csatasorba, illetve csökkentették a lehetséges támadási felület:
Android relies heavily on the Linux kernel for enforcement of its security model. To better protect the kernel, we’ve enabled a number of mechanisms within Android. At a high level these protections are grouped into two categories — memory protections and attack surface reduction. [...] One of the major security features provided by the kernel is memory protection for userspace processes in the form of address space separation. Unlike userspace processes, the kernel’s various tasks live within one address space and a vulnerability anywhere in the kernel can potentially impact unrelated portions of the system’s memory. Kernel memory protections are designed to maintain the integrity of the kernel in spite of vulnerabilities. [...] Attack surface reduction attempts to expose fewer entry points to the kernel without breaking legitimate functionality. Reducing attack surface can include removing code, removing access to entry points, or selectively exposing features.
Két részre oszthatók a most foganatosított intézkedések:
- Memóriavédelem
- Mark memory as read-only/no-execute
- Restrict kernel access to userspace
- Improve protection against stack buffer overflows
- Támadási felület csökkentés
- Remove default access to debug features
- Restrict app access to ioctl commands
- Require seccomp-bpf
Részletek itt.