Charlie Miller: 'Difficult to write exploits' for Android 4.1


Summary: Android 4.1 Jelly Bean is the most secure version yet. Android now fully implements Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). Unfortunately, most Android users will never get to use Jelly Bean on their device.


The latest version of Google's mobile operating system, Android 4.1 (Jelly Bean), significantly beefs up the platform's security. Jelly Bean includes several new exploit mitigations as well as full implementation of Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). At least one famous hacker thinks this will finally make Android much harder to attack.

"As long as there's anything that's not randomized, then it (ASLR) doesn't work, because as long as the attacker knows something is in the same spot, they can use that to break out of everything else," Charlie Miller, a security researcher famous for publicly hacking Apple products, told Ars Technica. "Jelly Bean is going to be the first version of Android that has full ASLR and DEP, so it's going to be pretty difficult to write exploits for that."

ASLR randomizes the memory locations of key data areas, including the base of the executable and the positions of libraries, heap, and stack, in a process's address space. DEP prevents an application or service from executing code from a non-executable memory region. The goal is to stop attackers who exploit memory corruption bugs: because they don't know in advance where their malicious payloads will be loaded, those payloads cannot be so easily executed, and because writable data regions such as the stack and heap are marked non-executable, exploits that store code via a buffer overflow can also be blocked.

Google first included ASLR support in Android 4.0 (Ice Cream Sandwich), but only partially. The ASLR support in Android 4.0 randomized only certain key locations, leaving other key parts of a process's memory map at predictable addresses that attackers could rely on.

Security researcher Jon Oberheide was the first to note the change between Android 4.0 and Android 4.1 over on The Duo Bulletin:

As we mentioned in our previous post on Android ASLR, the executable mapping in the process address space was not randomized in Ice Cream Sandwich, making ROP-style attacks possible using the whole executable as a source of gadgets. In Jelly Bean, most binaries are now compiled/linked with the PIE flag (commits for the linker, ARM and x86), which means the executable mapping will be properly randomized when executed.

The custom Android linker was the last piece of the ASLR puzzle that was not randomized in Ice Cream Sandwich. In Jelly Bean, the linker is now randomized in the process address space. This means that the deficiencies in ICS pointed out in our previous blog post have all been addressed in Jelly Bean, giving it full stack, heap/brk, lib/mmap, linker, and executable ASLR.

All in all, this is great news, but it comes with one massive gotcha. Google still hasn't shown any desire to get its massive userbase onto the latest version of Android. As such, until most Android users are running Jelly Bean or later, this won't be a new feature that most people will be able to enjoy.


Topics: Security, Android, Google, Mobile OS, Open Source, Operating Systems

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.


Talkback

15 comments
  • False sense of security

    I do not think the current model of spreading malware depends on bypassing Android's security controls. Most malware seen today in the Google Market is social engineering - get the user to download some piece of software that looks like a game but really has malware embedded. Then ask for a bunch of permissions (that the user clicks through) and exploit for profit!
    myweirdopinion
    • Undeniably. Just as windows users almost always clicked to bypass dialogs

      warning them of consequences, to the point they skipped even reading what they said, so too do app downloaders unknowingly click right through permission/capability authorization prompts at install. Any system which relies largely on user discretion is already compromised.
      Johnny Vegas
      • You are missing the point

        Protection is important to any OS, but it is irrelevant if no-one is using that OS. That seems to be an important issue in the article - the fact that next to no Android users are using Jelly Bean and for the foreseeable future next to none will be using it. Slow upgrades and no upgrades to existing devices are part of the problem.
        Wakemewhentrollsgone
  • iOS had ASLR and DEP for years, Android is welcome to more secure space

    ASLR and DEP are what made iOS hacking so interesting to Miller. Vulnerabilities there are really good finds and Miller was good at helping Apple to secure the OS further.

    Let's see if Miller will help Google with hacking their Android 4.1 OS which is finally matches iOS in terms of exploits resistance.
    DDERSSS
    • Did you mean

      which is finally matches iOS in terms of exploits?
      William Farrel
    • Bull!

      iOS is based off of OS X and it wasn't a complete implementation until LION...

      Basically, it hasn't truly had it for years.
      slickjim
      • Correct

        Linux and BSD had ASLR first way back in 2000. Then Windows got on board with Vista. Then Apple finally got around to putting it in for Lion.
        KodiacZiller
      • It had it for years, right

        Just the level of implementation was different.
        DDERSSS
        • Not true or just plain lying

          iOS didn't have ASLR until iOS 4.3.
          As a matter of fact, all untethered jailbreaks started as address-based exploits. So you either don't know what you're talking about or are just lying.
          Samic
          • When did iOS 4.3 come out?

            So, how come I do not know or am lying?
            DDERSSS
    • Prevaricating again as usual...

      Color me unsurprised.
      DonRupertBitByte
  • Simply false

    "Google still hasn't shown any desire to get its massive userbase onto the latest version of Android."

    This is completely false. Google makes the freaking source code of the OS available publicly, and they make it privately available to OEMs weeks earlier. They also ask manufacturers to support their devices with updates for 2 years. That is all Google can do! It's up to manufacturers to use the source, then it's up to carriers to bloat the ROM and finally to release it. To try and blame the problem on Google shows a lack of understanding of how the Android OS works.
    dorkistope
    • Google can do more

      Google can make it much more advantageous for its partners to use the latest and greatest version of Android. It can easily provide benefits for using 4.1 and no previous version, not to mention push them to upgrade the OS sooner for their customers.
      Empro
      • I think Google has less control than the IHV's and the carriers

        Besides, I remember reading about Jelly Bean and thought there were some good additions and refinements. Certainly as many as any other OS maker, mobile or desktop.

        Allowing the carriers to modify Android to their liking also means the carrier has to apply those changes to the new version (Jelly Bean in this case), and then release it to their customers. The carriers have no incentive to do that. They've already locked you in.
        Info Dave