Google has outlined four key kernel hardening features its engineers have backported from upstream Linux to Android kernels on devices that ship with Android 8.0 Oreo.
They will benefit "all Android kernels supported in devices that first ship with this release", according to Sami Tolvanen, a senior software engineer on the Android Security team.
The new kernel protections should also help developers who are responsible for building Android hardware drivers detect kernel security bugs before shipping them to users.
According to Google, 85 percent of the kernel vulnerabilities in Android were due to bugs in vendor drivers. Kernel bugs themselves made up more than a third of Android security bugs last year.
Android Oreo is the first Android release whose kernel is protected by Kernel Address Space Layout Randomization (KASLR), which makes it harder for attackers to remotely exploit the kernel. KASLR is available in Android kernels 4.4 and later.
"KASLR helps mitigate kernel vulnerabilities by randomizing the location where kernel code is loaded on each boot. On ARM64, for example, it adds 13-25 bits of entropy depending on the memory configuration of the device, which makes code reuse attacks more difficult," explains Tolvanen.
Google has also backported Linux 4.8's 'hardened usercopy' feature to protect the usercopy functions, which the kernel uses to transfer data between user space and kernel space memory. The feature adds bounds checking to the user copy functions and has been backported to Android kernels 3.18 and above. According to Tolvanen, nearly half of the Android kernel vulnerabilities since 2014 have been due to missing or invalid bounds checking.
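To make concrete what hardened usercopy adds, here is a small user-space model of the check, written for this article. It is not code from the article, from Google, or from the Linux or Android kernel. It assumes a constructed vendor-driver ioctl that forwards a user-supplied length straight into copy_from_user(), the pattern behind the missing-bounds-check bugs the article cites; slab_register(), check_object_size_model(), copy_from_user_model() and the ioctl_set_name_* handlers are this example's own names, and the fake slab page and "user" payload are constructed sample data.

```c
/*
 * User-space model of the Linux "hardened usercopy" check. Added example for
 * this article; not kernel code. All function names are this example's own,
 * and the buggy driver handler is constructed, not taken from a real driver.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EFAULT   14
#define EINVAL   22
#define NAME_LEN 16      /* size of the driver's kmalloc'd name buffer */

/* Stand-in for slab bookkeeping: which kernel objects exist and how large
 * they are. Real hardened usercopy asks the slab allocator (or the stack
 * walker) the same question about the kernel pointer being copied to. */
struct kobj { const unsigned char *start; size_t size; };
static struct kobj slab_objs[8];
static size_t slab_count;
static int hardened_usercopy_enabled = 1;

static void slab_register(const void *start, size_t size)
{
    if (slab_count < sizeof slab_objs / sizeof slab_objs[0])
        slab_objs[slab_count++] = (struct kobj){ start, size };
}

/* 0 if [ptr, ptr+n) stays inside the object containing ptr, else -EFAULT.
 * The real kernel halts with a BUG report instead of returning; this model
 * also rejects unknown pointers, which is stricter than the kernel. */
static long check_object_size_model(const void *ptr, size_t n)
{
    const unsigned char *p = ptr;
    for (size_t i = 0; i < slab_count; i++) {
        const unsigned char *s = slab_objs[i].start;
        if (p >= s && p < s + slab_objs[i].size) {
            size_t room = (size_t)(s + slab_objs[i].size - p);
            return n <= room ? 0 : -EFAULT;
        }
    }
    return -EFAULT;
}

/* copy_from_user() model: blind memcpy, or the bounds check first. */
static long copy_from_user_model(void *dst, const void *user_src, size_t n)
{
    if (hardened_usercopy_enabled) {
        long rc = check_object_size_model(dst, n);
        if (rc)
            return rc;           /* copy refused, nothing written */
    }
    memcpy(dst, user_src, n);
    return 0;
}

/* Buggy driver ioctl: a user-controlled length goes straight into the copy. */
static long ioctl_set_name_buggy(unsigned char *name_buf,
                                 const void *user_src, size_t user_len)
{
    return copy_from_user_model(name_buf, user_src, user_len);
}

/* Fixed handler: the driver checks the length itself. Hardened usercopy only
 * sees slab-object boundaries, so an overflow that stays inside one larger
 * object would not be caught; the driver-side check is still required. */
static long ioctl_set_name_fixed(unsigned char *name_buf,
                                 const void *user_src, size_t user_len)
{
    if (user_len > NAME_LEN)
        return -EINVAL;
    return copy_from_user_model(name_buf, user_src, user_len);
}

struct outcome { long rc; int neighbour_clobbered; };

/* Fake slab page: object A is the driver's NAME_LEN buffer, object B is an
 * unrelated kernel object right after it, filled with a 0xAA sentinel. */
static struct outcome run_scenario(int hardened, int fixed_driver, size_t user_len)
{
    static unsigned char slab_page[2 * NAME_LEN];
    unsigned char *name_buf = slab_page;
    unsigned char *neighbour = slab_page + NAME_LEN;
    unsigned char user_payload[2 * NAME_LEN];   /* constructed "user" data */
    struct outcome out = { 0, 0 };

    memset(slab_page, 0, sizeof slab_page);
    memset(neighbour, 0xAA, NAME_LEN);
    memset(user_payload, 'U', sizeof user_payload);
    if (user_len > sizeof user_payload)
        user_len = sizeof user_payload;

    slab_count = 0;
    slab_register(name_buf, NAME_LEN);
    slab_register(neighbour, NAME_LEN);
    hardened_usercopy_enabled = hardened;

    out.rc = fixed_driver ? ioctl_set_name_fixed(name_buf, user_payload, user_len)
                          : ioctl_set_name_buggy(name_buf, user_payload, user_len);
    for (size_t i = 0; i < NAME_LEN; i++)
        if (neighbour[i] != 0xAA)
            out.neighbour_clobbered = 1;
    return out;
}

int main(void)
{
    const char *names[] = { "plain kernel, buggy driver", "hardened usercopy, buggy driver",
                            "hardened usercopy, fixed driver", "hardened usercopy, in-bounds" };
    struct outcome o[4] = { run_scenario(0, 0, 24), run_scenario(1, 0, 24),
                            run_scenario(1, 1, 24), run_scenario(1, 0, NAME_LEN) };
    for (int i = 0; i < 4; i++)
        printf("%-34s rc=%ld neighbour clobbered=%d\n", names[i], o[i].rc, o[i].neighbour_clobbered);
    return 0;
}
```

The first scenario shows the driver bug landing on adjacent kernel memory; with the hardened check in place the same request is refused before anything is written, which is how such a bug surfaces during testing rather than on users' devices. The last two scenarios show that legitimate copies pass unchanged and that the driver's own length check remains the primary defence.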
Android Oreo also introduces Privileged Access Never (PAN) emulation, a software version of ARMv8.1's hardware-based PAN, which helps prevent the kernel from accessing user space memory directly and forces developers to go through the user copy functions.
"Upstream Linux introduced software emulation for PAN in kernel version 4.3 for ARM and 4.10 in ARM64. We have backported both features to Android kernels starting from 3.18," notes Tolvanen.
The fourth hardening measure restricts a region of kernel memory to read-only once the kernel has finished initializing, reducing the kernel's internal attack surface. It was introduced in Linux 4.6 and has been backported to Android kernels 3.18.