Google to Samsung: Stop messing with Linux kernel code. It's hurting Android security
Samsung's attempt to prevent attacks on Galaxy phones by modifying kernel code ended up exposing it to more security bugs, according to Google Project Zero (GPZ).
Not only are smartphone makers like Samsung creating more vulnerabilities by adding downstream custom drivers for direct hardware access to Android's Linux kernel, vendors would be better off using security features that already exist in the Linux kernel, according to GPZ researcher Jann Horn.
Developer
It was this type of mistake that Horn found in the Android kernel on the Samsung Galaxy A50. But as he notes, what Samsung did is pretty common among all smartphone vendors. That is, adding code to the Linux kernel code downstream that upstream kernel developers haven't reviewed.
Even when these downstream customizations are meant to add security to a device, they also introduce security bugs. Samsung's intended kernel security mitigations introduced a memory corruption bug that Google reported to Samsung in November.
SEE: IT pro's guide to the evolution and impact of 5G technology (free PDF)
It was patched in Samsung's just-released February update for Galaxy phones. The issue affects Samsung's extra security subsystem called PROCA or Process Authenticator.
Samsung describes the bug, SVE-2019-16132, as a moderate issue consisting of use-after-free and double-free vulnerabilities in PROCA that allow "possible arbitrary code execution" on some Galaxy devices running Android 9.0 and 10.0.
Incidentally, the February update also includes a patch for a critical flaw in "TEEGRIS devices", referring to Trusted Execution Environment (TEE) on newer Galaxy phones that contain Samsung's proprietary TEE operating system. The Galaxy S10 is among TEEGRIS devices.
But Horn's new blogpost is focused on efforts in Android to reduce the security impact of vendors adding unique code to the kernel.
"Android has been reducing the security impact of such code by locking down which processes have access to device drivers, which are often vendor-specific," explains Horn.
An example is that newer Android phones access hardware through dedicated helper processes, collectively known as the Hardware Abstraction Layer (HAL) in Android. But Horn says vendors modifying how core parts of the Linux kernel work undermines efforts to "lock down the attack surface".
Instead, he suggests handset makers use direct hardware access features already supported in Linux, rather than customizing Linux kernel code.
SEE: Samsung Galaxy refresh: Huge camera sensors, 5G, folding screens, and huge prices
Horn says some of the custom features that Samsung added are "unnecessary" and wouldn't affect the device if they were removed.
He speculated that PROCA is meant to restrict an attacker who has already gained read and write access on the kernel. But he reckons Samsung could be more efficient by directing engineering resources to preventing an attacker from getting this access in the first place.
"I believe that device-specific kernel modifications would be better off either being upstreamed or moved into userspace drivers, where they can be implemented in safer programming languages and/or sandboxed, and at the same time won't complicate updates to newer kernel releases," explained Horn.