Google's security researchers have found that an anti-exploitation feature in Android that should block Stagefright-based attacks can be bypassed.
In the aftermath of the Stagefright bug, Google told media that 90 percent of Android devices would have been protected from an attack using the bug because Google had implemented address space layout randomisation (ASLR) in Android. Google introduced ASLR to Android in 2012 with version 4.1.
Google made the point at a time when neither it nor the other Android OEMs had released Stagefright patches; some patches were delivered only two months after news of the bug came to light.
ASLR is implemented in most operating systems to make it more difficult for an attacker to, for example, exploit memory corruption weaknesses. Symantec describes ASLR as a "prophylactic security technology" that strengthens security by increasing the diversity of attack targets. It doesn't remove existing flaws, but will make them more difficult to exploit.
As Ars Technica noted, the problem with Google's claim that ASLR would have protected users from Stagefright is that it was only partly true. Google's own Project Zero security team, which is tasked with finding holes in Google's and other vendors' software, has devised a brute-force bypass of ASLR that would be practical in a real-world web attack, such as planting an exploit on an attack website.
"I did some extended testing on my Nexus 5; and results were pretty much as expected," wrote Mark Brand of Project Zero.
"In 4096 exploit attempts I got 15 successful callbacks; the shortest time-to-successful-exploit was lucky, at around 30 seconds, and the longest was over an hour. Given that the mediaserver process is throttled to launching once every 5 seconds, and the chance of success is 1/256 per attempt, this gives us a ~4% chance of a successful exploit each minute," he added.
Despite this, Brand noted that it would be trivial to exploit the Stagefright bugs if ASLR were disabled.
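To make the arithmetic in Brand's quote concrete, here is an added example (not code from Project Zero or from the article) that models a throttled brute-force guess against ASLR as a series of independent trials. The 1/256 per-attempt chance, the 5-second respawn throttle and the 4096-attempt run are the figures quoted above; the entropy-bits model, the median-time calculation and all function names are assumptions of this example. Setting the effective entropy to zero bits reproduces the point that the bugs become trivial with ASLR disabled, and higher bit counts show what extra randomisation buys a defender against the same respawn rate.

```python
import math

# Figures as quoted in the article from Mark Brand's testing. Everything else
# in this file is an added illustration, not Project Zero's code.
SUCCESS_PROB_PER_ATTEMPT = 1 / 256    # "the chance of success is 1/256 per attempt"
RESPAWN_INTERVAL_SECONDS = 5          # "throttled to launching once every 5 seconds"
OBSERVED_ATTEMPTS = 4096              # "In 4096 exploit attempts ..."
OBSERVED_SUCCESSES = 15               # "... I got 15 successful callbacks"


def per_attempt_prob_from_entropy_bits(bits):
    """Assumed model: a blind guess against `bits` of effective randomness
    succeeds with probability 2**-bits. Zero bits means no randomisation,
    so every attempt succeeds (the 'trivial with ASLR disabled' case)."""
    return 2.0 ** -bits


def attempts_in(seconds, interval=RESPAWN_INTERVAL_SECONDS):
    """How many respawn-throttled attempts fit into the given wall-clock time."""
    return int(seconds // interval)


def success_prob_within(seconds, p=SUCCESS_PROB_PER_ATTEMPT,
                        interval=RESPAWN_INTERVAL_SECONDS):
    """Probability that at least one of the independent attempts made within
    `seconds` succeeds: 1 - (1 - p)**n."""
    return 1.0 - (1.0 - p) ** attempts_in(seconds, interval)


def expected_successes(attempts, p=SUCCESS_PROB_PER_ATTEMPT):
    """Mean number of successes in a run of `attempts` independent tries,
    for comparison with the 15 callbacks Brand observed in 4096 attempts."""
    return attempts * p


def attempts_for_success_prob(target, p):
    """Smallest n such that 1 - (1 - p)**n >= target (n = 1 when p == 1)."""
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def median_time_to_success_seconds(p=SUCCESS_PROB_PER_ATTEMPT,
                                   interval=RESPAWN_INTERVAL_SECONDS):
    """Wall-clock time by which a brute-force run has a 50% chance of having
    succeeded at least once, given the respawn throttle."""
    return attempts_for_success_prob(0.5, p) * interval


def summary(bits, interval=RESPAWN_INTERVAL_SECONDS):
    """Per-attempt and per-minute success probability plus median time to
    success for a given amount of effective ASLR entropy, so hardening
    options (more entropy, slower respawn) can be compared side by side."""
    p = per_attempt_prob_from_entropy_bits(bits)
    return {
        "per_attempt": p,
        "per_minute": success_prob_within(60, p, interval),
        "median_seconds": median_time_to_success_seconds(p, interval),
    }


if __name__ == "__main__":
    print("observed %d/%d successes, expected %.1f"
          % (OBSERVED_SUCCESSES, OBSERVED_ATTEMPTS,
             expected_successes(OBSERVED_ATTEMPTS)))
    print("chance of at least one success within one minute: %.1f%%"
          % (100 * success_prob_within(60)))
    print("median time to first success: %d s" % median_time_to_success_seconds())
    for bits in (0, 8, 16, 24):
        s = summary(bits)
        print("%2d bits: per-minute %.6f, median %.1f hours"
              % (bits, s["per_minute"], s["median_seconds"] / 3600))
```

With the article's figures the model gives 16 expected successes for 4096 attempts (Brand saw 15), a roughly 4.6% chance of success within any given minute (the "~4%" in the quote), and a median time to first success of just under 15 minutes. Each extra bit of effective entropy halves the per-attempt probability, which is why Project Zero's hardening advice concentrates on the randomisation itself rather than on the respawn throttle alone.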
Project Zero has given the Android security team advice on how to harden ASLR against such bypasses, but Brand noted that even with those hardening measures in place, they will not prove that future memory corruption bugs on Android devices are non-exploitable.