

Memory-safe languages in Android 13


Posted by Jeffrey Vander Stoep

For over a decade, memory safety vulnerabilities have consistently accounted for over 65% of vulnerabilities across products and industries. Android has seen a significant reduction in memory safety vulnerabilities, and a corresponding decrease in severity.

Looking at vulnerabilities reported in Android security bulletins, which include critical/high-severity vulnerabilities reported through the Vulnerability Rewards Program (VRP) and vulnerabilities reported internally, the annual number of memory safety vulnerabilities decreased from 223 to 85 between 2019 and 2022.

This decline is consistent with programming language usage moving away from memory-unsafe languages. Android 13 is the first Android release where the majority of new code added to the release is in memory-safe languages.

As the amount of new memory-unsafe code entering Android has decreased, so has the number of memory safety vulnerabilities. From 2019 to 2022 they decreased from 76% to 35% of all Android vulnerabilities. 2022 will be the first year in which memory safety vulnerabilities do not make up the majority of Android vulnerabilities.

Correlation doesn’t necessarily imply causation, but interestingly, the proportion of vulnerabilities caused by memory safety issues seems to correlate fairly closely with the development language used for new code. This is consistent with what we published in a blog post two years ago about the age of memory safety vulnerabilities and why we should focus on new code rather than rewriting existing components. Of course, there may be other factors and alternative explanations. However, this shift is a significant departure from an industry-wide trend that has persisted for over a decade (and possibly more) despite significant investments in improving memory-unsafe languages.

We continue to invest in tools that make C/C++ safer. Over the past few releases, we have introduced the Scudo hardened allocator, HWASAN, GWP-ASAN, and KFENCE to Android devices. We also increased the fuzzing coverage of our existing code base. Vulnerabilities found using these tools contributed both to the prevention of vulnerabilities in new code and to the vulnerabilities found in older code that are included in the above assessment. These are important tools, and very important for C/C++ code. However, these alone do not explain the significant changes in vulnerabilities we are seeing, and other projects that have deployed these technologies have not seen significant changes in their vulnerability mix. We believe the main factor is that Android continues to move from memory-unsafe languages to memory-safe languages.

With Android 12, we announced support for the Rust programming language on the Android platform as a memory-safe alternative to C/C++. Since then, we’ve expanded our experience and use of Rust within the Android Open Source Project (AOSP).

As we said in our initial announcement, our goal is not to convert existing C/C++ to Rust, but to shift new code development to memory-safe languages over time.

About 21% of all new native code (C/C++/Rust) in Android 13 is Rust. Rust code in AOSP includes Keystore2, the new Ultra-wideband (UWB) stack, DNS-over-HTTP3, Android’s Virtualization Framework (AVF), and various other components and their open source dependencies. These are low-level components that require a systems language and would otherwise be implemented in C++.

Security impact

So far, no memory safety vulnerabilities have been found in Rust code on Android.

We don’t expect this number to stay at zero forever, but given the amount of new Rust code spread across two Android releases and the security-sensitive components it’s used in, this is an important result. It demonstrates that Rust serves its intended purpose of preventing the most common source of Android vulnerabilities. Historical vulnerability densities have exceeded 1/kLOC (1 vulnerability per 1,000 lines of code) in many of Android’s C/C++ components (media, Bluetooth, NFC, etc.). Based on this historical vulnerability density, Rust could have already prevented hundreds of vulnerabilities from reaching production.

What about unsafe Rust?

Operating system development requires access to resources that the compiler cannot reason about. For memory-safe languages, this means that an escape hatch is required to do systems programming. For Java, Android uses JNI to access low-level resources. Care must be taken when using JNI to avoid unsafe behavior. Fortunately, it has proven to be much easier to review small snippets of C/C++ for safety than whole programs. Android has no pure Java processes; everything is built on top of JNI. Nevertheless, memory safety vulnerabilities in Java code are extremely rare.

Rust similarly has the unsafe{} escape hatch, which allows interaction with system resources and non-Rust code. Just like Java + JNI, using this escape hatch requires extra scrutiny. But like Java, our Rust code has proven to be much more secure than pure C/C++ implementations. As an example, let’s look at the new UWB stack.

There are two uses of unsafe in the UWB code: one for materializing references to Rust objects stored within Java objects, and one for deconstructing the same. Here unsafe actively helped: by paying special attention to this code, we were able to discover and prevent a potential race condition.

In general, Android’s use of unsafe in Rust seems to work as intended. It’s rarely used, but when it is, it encapsulates behavior that can be easily reasoned about and checked for safety.
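The two unsafe uses described above follow a common handle pattern, sketched here as an added example; it is not the UWB stack’s code and not from the original post. JavaPeer, Session and the method names are hypothetical, the Java object is modeled as a plain Rust struct holding the handle in a long-sized field, and the mutex is one assumed way to rule out a use-versus-teardown race (the post does not say which race was found).

```rust
use std::sync::Mutex;

pub struct Session { packets: u64 } // hypothetical native state, not an Android type

/// Stand-in for the Java object: its `long` field holds the address of the Rust
/// object, 0 when there is none. Private, so only the methods below write it.
pub struct JavaPeer { native_handle: Mutex<i64> }

impl JavaPeer {
    /// Safe: heap-allocate the Rust object and store its address in the peer.
    pub fn attach() -> JavaPeer {
        let raw = Box::into_raw(Box::new(Session { packets: 0 }));
        JavaPeer { native_handle: Mutex::new(raw as i64) }
    }
    /// `unsafe` use 1 of 2: materialize a reference from the stored handle.
    pub fn on_packet(&self) -> Option<u64> {
        let slot = self.native_handle.lock().unwrap();
        // SAFETY: the slot holds 0 or a live pointer from attach(); the lock is
        // held until return, so detach() cannot free the object under us.
        let session = unsafe { (*slot as *mut Session).as_mut() }?;
        session.packets += 1;
        Some(session.packets)
    }
    /// `unsafe` use 2 of 2: teardown. Zeroes the slot, then frees exactly once.
    pub fn detach(&self) -> bool {
        let mut slot = self.native_handle.lock().unwrap();
        let raw = std::mem::replace(&mut *slot, 0) as *mut Session;
        if raw.is_null() { return false; }
        // SAFETY: raw came from Box::into_raw in attach() and the slot no longer
        // holds it, so this is the only owner and no reference can outlive it.
        drop(unsafe { Box::from_raw(raw) });
        true
    }
}

/// Constructed scenario: three threads use the object while a fourth tears it down.
pub fn race_use_against_teardown() -> usize {
    let peer = JavaPeer::attach();
    std::thread::scope(|s| {
        let mut users = Vec::new();
        for _ in 0..3 {
            users.push(s.spawn(|| (0..1000).filter(|_| peer.on_packet().is_some()).count()));
        }
        s.spawn(|| peer.detach());
        users.into_iter().map(|h| h.join().unwrap()).sum::<usize>()
    })
}

fn main() { println!("calls served before teardown: {}", race_use_against_teardown()); }
```

Everything outside the two unsafe blocks is checked by the compiler, so a review for memory safety only has to confirm the two SAFETY comments against the private-field invariant.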

Safeguards slow down memory-unsafe languages

Mobile device resources are limited. By optimizing performance, improving battery life, reducing lag, and more, we’re constantly working to make better use of them to give our users a better experience. Using memory unsafe code often means making tradeoffs between security and performance, such as adding sandboxes, sanitizers, runtime mitigations, and hardware protections. Unfortunately, all of these negatively impact code size, memory, and performance.

Using Rust on Android lets us optimize both security and system health with fewer compromises. For example, with the new UWB stack, we were able to save several megabytes of memory and avoid IPC latency by running inside an existing process. The new DNS-over-HTTP/3 implementation uses Rust’s async/await feature to handle many tasks in a single thread in a safe way, allowing fewer threads to do the same amount of work.

The number of vulnerabilities reported in the bulletins has remained fairly stable at about 20 per month for the past four years, despite a significant decrease in the number of memory safety vulnerabilities. So what gives? Here are some thoughts on that.

Decreased severity

Memory safety vulnerabilities disproportionately represent the most severe vulnerabilities. In 2022, memory safety vulnerabilities accounted for only 36% of vulnerabilities in security bulletins, but they accounted for 86% of Critical-severity security vulnerabilities, the highest rating, and 89% of remotely exploitable vulnerabilities. Over the last few years, memory safety vulnerabilities accounted for 78% of the “common” exploited vulnerabilities found on Android devices.

Many vulnerabilities have a well-defined scope. For example, a permission bypass vulnerability typically allows access to a specific set of information or resources and is only reachable if code is already running on the device. Memory safety vulnerabilities tend to be much more versatile. Running code in a process grants access not only to specific resources, but to everything that process can access, including attack surfaces to other processes. Memory safety vulnerabilities are often flexible, allowing multiple vulnerabilities to be chained together. This versatility is one of the reasons why the vast majority of exploit chains seen to date utilize one or more memory safety vulnerabilities.

As the number of memory safety vulnerabilities has decreased, vulnerability severity has decreased correspondingly.

Reports of less severe vulnerabilities are increasing as the most severe ones decrease. For example, about 15% of vulnerabilities in 2022 will be DoS vulnerabilities (requiring a factory reset of the device). This represents a reduction in security risk.

Android thanks the security research community for all contributions to the Android VRP. We apply higher payouts for more severe vulnerabilities so that incentives are consistent with vulnerability risk. As memory safety vulnerabilities become harder to find and exploit, security researchers are focusing on other types of vulnerabilities. Presumably, the total number of discovered vulnerabilities is primarily constrained by the total amount of time researchers spend discovering vulnerabilities. Alternatively, there may be another explanation that we have not considered. Either way, if our vulnerability research community is finding fewer and fewer of these powerful and versatile vulnerabilities, we hope the same is true of attackers.

Attack surface

Most of Android’s existing code is in C/C++, but most of Android’s API surface is implemented in Java. This means that Java is disproportionately represented in the OS attack surface reachable by apps. This provides an important security property: most of the attack surface reachable by apps is immune to memory corruption bugs. It also means that Java is expected to be over-represented when looking at vulnerabilities other than memory safety. However, it’s important to note that the types of vulnerabilities we’ve seen in Java are mostly logic bugs and, as mentioned above, generally low severity. Moving forward, we’ll explore how Rust’s richer type system can also help prevent common types of logic bugs.

Google’s ability to respond

Google’s ability to detect and prevent exploitation has significantly improved for the types of vulnerabilities currently known. Apps are scanned for API abuse before they are published to the Play Store, and Google Play Protect warns users if unauthorized apps are installed.

The transition from C/C++ is difficult, but progress is being made. The Android platform is using Rust more and more, but the story doesn’t end there. To achieve our goal of improving security, stability, and quality across Android, we need to be able to use Rust anywhere in our codebase where native code is needed. We are implementing a userspace HAL in Rust. We’re adding support for Rust in Trusted Applications. We have moved the Android Virtualization Framework’s VM firmware to Rust. With Rust support in Linux 6.1, we’re excited to bring memory safety to the kernel, starting with kernel drivers.

As Android moves from C/C++ to Java/Kotlin/Rust, we expect the number of memory safety vulnerabilities to continue to decline. Towards a future with few Android memory corruption bugs!



