Android's switch to LLVM/Clang every bit the default platform compiler inwards Android 7.0 opened upward to a greater extent than possibilities for improving our defense-in-depth safety posture. In the yesteryear couplet of releases, we've rolled out additional compiler-based mitigations to brand bugs harder to exploit too preclude for sure types of bugs from becoming vulnerabilities. In Android P, we're expanding our existing compiler mitigations, which musical instrument runtime operations to neglect safely when undefined demeanour occurs. This post service describes the novel construct arrangement back upward for Control Flow Integrity too Integer Overflow Sanitization.
Control Flow Integrity
Influenza A virus subtype H5N1 cardinal footstep inwards modern exploit chains is for an aggressor to gain command of a program's command period of time yesteryear corrupting business office pointers or supply addresses. This opens the door to code-reuse attacks where an aggressor executes arbitrary portions of existing computer programme code to attain their goals, such every bit counterfeit-object-oriented too return-oriented programming. Control Flow Integrity (CFI) describes a ready of mitigation technologies that confine a program's command period of time to a telephone outcry upward graph of valid targets determined at compile-time.
While nosotros outset supported LLVM's CFI implementation inwards select components inwards Android O, we're greatly expanding that back upward inwards P. This implementation focuses on preventing command period of time manipulation via indirect branches, such every bit business office pointers too virtual functions—the 'forward-edges' of a telephone outcry upward graph. Valid branch targets are defined every bit business office entry points for functions amongst the expected business office signature, which drastically reduces the ready of allowable destinations an aggressor tin call. Indirect branches are instrumented to notice runtime violations of the statically determined ready of allowable targets. If a violation is detected because a branch points to an unexpected target, hence the procedure safely aborts.
Figure 1. Assembly-level comparing of a virtual business office telephone outcry upward amongst too without CFI enabled.
For example, Figure 1 illustrates how a business office that takes an object too calls a virtual business office gets translated into assembly amongst too without CFI. For simplicity, this was compiled amongst -O0 to preclude compiler optimization. Without CFI enabled, it loads the object's vtable pointer too calls the business office at the expected offset. With CFI enabled, it performs a fast-path outset banking concern agree to decide if the pointer falls inside an expected attain of addresses of compatible vtables. Failing that, execution falls through to a deadening path that does a to a greater extent than extensive banking concern agree for valid classes that are defined inwards other shared libraries. The deadening path volition abort execution if the vtable pointer points to an invalid target.
With command period of time tightly restricted to a pocket-size ready of legitimate targets, code-reuse attacks larn harder to utilize too to a greater extent than or less retentiveness corruption vulnerabilities larn to a greater extent than hard or fifty-fifty impossible to exploit.
In damage of performance impact, LLVM's CFI requires compiling amongst Link-Time Optimization (LTO). LTO preserves the LLVM bitcode representation of object files until link-time, which allows the compiler to amend argue almost what optimizations tin hold upward performed. Enabling LTO reduces the size of the finally binary too improves performance, merely increases compile time. In testing on Android, the combination of LTO too CFI results inwards negligible overhead to code size too performance; inwards a few cases both improved.
For to a greater extent than technical details almost CFI too how other forward-control checks are handled, run into the LLVM pattern documentation.
For Android P, CFI is enabled yesteryear default widely inside the media frameworks too other security-critical components, such every bit NFC too Bluetooth. CFI gist support has also been introduced into the Android mutual gist when edifice amongst LLVM, providing the selection to farther harden the trusted computing base. This tin hold upward tested today on the HiKey reference boards.
Integer Overflow Sanitization
The UndefinedBehaviorSanitizer's (UBSan) signed too unsigned integer overflow sanitization was outset utilized when hardening the media stack inwards Android Nougat. This sanitization is designed to safely abort procedure execution if a signed or unsigned integer overflows yesteryear instrumenting arithmetics instructions which may overflow. The terminate lawsuit is the mitigation of an entire aeroplane of retentiveness corruption too information disclosure vulnerabilities where the root movement is an integer overflow, such every bit the master copy Stagefright vulnerability.
Because of their success, we've expanded usage of these sanitizers inwards the media framework amongst each release. Improvements own got been made to LLVM's integer overflow sanitizers to cut back the performance touching on yesteryear using fewer instructions inwards ARM 32-bit too removing unnecessary checks. In testing, these improvements reduced the sanitizers' performance overhead yesteryear over 75% inwards Android's 32-bit libstagefright library for to a greater extent than or less codecs. Improved Android construct arrangement support, such every bit amend diagnostics support, to a greater extent than sensible crashes, too globally sanitized integer overflow targets for testing own got also expedited the rollout of these sanitizers.
We've prioritized enabling integer overflow sanitization inwards libraries where complex untrusted input is processed or where at that topographic point own got been safety bulletin-level integer overflow vulnerabilities reported. As a result, inwards Android P the next libraries forthwith create goodness from this mitigation:
- libui
- libnl
- libmediaplayerservice
- libexif
- libdrmclearkeyplugin
- libreverbwrapper
Future Plans
Moving forward, we're expanding our usage of these mitigation technologies too nosotros strongly encourage vendors to create the same amongst their customizations. More information almost how to enable too seek out these options volition hold upward available shortly on the Android Open Source Project.
Acknowledgements: This post service was developed inwards articulation collaboration amongst Vishwath Mohan, Jeffrey Vander Stoep, Joel Galenson, too Sami Tolvanen
