
Protecting Android with more Linux kernel defenses

[Cross-posted from the Android Developers Blog]

Android relies heavily on the Linux kernel for enforcement of its security model. To better protect the kernel, we’ve enabled a number of mechanisms within Android. At a high level these protections are grouped into two categories—memory protections and attack surface reduction.
Memory Protections
One of the major security features provided by the kernel is memory protection for userspace processes in the form of address space separation. Unlike userspace processes, the kernel’s various tasks live within one address space and a vulnerability anywhere in the kernel can potentially impact unrelated portions of the system’s memory. Kernel memory protections are designed to maintain the integrity of the kernel in spite of vulnerabilities.
Mark Memory As Read-Only/No-Execute
This feature segments kernel memory into logical sections and sets restrictive page access permissions on each section. Code is marked as read only + execute. Data sections are marked as no-execute and further segmented into read-only and read-write sections. This feature is enabled with config option CONFIG_DEBUG_RODATA. It was put together by Kees Cook and is based on a subset of Grsecurity’s KERNEXEC feature by Brad Spengler and Qualcomm’s CONFIG_STRICT_MEMORY_RWX feature by Larry Bassel and Laura Abbott. CONFIG_DEBUG_RODATA landed in the upstream kernel for arm/arm64 and has been backported to Android’s 3.18+ arm/arm64 common kernel.
Restrict Kernel Access to User Space
This feature improves protection of the kernel by preventing it from directly accessing userspace memory. This can make a number of attacks more difficult because attackers have significantly less control over kernel memory that is executable, particularly with CONFIG_DEBUG_RODATA enabled. Similar features were already in existence, the earliest being Grsecurity’s UDEREF. This feature is enabled with config option CONFIG_CPU_SW_DOMAIN_PAN and was implemented by Russell King for ARMv7 and backported to Android’s 4.1 kernel by Kees Cook.
Improve Protection Against Stack Buffer Overflows
Much like its predecessor, stack-protector, stack-protector-strong protects against stack buffer overflows, but additionally provides coverage for more array types, as the original only protected character arrays. Stack-protector-strong was implemented by Han Shan and added to the gcc 4.9 compiler.

Attack Surface Reduction
Attack surface reduction attempts to expose fewer entry points to the kernel without breaking legitimate functionality. Reducing attack surface can include removing code, removing access to entry points, or selectively exposing features.
Remove Default Access to Debug Features
The kernel’s perf system provides infrastructure for performance measurement and can be used for analyzing both the kernel and userspace applications. Perf is a valuable tool for developers, but adds unnecessary attack surface for the vast majority of Android users. In Android Nougat, access to perf will be blocked by default. Developers may still access perf by enabling developer settings and using adb to set a property: “adb shell setprop security.perf_harden 0”.
The patchset for blocking access to perf may be broken down into kernel and userspace sections. The kernel patch is by Ben Hutchings and is derived from Grsecurity’s CONFIG_GRKERNSEC_PERF_HARDEN by Brad Spengler. The userspace changes were contributed by Daniel Micay. Thanks to Wish Wu and others for responsibly disclosing security vulnerabilities in perf.
Restrict App Access to IOCTL Commands
Much of Android's security model is described and enforced by SELinux. The ioctl() syscall represented a major gap in the granularity of that enforcement. Ioctl command whitelisting was added to SELinux to provide per-command control over the ioctl syscall.
Most of the kernel vulnerabilities reported on Android occur in drivers and are reached using the ioctl syscall, for example CVE-2016-0820. Some ioctl commands are needed by third-party applications, but most are not, and access to them can be restricted without breaking legitimate functionality. In Android Nougat, only a small whitelist of socket ioctl commands is available to applications. For select devices, applications' access to GPU ioctls has been similarly restricted.
Require SECCOMP-BPF
Seccomp provides an additional sandboxing mechanism allowing a process to restrict the syscalls and syscall arguments available using a configurable filter. Restricting the availability of syscalls can dramatically cut down on the exposed attack surface of the kernel. Since seccomp was first introduced on Nexus devices in Lollipop, its availability across the Android ecosystem has steadily improved. With Android Nougat, seccomp support is a requirement for all devices. On Android Nougat we are using seccomp on the mediaextractor and mediacodec processes as part of the media hardening effort.
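The two previous sections describe restricting ioctl commands (done on Android through SELinux policy) and restricting syscalls and their arguments with seccomp. The following is an added example, not code from the post or from AOSP, showing the seccomp side of that idea: a BPF filter that leaves every other syscall untouched but lets only a whitelisted ioctl() request code (here just FIONREAD, chosen for illustration) reach the kernel. It assumes Linux on little-endian x86_64 or aarch64.

```c
/* Added example (not from the Android post): seccomp-BPF filter that
 * whitelists ioctl() request codes. Assumes Linux, little-endian, and
 * x86_64 or aarch64; the whitelist (FIONREAD only) is for illustration. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__x86_64__)
#define EXAMPLE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
/* Installs the filter on the calling thread. Returns 0 on success. */
int install_ioctl_whitelist(void)
{
    struct sock_filter filter[] = {
        /* Refuse to run under a foreign ABI (e.g. 32-bit compat syscalls). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Every syscall except ioctl() passes straight through. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* ioctl(): load the low 32 bits of args[1], the request code. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FIONREAD, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* Any other request fails with EPERM and never reaches a driver. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    /* no_new_privs is what lets an unprivileged process install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Returns 0 if the request reached the kernel and succeeded, else errno. */
int probe_ioctl(int fd, unsigned long request, void *arg)
{
    return ioctl(fd, request, arg) == 0 ? 0 : errno;
}
```

Before the filter is installed, an unsupported request on a pipe is rejected by the kernel with ENOTTY; afterwards the same request fails with EPERM without ever entering the kernel, which is the attack surface reduction the post describes.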

Ongoing Efforts
There are other projects underway aimed at protecting the kernel:

  • The Kernel Self Protection Project is developing runtime and compiler defenses for the upstream kernel.
  • Further sandbox tightening and attack surface reduction with SELinux is ongoing in AOSP.
  • Minijail provides a convenient mechanism for applying many containment and sandboxing features offered by the kernel, including seccomp filters and namespaces.
  • Projects like kasan and kcov help fuzzers discover the root cause of crashes and intelligently construct test cases that increase code coverage—ultimately resulting in a more efficient bug hunting process.
Due to these efforts and others, we expect the security of the kernel to continue improving. As always, we appreciate feedback on our work and welcome suggestions for how we can improve Android. Contact us at security@android.com.