android_mitigations.md
August 31, 2021 ยท View on GitHub
We list mitigations added in all Android versions.
| Version (and date) | Mitigation | References |
|---|---|---|
| 2.3 | Binaries compiled with non-executable stack and heap | 26 |
| 2.3 | Stack ramdomized | ? |
| 4.0 | Libraries randomized | ? |
| 4.0.2 | Heap randomized | ? |
| unknown | Executables randomized | 24 |
| 4.1 | default umask 0077 | ? |
| 4.1 | Linker randomised | ? |
| 4.1 | isolatedProcess introduction | ? |
| 4.1.1 | mmap_min_addr increased to 32768 | ? |
| 4.1.1 | /proc/kallsyms not available. kptr_restrict to control it. | 9 10 11 |
| 4.3 | SELinux in permissive mode | ? |
| 4.3 | deletion of setuid/setgid binaries | ? |
| 4.3 | deletion of Linux capabilities in dans zygote/adbd | ? |
| 4.4 | SELinux in enforcing mode to crucial domains | ? |
| 5.0 | SELinux in enforcing mode to all domains | 12 |
| 6.x? | isolatedApplicationData | 13 |
| 6.x? | preventAppDataExecution | 1 |
| N | UndefinedBehaviorSanitizer (UBSan) allowing Integer Overflow Sanitization (IntSan) in media stack | 2 3 |
| N | mediaserver containment / some media services are in their individual service processes (sandboxed) | 4 5 |
| ? | trustzone | 6 |
| O | Privileged Access Never (PAN) emulation | 7 8 |
| O | Hardened usercopy (w/o whitelist) | 7 8 |
| O | Post-init read-only memory (__ro_after_init) | 7 8 |
| O | Kernel Address Space Layout Randomization (KASLR) | 8 |
| O | media service processes converted into HALs | 5 15 |
| O | SECURE_DELETE on SQLite databases | 16 |
| O | Control Flow Integrity (CFI) in select components | 3 |
| P | Control Flow Integrity (CFI) in more components by default (media framework, NFC, Bluetooth) | 3 17 5 |
| P | Kernel Control Flow Integrity (kCFI) into Android common kernel | 3 14 |
| P | Integer Overflow Sanitization (IntSan) in more libraries (libui, libnl, libmediaplayerservice, libexif, libdrmclearkeyplugin, libreverbwrapper) and reduced performance overhead by 75% | 3 |
| 10 | software media codecs moved into constrained sandbox in system service (mediaswcodec sandbox, based on SELinux and seccomp, no access to device drivers) | 5 |
| 10 | LLVM's bound sanitizer (BoundSan) to fail safely when array's overflow, at compile time, enabled on 11 media codecs and Bluetooth's stack | 5 |
| 10 | Integer Overflow Sanitization (IntSan) to fail safely when integer overflow, at compile time in all media framework | 5 |
| 10 | LLVM's Shadow Call Stack (SCS) to protect return addresses (x18 register) in Bluetooth stack and some parts of the kernel | 5 |
| 10 | eXecute-Only Memory (XOM) makes code unreadable for Aarch64, ARMv8.2+ and Linux 4.9+ devices | 5 |
| 10 | Scudo Hardened Allocator (resilience against UAF, double-frees, BOF, heap sprays) enabled in media extractors and codecs | 5 |
| unknown | Stack Protector Strong | 18 |
| unknown | RELRO/NOW | 19 22 23 |
| unknown | -Wl,--fatal-warnings and -Wl,--warn-shared-textrel | 20 |
| unknown | -D_FORTIFY_SOURCE | 21 |
| unknown | -Werror=format-security | 25 |
| 11 | DebugFS not present in kernel config | 27 28 |