Security News > 2023 > February > Google will boost Android security through firmware hardening

Google has started working to harden the security of Android at the firmware level, a component of the software stack that interacts directly with the various processors of a system on a chip.

The plan is to expand the security in Android devices beyond the operating system, which runs on a multi-core CPU, to the other processors on the SoC for dedicated tasks like cellular communication, media processing, or security modules.

"Over the last decade, there have been numerous publications, talks, Pwn2Own contest winners, and CVEs targeting the exploitation of vulnerabilities in firmware running in these secondary processors." - Google.

Google mentions BoundSan and IntSan Exploit mitigations: Control Flow Integrity, Kernel Control Flow Integrity, ShadowCallStack, and Stack Canaries Memory safety features aimed to prevent memory errors such as buffer overflows, user-after-free attacks, and null pointer dereferences; Google mentions the 'zero-initialized' mechanism that zeros memory values before a program accesses the allocated space so it doesn't contain random data from previous uses.

One issue with incorporating the mitigations is that they may have a negative impact on the performance of the devices, an even more difficult challenge when it comes to secondary processors designed for a specific set of functions, since they don't come with the same resources as the main processor powering the Android operating system.

Google's effort to harden firmware security is part of a greater effort to improve the security of the Android platform.

News URL

https://www.bleepingcomputer.com/news/security/google-will-boost-android-security-through-firmware-hardening/