Android 1.5

  • ProPolice to prevent stack buffer overruns (-fstack-protector) (inserts a canary, also called a cookie on Windows, between the buffer and the return address)
  • safe_iop to reduce integer overflows (safe_iop is Cisco's safe integer-operation API library, guaranteeing that arithmetic does not overflow)
  • Extensions to OpenBSD dlmalloc to prevent double free() vulnerabilities and to prevent chunk consolidation attacks. Chunk consolidation attacks are a common way to exploit heap corruption. (introduces OpenBSD's heap overflow protection; chunk consolidation attacks make use of already freed memory)
  • OpenBSD calloc to prevent integer overflows during memory allocation (introduces OpenBSD's calloc, mitigating integer overflows during allocation that would make the allocated size differ from the expected one)

Summary: stack and heap overflow exploitation mitigations, integer overflow mitigation (requires using the API)

Android 2.3

  • Format string vulnerability protections (-Wformat-security -Werror=format-security) (format string vulnerability protection)
  • Hardware-based No eXecute (NX) to prevent code execution on the stack and heap (non-executable stack and heap)
  • Linux mmap_min_addr to mitigate null pointer dereference privilege escalation (further enhanced in Android 4.1) (restricts the lowest address mmap may map, so a null pointer dereference cannot lead to code execution)

Summary: format string exploitation mitigation, NX, null pointer protection

Android 4.0

  • Address Space Layout Randomization (ASLR) to randomize key locations in memory (address space layout randomization)

Summary: ASLR

Android 4.1

  • PIE (Position Independent Executable) support (randomized program load address)
  • Read-only relocations / immediate binding (-Wl,-z,relro -Wl,-z,now) (read-only relocations)
  • dmesg_restrict enabled (avoid leaking kernel addresses) (sensitive kernel pointers are no longer printed in the dmesg log)
  • kptr_restrict enabled (avoid leaking kernel addresses) (symbol addresses are no longer shown in /proc/kallsyms)

Summary: stronger ASLR (PIE), read-only GOT (lazy binding removed, so shared library load time increases), kernel address protection (dmesg_restrict, kptr_restrict; exploits generally need some kernel symbol addresses)

Android 4.2

  • Application verification - Users can choose to enable "Verify Apps" and have applications screened by an application verifier, prior to installation. App verification can alert the user if they try to install an app that might be harmful; if an application is especially bad, it can block installation.
  • More control of premium SMS - Android will provide a notification if an application attempts to send SMS to a short code that uses premium services which might cause additional charges. The user can choose whether to allow the application to send the message or block it.
  • Always-on VPN - VPN can be configured so that applications will not have access to the network until a VPN connection is established. This prevents applications from sending data across other networks.
  • Certificate Pinning - The Android core libraries now support certificate pinning. Pinned domains will receive a certificate validation failure if the certificate does not chain to a set of expected certificates. This protects against possible compromise of Certificate Authorities.
  • Improved display of Android permissions - Permissions have been organized into groups that are more easily understood by users. During review of the permissions, the user can click on the permission to see more detailed information about the permission.
  • installd hardening - The installd daemon does not run as the root user, reducing potential attack surface for root privilege escalation. (the installd process now runs as a non-root user, reducing the root privilege escalation attack surface)
  • init script hardening - init scripts now apply O_NOFOLLOW semantics to prevent symlink related attacks. (init script hardening against symlink attacks)
  • FORTIFY_SOURCE - Android now implements FORTIFY_SOURCE. This is used by system libraries and applications to prevent memory corruption. (FORTIFY_SOURCE checks for buffer overflows at compile time and at run time.)

When it detects an overflow, it reports an error:

*** buffer overflow detected ***: ./foobar terminated
======= Backtrace: =========
/lib64/libc.so.6[0x382d875cff]
/lib64/libc.so.6(__fortify_fail+0x37)[0x382d906b17]
...

Functions currently protected include:

memcpy, mempcpy, memmove, memset, strcpy, stpcpy, strncpy, strcat,
strncat, sprintf, vsprintf, snprintf, vsnprintf, gets.

  • ContentProvider default configuration - Applications which target API level 17 will have “export” set to “false” by default for each Content Provider, reducing default attack surface for applications.
  • Cryptography - Modified the default implementations of SecureRandom and Cipher.RSA to use OpenSSL. Added SSL Socket support for TLSv1.1 and TLSv1.2 using OpenSSL 1.0.1
  • Security Fixes - Upgraded open source libraries with security fixes include WebKit, libpng, OpenSSL, and LibXML. Android 4.2 also includes fixes for Android-specific vulnerabilities. Information about these vulnerabilities has been provided to Open Handset Alliance members and fixes are available in Android Open Source Project. To improve security, some devices with earlier versions of Android may also include these fixes.

Summary: FORTIFY_SOURCE introduced; focus begins to shift to reducing the attack surface

Android 4.3

  • Android sandbox reinforced with SELinux. This release strengthens the Android sandbox using the SELinux mandatory access control system (MAC) in the Linux kernel. SELinux reinforcement is invisible to users and developers, and adds robustness to the existing Android security model while maintaining compatibility with existing applications. To ensure continued compatibility this release allows the use of SELinux in a permissive mode. This mode logs any policy violations, but will not break applications or affect system behavior. (!! SELinux introduced)

  • No setuid/setgid programs. Added support for filesystem capabilities to Android system files and removed all setuid/setgid programs. This reduces root attack surface and the likelihood of potential security vulnerabilities. (all setuid/setgid programs removed)

  • ADB Authentication. Since Android 4.2.2, connections to ADB are authenticated with an RSA keypair. This prevents unauthorized use of ADB where the attacker has physical access to a device.

  • Restrict Setuid from Android Apps. The /system partition is now mounted nosuid for zygote-spawned processes, preventing Android applications from executing setuid programs. This reduces root attack surface and the likelihood of potential security vulnerabilities. (apps can no longer make use of setuid, reducing the root privilege escalation attack surface)

  • Capability bounding. Android zygote and ADB now use prctl(PR_CAPBSET_DROP) to drop unnecessary capabilities prior to executing applications. This prevents Android applications and applications launched from the shell from acquiring privileged capabilities. (reduces zygote and ADB privileges, shrinking the attack surface)

  • AndroidKeyStore Provider. Android now has a keystore provider that allows applications to create exclusive use keys. This provides applications with an API to create or store private keys that cannot be used by other applications.

  • KeyChain isBoundKeyAlgorithm. Keychain API now provides a method (isBoundKeyType) that allows applications to confirm that system-wide keys are bound to a hardware root of trust for the device. This provides a place to create or store private keys that cannot be exported off the device, even in the event of a root compromise.

  • NO_NEW_PRIVS. Android zygote now uses prctl(PR_SET_NO_NEW_PRIVS) to block addition of new privileges prior to executing application code. This prevents Android applications from performing operations which can elevate privileges via execve. (This requires Linux kernel version 3.5 or greater.) (reduces zygote and app privileges, shrinking the root privilege escalation attack surface)

  • FORTIFY_SOURCE enhancements. Enabled FORTIFY_SOURCE on Android x86 and MIPS and fortified strchr(), strrchr(), strlen(), and umask() calls. This can detect potential memory corruption vulnerabilities or unterminated string constants. (FORTIFY_SOURCE strengthened)

  • Relocation protections. Enabled read only relocations (relro) for statically linked executables and removed all text relocations in Android code. This provides defense in depth against potential memory corruption vulnerabilities. (read-only relro; all text relocations removed)

  • Improved EntropyMixer. EntropyMixer now writes entropy at shutdown / reboot, in addition to periodic mixing. This allows retention of all entropy generated while devices are powered on, and is especially useful for devices that are rebooted immediately after provisioning.

  • Security Fixes. Android 4.3 also includes fixes for Android-specific vulnerabilities. Information about these vulnerabilities has been provided to Open Handset Alliance members and fixes are available in Android Open Source Project. To improve security, some devices with earlier versions of Android may also include these fixes.

Summary: SELinux introduced (but not yet enforcing); attack surface further reduced

Android 4.4

  • Android sandbox reinforced with SELinux. Android now uses SELinux in enforcing mode. SELinux is a mandatory access control (MAC) system in the Linux kernel used to augment the existing discretionary access control (DAC) based security model. This provides additional protection against potential security vulnerabilities. (SELinux enforcing)

  • Per User VPN. On multi-user devices, VPNs are now applied per user. This can allow a user to route all network traffic through a VPN without affecting other users on the device.

  • ECDSA Provider support in AndroidKeyStore. Android now has a keystore provider that allows use of ECDSA and DSA algorithms.

  • Device Monitoring Warnings. Android provides users with a warning if any certificate has been added to the device certificate store that could allow monitoring of encrypted network traffic.

  • FORTIFY_SOURCE. Android now supports FORTIFY_SOURCE level 2, and all code is compiled with these protections. FORTIFY_SOURCE has been enhanced to work with clang. (FORTIFY_SOURCE raised to level 2; see https://access.redhat.com/blogs/766093/posts/1976213)

  • Certificate Pinning. Android 4.4 detects and prevents the use of fraudulent Google certificates used in secure SSL/TLS communications.

  • Security Fixes. Android 4.4 also includes fixes for Android-specific vulnerabilities. Information about these vulnerabilities has been provided to Open Handset Alliance members and fixes are available in Android Open Source Project. To improve security, some devices with earlier versions of Android may also include these fixes.

Summary: SELinux enforcing

Android 5.0

  • Encrypted by default. On devices that ship with L out-of-the-box, full disk encryption is enabled by default to improve protection of data on lost or stolen devices. Devices that update to L can be encrypted in Settings > Security.

  • Improved full disk encryption. The user password is protected against brute-force attacks using scrypt and, where available, the key is bound to the hardware keystore to prevent off-device attacks. As always, the Android screen lock secret and the device encryption key are not sent off the device or exposed to any application. (full disk encryption introduced)

  • Android sandbox reinforced with SELinux. Android now requires SELinux in enforcing mode for all domains. SELinux is a mandatory access control (MAC) system in the Linux kernel used to augment the existing discretionary access control (DAC) security model. This new layer provides additional protection against potential security vulnerabilities. (SELinux coverage further extended)

  • Smart Lock. Android now includes trustlets that provide more flexibility for unlocking devices. For example, trustlets can allow devices to be unlocked automatically when close to another trusted device (via NFC, Bluetooth) or being used by someone with a trusted face.

  • Multi user, restricted profile, and guest modes for phones & tablets. Android now provides for multiple users on phones and includes a guest mode that can be used to provide easy temporary access to your device without granting access to your data and apps. (multi-user support)

  • Updates to WebView without OTA. WebView can now be updated independent of the framework and without a system OTA. This will allow for faster response to potential security issues in WebView.

  • Updated cryptography for HTTPS and TLS/SSL. TLSv1.2 and TLSv1.1 are now enabled, Forward Secrecy is now preferred, AES-GCM is now enabled, and weak cipher suites (MD5, 3DES, and export cipher suites) are now disabled. See https://developer.android.com/reference/javax/net/ssl/SSLSocket.html for more details.

  • non-PIE linker support removed. Android now requires all dynamically linked executables to support PIE (position-independent executables). This enhances Android's address space layout randomization (ASLR) implementation. (stronger randomization: previously only shared library load addresses were randomized; now the executable's load address is randomized as well, -fPIE)

  • FORTIFY_SOURCE improvements. The following libc functions now implement FORTIFY_SOURCE protections: stpcpy(), stpncpy(), read(), recvfrom(), FD_CLR(), FD_SET(), and FD_ISSET(). This provides protection against memory-corruption vulnerabilities involving those functions. (FORTIFY_SOURCE coverage extended with newly protected functions)

  • Security Fixes. Android 5.0 also includes fixes for Android-specific vulnerabilities. Information about these vulnerabilities has been provided to Open Handset Alliance members, and fixes are available in Android Open Source Project. To improve security, some devices with earlier versions of Android may also include these fixes.

Summary: -fPIE
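As an added example (not code from the original post or from AOSP), the Python below checks a binary for the link-time hardening this page lists for Android 2.3 (NX), 4.1 (-Wl,-z,relro -Wl,-z,now) and 5.0 (PIE required), parsing the ELF64 headers directly so no readelf is needed. The sample images it builds at the bottom are constructed test input, not real Android binaries.

```python
# Added example, not code from the original post: minimal ELF64 hardening checker for
# NX stack (PT_GNU_STACK without PF_X), PIE (ET_DYN), RELRO (PT_GNU_RELRO) and
# immediate binding (DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW). Little-endian ELF64 only.
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 1                                   # segment flag: executable
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1           # "-z now" markers in the dynamic section

def check_hardening(elf: bytes) -> dict:
    """Report pie / nx / relro / bind_now for a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", elf, 16)[0]          # 3 == ET_DYN (PIE / .so)
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    # A missing PT_GNU_STACK historically means an executable stack, so nx starts False.
    result = {"pie": e_type == 3, "nx": False, "relro": False, "bind_now": False}
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            result["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:        # produced by -Wl,-z,relro
            result["relro"] = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    if dyn_off is not None:                 # walk the dynamic section for "now" binding
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", elf, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                result["bind_now"] = True   # relro + bind_now is "full RELRO"
    return result

def build_sample_elf(pie: bool, exec_stack: bool, relro: bool, now: bool) -> bytes:
    """Construct a header-only ELF64 image with the requested properties (test input only)."""
    n_ph = 3 if relro else 2
    dyn = (struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW) if now else b"") + struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 56 * n_ph                # layout: ehdr | program headers | dynamic section
    phdrs = [(PT_GNU_STACK, 6 | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    phdrs.append((PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    ehdr = bytearray(64)
    ehdr[:7] = b"\x7fELF\x02\x01\x01"       # magic, ELFCLASS64, little-endian, EV_CURRENT
    struct.pack_into("<HH", ehdr, 16, 3 if pie else 2, 0x3E)   # e_type, e_machine (x86-64)
    struct.pack_into("<Q", ehdr, 32, 64)                       # e_phoff
    struct.pack_into("<HHH", ehdr, 52, 64, 56, n_ph)           # e_ehsize, e_phentsize, e_phnum
    return bytes(ehdr) + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + dyn

if __name__ == "__main__":
    print("hardened:", check_hardening(build_sample_elf(True, False, True, True)))
    print("legacy:  ", check_hardening(build_sample_elf(False, True, False, False)))
```

On a real file, pass `open(path, "rb").read()` to `check_hardening`; a binary built the Android 4.1 way should report relro and bind_now both True.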

Android 6.0

  • Runtime Permissions. Applications request permissions at runtime instead of being granted at App install time. Users can toggle permissions on and off for both M and pre-M applications. (permissions requested at run time)

  • Verified Boot. A set of cryptographic checks of system software are conducted prior to execution to ensure the phone is healthy from the bootloader all the way up to the operating system. (verified boot, guaranteeing kernel integrity)

  • Hardware-Isolated Security. New Hardware Abstraction Layer (HAL) used by Fingerprint API, Lockscreen, Device Encryption, and Client Certificates to protect keys against kernel compromise and/or local physical attacks.

  • Fingerprints. Devices can now be unlocked with just a touch. Developers can also take advantage of new APIs to use fingerprints to lock and unlock encryption keys.

  • SD Card Adoption. Removable media can be adopted to a device and expand available storage for app local data, photos, videos, etc., but still be protected by block-level encryption.

  • Clear Text Traffic. Developers can use a new StrictMode to make sure their application doesn’t use cleartext.

  • System Hardening. Hardening of the system via policies enforced by SELinux. This offers better isolation between users, IOCTL filtering, reduced threat of exposed services, further tightening of SELinux domains, and extremely limited /proc access. (SELinux coverage extended)

  • USB Access Control. Users must confirm to allow USB access to files, storage, or other functionality on the phone. Default is now charge only with access to storage requiring explicit approval from the user.

Summary: verified boot (reference material: KNOX, Google developer blog). From 6.0 on, the protections against privilege escalation and similar attacks have not been upgraded; for privilege escalation via buffer overflows and other memory corruption vulnerabilities the mitigations are already relatively mature and the attack surface has become very small. Exploiting vulnerabilities in the Android kernel itself for privilege escalation has become very difficult.

Vendor drivers remain, however, with poor code quality, and their SELinux configuration may not be of equally high quality.

Android 7.0

  • File-based encryption. Encrypting at the file level, instead of encrypting the entire storage area as a single unit, better isolates and protects individual users and profiles (such as personal and work) on a device.

  • Direct Boot. Enabled by file-based encryption, Direct Boot allows certain apps such as alarm clock and accessibility features to run when device is powered on but not unlocked.

  • Verified Boot. Verified Boot is now strictly enforced to prevent compromised devices from booting; it supports error correction to improve reliability against non-malicious data corruption.

  • SELinux. Updated SELinux configuration and increased seccomp coverage further locks down the application sandbox and reduces attack surface.

  • Library load-order randomization and improved ASLR. Increased randomness makes some code-reuse attacks less reliable. (ASLR strengthened)

  • Kernel hardening. Added additional memory protection for newer kernels by marking portions of kernel memory as read-only, restricting kernel access to userspace addresses and further reducing the existing attack surface. (parts of kernel memory marked read-only; kernel access to userspace addresses restricted; attack surface reduced)

  • APK signature scheme v2. Introduced a whole-file signature scheme that improves verification speed and strengthens integrity guarantees.

  • Trusted CA store. To make it easier for apps to control access to their secure network traffic, user-installed certificate authorities and those installed through Device Admin APIs are no longer trusted by default for apps targeting API Level 24+. Additionally, all new Android devices must ship with the same trusted CA store.

  • Network Security Config. Configure network security and TLS through a declarative configuration file.

Summary: the kernel now implements PXN-like functionality; by marking certain kernel addresses read-only, root privilege escalation becomes harder still.

Stack and heap overflow, integer overflow vulnerabilities -> format string vulnerabilities, NX, mmap_min_addr -> ASLR -> PIE, read-only GOT, dmesg_restrict, kptr_restrict -> FORTIFY_SOURCE -> SELinux -> PXN
