CFI blocks malware attacks from redirecting execution flow

Oct 11, 2018 18:23 GMT  ·  By

Sami Tolvanen, Android Security Staff Software Engineer, reports on the Android Developers Blog that Google's Pixel 3 will be the first Android device featuring LLVM's forward-edge Control Flow Integrity (CFI) enforcement in the kernel.

LLVM implements CFI as a compiler-inserted check on indirect branches: before the program follows a function pointer, the inserted code verifies that the target is one the compiler expected for that call site. A failed check means the pointer no longer holds a value the program could legitimately have produced, which is the typical sign of an attacker exploiting a memory-safety bug to hijack the program's control flow.

Hardening the kernel has been an ongoing effort for the Android security team, and kernel CFI is the latest step: a compiler-based mitigation aimed at code-reuse attacks, which chain together code already present in the kernel rather than injecting new code.

As Tolvanen explains, a kernel bug that lets an attacker overwrite a function pointer stored in kernel memory lets them redirect the next indirect call through that pointer to any kernel code they choose, turning existing code into part of their exploit.

"CFI attempts to mitigate these attacks by adding additional checks to confirm that the kernel's control flow stays within a precomputed graph," says Tolvanen.

In the kernel, a failed CFI check means the indirect branch is not taken to the unexpected target; by default the violation is treated as fatal and the kernel stops rather than continuing along the corrupted path.

Tolvanen also noted the limits of the approach: "This doesn't prevent an attacker from changing a function pointer if a bug provides write access to one, but it significantly restricts the valid call targets, which makes exploiting such a bug more difficult in practice."
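The following is an added example, not code from Tolvanen's post or from LLVM, that models the check described above in plain C. A handler table holds a function pointer; a constructed "corruption" step stands in for any kernel bug that gives write access to that pointer; `dispatch_unprotected` follows the pointer blindly while `dispatch_cfi` first confirms the target is in a precomputed set of legitimate handlers, the way LLVM's forward-edge CFI checks an indirect call against the functions of matching type it collected at link time. All names (`handler_fn`, `privileged_op`, `cfi_valid_handlers`, `CFI_VIOLATION`) are invented for the demo, and the valid-target set is written out by hand where LLVM would generate a jump table. The second scenario shows the caveat from the quote: redirecting to another function of the same type passes the check.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of a kernel-style ops table: a function pointer in writable
 * memory, reached through an indirect call. (Demo code, not kernel code.) */
typedef int (*handler_fn)(const char *arg);

struct ops {
    handler_fn handle;
};

static int handler_log(const char *arg)  { return (int)strlen(arg); }
static int handler_drop(const char *arg) { (void)arg; return -1; }

/* Code the attacker wants to reach. It has the same C type as a handler so
 * the demo can call it without undefined behaviour, but it is never a
 * legitimate handler, so it is not in the valid target set below. */
static int privileged_op_hits;
static int privileged_op(const char *arg) { (void)arg; privileged_op_hits++; return 0xbad; }

/* Simulated forward-edge CFI. LLVM computes, at link time, the set of
 * address-taken functions whose type matches the call site and emits a
 * check that the pointer is one of them. Here the set is spelled out by
 * hand; this models the check, it is not LLVM's implementation. */
static const handler_fn cfi_valid_handlers[] = { handler_log, handler_drop };

static int cfi_target_is_valid(handler_fn target) {
    for (size_t i = 0; i < sizeof cfi_valid_handlers / sizeof cfi_valid_handlers[0]; i++)
        if (cfi_valid_handlers[i] == target)
            return 1;
    return 0;
}

/* Sentinel returned instead of taking the branch. In the Android kernel a
 * failed check is fatal by default; the demo returns a code so the outcome
 * can be inspected. */
#define CFI_VIOLATION (-0x7fff)

/* Unprotected indirect call: wherever the pointer says, execution goes. */
static int dispatch_unprotected(const struct ops *o, const char *arg) {
    return o->handle(arg);
}

/* CFI-instrumented indirect call: verify the target, then branch. */
static int dispatch_cfi(const struct ops *o, const char *arg) {
    if (!cfi_target_is_valid(o->handle))
        return CFI_VIOLATION;
    return o->handle(arg);
}

/* Constructed corruption: a plain assignment stands in for any bug that
 * gives an attacker write access to a stored function pointer. */
static void corrupt_pointer(struct ops *o, handler_fn evil) {
    o->handle = evil;
}

/* Scenario 1: pointer redirected to a function outside the valid set.
 * Without CFI the gadget runs; with CFI the call is refused. */
static int demo_redirect_to_gadget(int with_cfi) {
    struct ops o = { handler_log };
    corrupt_pointer(&o, privileged_op);
    return with_cfi ? dispatch_cfi(&o, "x") : dispatch_unprotected(&o, "x");
}

/* Scenario 2: pointer redirected to another legitimate handler of the same
 * type. The target is in the precomputed set, so CFI lets it through. */
static int demo_redirect_to_same_type(void) {
    struct ops o = { handler_log };
    corrupt_pointer(&o, handler_drop);
    return dispatch_cfi(&o, "x");
}

int main(void) {
    printf("no CFI, gadget:  %d (gadget ran %d time)\n", demo_redirect_to_gadget(0), privileged_op_hits);
    printf("CFI, gadget:     %d (gadget ran %d time)\n", demo_redirect_to_gadget(1), privileged_op_hits);
    printf("CFI, same type:  %d\n", demo_redirect_to_same_type());
    return 0;
}
```

The set check is what makes the difference: the corrupted pointer still points at real kernel code, but code that no legitimate call through that pointer could reach is refused, while a swap between two handlers of the same type is not, which is exactly the residual risk the quote describes.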

Google has also added support for LLVM's CFI to the 4.9 and 4.14 branches of the Android common kernel, so any vendor building on the common kernel can enable it for their own devices.

Furthermore, the Android team recommends that all device vendors enable Control Flow Integrity in the kernel of their new Android 9-based arm64 devices for additional protection against kernel vulnerabilities.

"LLVM's CFI protects indirect branches against attackers who manage to gain access to a function pointer stored in kernel memory. This makes a common method of exploiting the kernel more difficult," also said Tolvanen.

The Android team also plans to cover the backward edge, attacks that overwrite function return addresses, by bringing LLVM's Shadow Call Stack to the kernel in a future release.