In a move to make exploits harder to leverage and to prevent specific types of issues from becoming vulnerabilities, Google expanded compiler-based mitigations in its latest smartphone OS, Android P.
One mitigation is a Control Flow Integrity (CFI), which represents a set of mitigations meant to “confine a program’s control flow to a call graph of valid targets determined at compile-time.” Android already supports CFI implementation in select components, but the next platform release will expand that support, Google officials said.
“This implementation focuses on preventing control flow manipulation via indirect branches, such as function pointers and virtual functions,” Ivan Lozano, Information Security Engineer at Google said in a post.
The idea is to use valid branch targets to reduce the set of allowable destinations an attacker can call, while indirect branches are used to detect runtime violations of the statically determined set of allowable targets, in which case the process aborts.
By restricting control flow to a small set of legitimate targets, Google attempts to make code-reuse attacks much harder to execute, while also making memory corruption vulnerabilities more difficult or even impossible to exploit.
CFI requires compiling with Link-Time Optimization (LTO), which also results in reduced binary size and improved performance, although compile time increases.
Testing found “negligible overhead to code size and performance,” Google said.
In Android P, CFI will be enabled by default widely within the media frameworks and other security-critical components, including NFC and Bluetooth.
Android P also expands the number of libraries that will benefit from Integer Overflow Sanitization, which was meant to safely abort process execution when an overflow is detected. Thus, an entire class of memory corruption and information disclosure vulnerabilities are mitigated.
Google has expanded the use of these sanitizers in the media framework with each release and also improved them to reduce performance impact.