For greater than a decade, reminiscence security vulnerabilities have constantly represented greater than 65% of vulnerabilities throughout merchandise, and throughout the {industry}. On Android, we’re now seeing one thing totally different – a big drop in reminiscence security vulnerabilities and an related drop within the severity of our vulnerabilities.
Taking a look at vulnerabilities reported within the Android safety bulletin, which incorporates vital/excessive severity vulnerabilities reported by our vulnerability rewards program (VRP) and vulnerabilities reported internally, we see that the variety of reminiscence security vulnerabilities have dropped significantly over the previous few years/releases. From 2019 to 2022 the annual variety of reminiscence security vulnerabilities dropped from 223 right down to 85.
This drop coincides with a shift in programming language utilization away from reminiscence unsafe languages. Android 13 is the primary Android launch the place a majority of latest code added to the discharge is in a reminiscence secure language.
As the quantity of latest memory-unsafe code coming into Android has decreased, so too has the variety of reminiscence security vulnerabilities. From 2019 to 2022 it has dropped from 76% right down to 35% of Android’s whole vulnerabilities. 2022 is the primary yr the place reminiscence security vulnerabilities don’t signify a majority of Android’s vulnerabilities.
Whereas correlation doesn’t essentially imply causation, it’s fascinating to notice that the p.c of vulnerabilities attributable to reminiscence questions of safety appears to correlate slightly intently with the event language that’s used for brand spanking new code. This matches the expectations printed in our weblog put up 2 years in the past concerning the age of reminiscence security vulnerabilities and why our focus ought to be on new code, not rewriting current parts. After all there could also be different contributing components or various explanations. Nevertheless, the shift is a significant departure from industry-wide traits which have continued for greater than a decade (and sure longer) regardless of substantial investments in enhancements to reminiscence unsafe languages.
We proceed to spend money on instruments to enhance the security of our C/C++. Over the previous few releases we’ve launched the Scudo hardened allocator, HWASAN, GWP-ASAN, and KFENCE on manufacturing Android gadgets. We’ve additionally elevated our fuzzing protection on our current code base. Vulnerabilities discovered utilizing these instruments contributed each to prevention of vulnerabilities in new code in addition to vulnerabilities present in previous code which are included within the above analysis. These are vital instruments, and critically vital for our C/C++ code. Nevertheless, these alone don’t account for the massive shift in vulnerabilities that we’re seeing, and different initiatives which have deployed these applied sciences haven’t seen a significant shift of their vulnerability composition. We imagine Android’s ongoing shift from memory-unsafe to memory-safe languages is a significant factor.
In Android 12 we introduced assist for the Rust programming language within the Android platform as a memory-safe various to C/C++. Since then we’ve been scaling up our Rust expertise and utilization throughout the Android Open Supply Venture (AOSP).
As we famous within the authentic announcement, our objective is to not convert current C/C++ to Rust, however slightly to shift growth of latest code to reminiscence secure languages over time.
In Android 13, about 21% of all new native code (C/C++/Rust) is in Rust. There are roughly 1.5 million whole strains of Rust code in AOSP throughout new performance and parts akin to Keystore2, the brand new Extremely-wideband (UWB) stack, DNS-over-HTTP3, Android’s Virtualization framework (AVF), and numerous different parts and their open supply dependencies. These are low-level parts that require a programs language which in any other case would have been applied in C++.
Safety influence
Thus far, there have been zero reminiscence security vulnerabilities found in Android’s Rust code.
We don’t count on that quantity to remain zero without end, however given the quantity of latest Rust code throughout two Android releases, and the security-sensitive parts the place it’s getting used, it’s a big end result. It demonstrates that Rust is fulfilling its meant goal of stopping Android’s commonest supply of vulnerabilities. Historic vulnerability density is larger than 1/kLOC (1 vulnerability per thousand strains of code) in a lot of Android’s C/C++ parts (e.g. media, Bluetooth, NFC, and many others). Based mostly on this historic vulnerability density, it’s possible that utilizing Rust has already prevented a whole lot of vulnerabilities from reaching manufacturing.
What about unsafe Rust?
Working system growth requires accessing assets that the compiler can’t motive about. For memory-safe languages which means an escape hatch is required to do programs programming. For Java, Android makes use of JNI to entry low-level assets. When utilizing JNI, care have to be taken to keep away from introducing unsafe habits. Thankfully, it has confirmed considerably less complicated to evaluation small snippets of C/C++ for security than total packages. There are not any pure Java processes in Android. It’s all constructed on prime of JNI. Regardless of that, reminiscence security vulnerabilities are exceptionally uncommon in our Java code.
Rust likewise has the unsafe{} escape hatch which permits interacting with system assets and non-Rust code. Very like with Java + JNI, utilizing this escape hatch comes with further scrutiny. However like Java, our Rust code is proving to be considerably safer than pure C/C++ implementations. Let’s have a look at the brand new UWB stack for instance.
There are precisely two makes use of of unsafe within the UWB code: one to materialize a reference to a Rust object saved inside a Java object, and one other for the teardown of the identical. Unsafe was actively useful on this state of affairs as a result of the additional consideration on this code allowed us to find a attainable race situation and guard in opposition to it.
Usually, use of unsafe in Android’s Rust seems to be working as meant. It’s used not often, and when it’s used, it’s encapsulating habits that’s simpler to motive about and evaluation for security.
Security measures make memory-unsafe languages gradual
Cell gadgets have restricted assets and we’re at all times attempting to make higher use of them to offer customers with a greater expertise (for instance, by optimizing efficiency, bettering battery life, and lowering lag). Utilizing reminiscence unsafe code usually signifies that we’ve got to make tradeoffs between safety and efficiency, akin to including further sandboxing, sanitizers, runtime mitigations, and {hardware} protections. Sadly, these all negatively influence code measurement, reminiscence, and efficiency.
Utilizing Rust in Android permits us to optimize each safety and system well being with fewer compromises. For instance, with the brand new UWB stack we have been capable of save a number of megabytes of reminiscence and keep away from some IPC latency by working it inside an current course of. The brand new DNS-over-HTTP/3 implementation makes use of fewer threads to carry out the identical quantity of labor through the use of Rust’s async/await function to course of many duties on a single thread in a secure method.
The variety of vulnerabilities reported within the bulletin has stayed considerably regular over the previous 4 years at round 20 per thirty days, even because the variety of reminiscence security vulnerabilities has gone down considerably. So, what offers? A number of ideas on that.
A drop in severity
Reminiscence security vulnerabilities disproportionately signify our most extreme vulnerabilities. In 2022, regardless of solely representing 36% of vulnerabilities within the safety bulletin, memory-safety vulnerabilities accounted for 86% of our vital severity safety vulnerabilities, our highest ranking, and 89% of our remotely exploitable vulnerabilities. Over the previous few years, reminiscence security vulnerabilities have accounted for 78% of confirmed exploited “in-the-wild” vulnerabilities on Android gadgets.
Many vulnerabilities have a effectively outlined scope of influence. For instance, a permissions bypass vulnerability usually grants entry to a particular set of data or assets and is mostly solely reachable if code is already working on the gadget. Reminiscence security vulnerabilities are typically rather more versatile. Getting code execution in a course of grants entry not simply to a particular useful resource, however all the pieces that that course of has entry to, together with assault floor to different processes. Reminiscence security vulnerabilities are sometimes versatile sufficient to permit chaining a number of vulnerabilities collectively. The excessive versatility is probably one motive why the overwhelming majority of exploit chains that we’ve got seen use a number of reminiscence security vulnerabilities.
With the drop in reminiscence security vulnerabilities, we’re seeing a corresponding drop in vulnerability severity.
With the lower in our most extreme vulnerabilities, we’re seeing elevated studies of much less extreme vulnerability sorts. For instance, about 15% of vulnerabilities in 2022 are DoS vulnerabilities (requiring a manufacturing unit reset of the gadget). This represents a drop in safety threat.
Android appreciates our safety analysis neighborhood and all contributions made to the Android VRP. We apply increased payouts for extra extreme vulnerabilities to make sure that incentives are aligned with vulnerability threat. As we make it more durable to seek out and exploit reminiscence security vulnerabilities, safety researchers are pivoting their focus in the direction of different vulnerability sorts. Maybe the full variety of vulnerabilities discovered is primarily constrained by the full researcher time dedicated to discovering them. Or maybe there’s one other rationalization that we’ve got not thought-about. In any case, we hope that if our vulnerability researcher neighborhood is discovering fewer of those highly effective and versatile vulnerabilities, the identical applies to adversaries.
Assault floor
Regardless of many of the current code in Android being in C/C++, most of Android’s API floor is applied in Java. Which means Java is disproportionately represented within the OS’s assault floor that’s reachable by apps. This offers an vital safety property: many of the assault floor that’s reachable by apps isn’t vulnerable to reminiscence corruption bugs. It additionally signifies that we’d count on Java to be over-represented when non-memory security vulnerabilities. It’s vital to notice nonetheless that forms of vulnerabilities that we’re seeing in Java are largely logic bugs, and as talked about above, usually decrease in severity. Going ahead, we will probably be exploring how Rust’s richer sort system can assist stop widespread forms of logic bugs as effectively.
Google’s capacity to react
With the vulnerability sorts we’re seeing now, Google’s capacity to detect and stop misuse is significantly higher. Apps are scanned to assist detect misuse of APIs earlier than being printed on the Play retailer and Google Play Defend warns customers if they’ve abusive apps put in.
Migrating away from C/C++ is difficult, however we’re making progress. Rust use is rising within the Android platform, however that’s not the top of the story. To satisfy the targets of bettering safety, stability, and high quality Android-wide, we’d like to have the ability to use Rust wherever within the codebase that native code is required. We’re implementing userspace HALs in Rust. We’re including assist for Rust in Trusted Functions. We’ve migrated VM firmware within the Android Virtualization Framework to Rust. With assist for Rust touchdown in Linux 6.1 we’re excited to convey memory-safety to the kernel, beginning with kernel drivers.
As Android migrates away from C/C++ to Java/Kotlin/Rust, we count on the variety of reminiscence security vulnerabilities to proceed to fall. Right here’s to a future the place reminiscence corruption bugs on Android are uncommon!
