Android Oreo Adds Linux Kernel Requirements and New Hardening Features
The Linux kernel continues to add security protections so developers don’t have to build them on their own. As a result, one of the first steps security experts recommend for protecting against embedded Linux malware threats is to work with the latest possible kernel release and then regularly update field devices. Now that Android is getting long in the tooth -- it was nine years ago this month that Sergey Brin and Larry Page rollerbladed onto the stage to announce the debut of the flagship HTC G1 phone -- more and more Android devices are being attacked due to out-of-date Linux kernels. To address the problem before it adds to Android’s substantial challenge with malware generated from rogue or unprotected apps, Google has announced new requirements in Android 8.0 (“Oreo”) to build on Linux kernels no older than kernel 4.4.
These new requirements, which were revealed after last week’s launch of Android 8.0, are intended to support its Project Treble technology for speeding firmware updates. Oreo has also backported several kernel hardening features from upstream Linux kernels. In the coming years, Google may well be tapping security enhancements built into this week’s release of Linux 4.13 – the 13th version of the 4.x kernel – which updates its SMB support and adds Transport Layer Security support (see farther below).
Android Oreo kernel requirements and Project Treble
Google’s first minimum Linux kernel requirements for Android were posted last week on the Android Source page and revealed by Doug Lynch on XDA-Developers. Any new SoC that ships in 2017 or later that appears on an Android 8.0 device must have a Linux 4.4 or higher kernel, says Google. Oreo-based products with older SoCs must start with Linux 3.18 or higher, which is generous considering Kernel 3.18 is listed by kernel.org as EOL.
There are no requirements for recent Linux kernels on older devices that are upgrading to Oreo. In addition, Android Open Source Project (AOSP) code for Oreo is available without any requirements for those who don’t need Android branding and access to Google Services.
On its requirements page, Google notes: “Regardless of launch date, all SoCs with device launches on Android O remain subject to kernel changes required to enable Treble.” Here, Google is referring to Project Treble, which formally debuts in Oreo. This modularization of Android is intended add some separation between the lower-level, device specific firmware written by chip manufacturers and the main OS framework.
Project Treble is implemented via a new Vendor Interface that is validated with a Vendor Test Suite (VTS). These tools give silicon makers a more detailed requirement spec for booting a new Android release so they can speed testing.
More importantly, device vendors can now update the main part of the Android framework without waiting around for SoC vendors to update their lower-level code. This should lead to faster Android software updates for customers. The hitch is that Project Treble code involves restructuring low-level, hardware specific drivers, which include extensive SoC support, so it’s likely to take several years before it affects OS update times on most Android devices.
Android 8.0 adds Linux kernel hardening
Recent Linux kernels have added kernel hardening features to help keep up with increasingly sophisticated malware schemes. As revealed on the Android Developers Blog, Android 8.0 backports four of these features from upstream Linux kernels ranging from Linux 4.4 to 4.8.
The kernel protections should help developers building Android hardware drivers to more easily detect kernel security bugs. Some 85 percent of kernel vulnerabilities in Android are due to bugs in vendor drivers, which represented a third of Android security bugs in 2016, according to Google estimates.
The key improvement is Linux 4.4’s Kernel Address Space Layout Randomization (KASLR), which randomizes the location where kernel code is loaded on each boot. KASLR has been backported to Linux 4.4 or higher kernels running in Android, while the other three features are backported to Linux 3.18.
Oreo also implements Linux 4.8’s “hardened usercopy” scheme, which protects usercopy functions that help transfer data between user space and kernel space memory. A “Privileged Access Never” (PAN) emulation borrowed from Linux 4.10’s ARM64 code helps prevent 64-bit ARM kernels from accessing user space memory directly. Finally, there’s a Linux 4.6 hardening feature called “Post-init read-only memory” that restricts a memory region to read-only mode after the kernel has been initialized to reduce the kernel’s attack surface.
Aside from these kernel protections, Oreo app security will benefit from a Google Play Protect service that is rolling out to Android 8.0 and older builds. Google Play Protect scans incoming and installed apps for malware, and sends notifications if it sees anything suspicious.
Security enhancements aside, Android 8.0 offers performance improvements including 2.5 times faster boot-up and smoother background activity management. The new release has borrowed the picture-in-picture (PIP) video mode from Android TV, and has made enhancements to autofill functionality, emojis, battery life, and Bluetooth audio.
Oreo features a major redesign of notifications, including the addition of user-customizable notification channels for easier management. Other notification changes include a snooze mode to temporarily keep notifications at bay, as well as the addition of “dots” on app launcher icons to show which notifications have not been acted upon.
Linux 4.13 gets tough with SMB
This week’s Linux 4.13 kernel release extends the trend of adding security functionality. According to a Linux.com story by Paul Brown, the biggest change concerns the SMB (Server Message Block) network access protocol. Linux 4.13 switches its default to SMB3 instead of the aging, vulnerable SMB1. Earlier this year, widespread use of SMB1 in Linux servers helped fuel the expansion of the WannaCry ransomware.
Linux 4.13 also adds support for Transport Layer Security, (TLS) the successor to Secure Sockets Layer (SSL). TLS is far more secure than SSL, but it consumes more CPU resources, so adding it to the kernel should speed things up.
Other Linux 4.13 improvements include new support for HDMI Stereo 3D output, as well as support for non-blocking buffered I/O operations to improve asynchronous I/O. The EXT4 file system has been tweaked to allow an EXT4 directory to scale to 2 billion entries.
There’s also support for Intel's upcoming Coffee Lake (8th Gen Core) CPUs, which will succeed the current Kaby Lake while retaining the same 14nm foundation. Linux 4.13 also adds some prep for the next-gen, 10nm Intel Cannon Lake architecture due later in 2018. Finally, there’s new native support for several ARM hacker boards, including the BeagleBone Blue, NanoPi M1 Plus, NanoPi Neo2, LicheePi Zero dock board, Orange Pi Prime, Orange Pi Zero Plus 2, and SoPine SoM.