Android Nougat is bringing with it a slew of security improvements, many of them under the covers, and the one that likely will have the biggest long-term effect is the major rebuilding effort Google undertook on the media stack.
That component of the operating system processes audio and video, and it has been a weak spot in Android. The media stack includes the mediaserver process, which parses media files on behalf of a number of apps on Android devices. Researcher Josh Drake last year disclosed critical vulnerabilities in libstagefright, the media-parsing library in that stack, which could allow an attacker to execute code on a target device simply by sending a malicious MMS message that the phone processed without any user interaction. The Stagefright vulnerabilities are among the more widespread and dangerous flaws to affect Android, and though Google patched them last year, the company decided to take a more systemic approach to the problem in Nougat.
Rather than fixing such vulnerabilities one at a time, Google added mitigations in Nougat that shut down an entire class of bugs at once.
“In Android Nougat, we’ve both hardened and re-architected mediaserver, one of the main system services that processes untrusted input. First, by incorporating integer overflow sanitization, part of Clang’s UndefinedBehaviorSanitizer, we prevent an entire class of vulnerabilities, which comprise the majority of reported libstagefright bugs. As soon as an integer overflow is detected, we shut down the process so an attack is stopped,” Xiaowen Xin of the Android security team said.
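To make the bug class Xin describes concrete, here is an added example (not Android's or Google's code): a constructed container header whose entry count and entry size are attacker-controlled, shown first in the unchecked form that wraps in 32-bit arithmetic and then in a checked form that refuses the header, which is the outcome the integer-overflow sanitizer forces on the whole process at compile time. The header layout, the sample inputs and the function names are hypothetical; the explicit `__builtin_mul_overflow` check stands in for the compiler instrumentation so the behaviour is visible without special build flags.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a parsed container header (hypothetical layout):
 * two attacker-controlled 32-bit fields, as a box/atom parser would read
 * them from an untrusted media file. */
struct chunk_header {
    uint32_t entry_count;
    uint32_t entry_size;
};

/* Constructed inputs: one benign, one crafted so the product exceeds 2^32. */
static const struct chunk_header kBenignHeader    = { 16u, 64u };
static const struct chunk_header kMaliciousHeader = { 0x10000u, 0x10001u };

/* Vulnerable form: the 32-bit multiplication wraps silently, so a buffer
 * sized from this value is far smaller than the data the parser later
 * copies into it. Built with
 *   clang -fsanitize=unsigned-integer-overflow -fsanitize-trap=all
 * the wrap becomes a trap that kills the process instead of a heap overflow. */
uint32_t payload_size_unchecked(const struct chunk_header *h)
{
    return h->entry_count * h->entry_size;
}

/* Hardened form: detect the overflow explicitly and reject the header.
 * Stores the size in *out (when out is non-NULL) and returns true only
 * when the product fits in 32 bits. */
bool payload_size_checked(const struct chunk_header *h, uint32_t *out)
{
    uint32_t total;
    if (__builtin_mul_overflow(h->entry_count, h->entry_size, &total))
        return false;
    if (out)
        *out = total;
    return true;
}

/* Size of the under-allocation the wrapped value causes: the gap between
 * what the fields really describe (computed in 64 bits) and what the
 * unchecked parser would pass to malloc(). Zero means no overflow. */
uint64_t underallocation_bytes(const struct chunk_header *h)
{
    uint64_t real = (uint64_t)h->entry_count * (uint64_t)h->entry_size;
    return real - payload_size_unchecked(h);
}

int main(void)
{
    uint32_t size;
    printf("benign:    unchecked=%u checked=%s\n",
           payload_size_unchecked(&kBenignHeader),
           payload_size_checked(&kBenignHeader, &size) ? "accepted" : "rejected");
    printf("malicious: unchecked=%u (short by %llu bytes) checked=%s\n",
           payload_size_unchecked(&kMaliciousHeader),
           (unsigned long long)underallocation_bytes(&kMaliciousHeader),
           payload_size_checked(&kMaliciousHeader, &size) ? "accepted" : "rejected");
    return 0;
}
```

The crafted header makes the unchecked parser allocate 65,536 bytes for data that is really just over 4 GB, the classic setup for the heap overflows reported against libstagefright; the checked path rejects it before any allocation happens. The sanitizer Xin mentions gets the same effect for every multiplication and addition in the process without the developer having to find each one.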
The rebuild of the media stack also brings a change that limits the damage that a compromise of a portion of the stack can do.
“Second, we’ve modularized the media stack to put different components into individual sandboxes and tightened the privileges of each sandbox to have the minimum privileges required to perform its job. With this containment technique, a compromise in many parts of the stack grants the attacker access to significantly fewer permissions and significantly reduced exposed kernel attack surface,” Xin said.
The kind of attack the Stagefright bugs allowed is the kind that scares users and developers alike: the flaw is buried deep inside Android, and exploiting it takes nothing more than sending the target a single malicious MMS message. On Tuesday, Google patched a similar vulnerability in the Mediaserver component of Android, one that could lead to remote code execution if an attacker delivered a malicious JPEG.
“A remote code execution vulnerability in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process,” Google said in the September Android bulletin.