December 13, 2023 at 09:12AM
Google is promoting the use of Clang sanitizers for enhancing the security of Android’s cellular baseband. The sanitizers, such as IntSan and BoundSan, help detect vulnerabilities and prevent remote code execution. Despite performance overhead, Google has enabled them in critical attack surfaces. The move complements the transition to memory-safe languages like Rust.
From the meeting notes, the key takeaways are:
– Google is emphasizing the role of Clang sanitizers in strengthening the security of the cellular baseband in the Android operating system and preventing specific vulnerabilities.
– The Integer Overflow Sanitizer (IntSan) and BoundsSanitizer (BoundSan) are part of UndefinedBehaviorSanitizer (UBSan) and are designed to catch various kinds of undefined behavior during program execution.
– Both IntSan and BoundSan are being enabled in security-critical attack surfaces to detect arithmetic overflows and perform bounds checks around array accesses.
– Google has also rewritten the Android Virtualization Framework’s (AVF) protected VM (pVM) firmware in Rust to provide a memory-safe foundation for the pVM root of trust.
– The use of modern toolchains and exploit mitigation technologies can raise the bar for attacking the baseband.
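The two checks described above, as an added illustration that is not from Google's post or from any baseband code: a constructed fixed-size record table with an unchecked length multiplication and an unchecked array store beside their explicitly checked counterparts. Record and table sizes are invented. Built with `clang -fsanitize=integer,bounds -fsanitize-trap=integer,bounds`, the unchecked functions are the ones IntSan and BoundSan would instrument; the checked functions show what the code should do on its own when the sanitizer is not present.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for a record table, illustrative only (not from any
 * real firmware). */
#define RECORD_SIZE 32u
#define MAX_RECORDS 64u

static uint8_t g_table[MAX_RECORDS][RECORD_SIZE];

/* Unchecked length computation. With count = 0x08000000 the product is
 * 2^32, which wraps to 0 in uint32_t arithmetic. Under
 * -fsanitize=unsigned-integer-overflow (included in -fsanitize=integer)
 * Clang reports this multiplication; with -fsanitize-trap it aborts. */
uint32_t total_length_unchecked(uint32_t count) {
    return count * RECORD_SIZE;
}

/* Explicit version: detect the wrap with the compiler builtin and report
 * it to the caller instead of silently producing a too-small length. */
bool total_length_checked(uint32_t count, uint32_t *out) {
    uint32_t total;
    if (__builtin_mul_overflow(count, RECORD_SIZE, &total)) {
        return false;
    }
    *out = total;
    return true;
}

/* Unchecked store. For idx >= MAX_RECORDS this writes past g_table.
 * Because the array's extent is known at compile time, -fsanitize=bounds
 * inserts a check on the g_table[idx] access. Not called in main(). */
void store_record_unchecked(uint32_t idx, const uint8_t *src) {
    memcpy(g_table[idx], src, RECORD_SIZE);
}

/* Bounds-checked store: refuses out-of-range indices and writes nothing. */
bool store_record_checked(uint32_t idx, const uint8_t *src) {
    if (idx >= MAX_RECORDS) {
        return false;
    }
    memcpy(g_table[idx], src, RECORD_SIZE);
    return true;
}

/* Read back one byte of a stored record so callers can confirm the write. */
uint8_t record_byte(uint32_t idx, size_t offset) {
    if (idx >= MAX_RECORDS || offset >= RECORD_SIZE) {
        return 0;
    }
    return g_table[idx][offset];
}

int main(void) {
    uint8_t sample[RECORD_SIZE];
    uint32_t len = 0;
    memset(sample, 0xAB, sizeof sample); /* constructed record payload */

    printf("checked(2) ok=%d len=%u\n", total_length_checked(2, &len), len);
    printf("checked(0x08000000) ok=%d\n", total_length_checked(0x08000000u, &len));
    printf("unchecked(0x08000000) wraps to %u\n", total_length_unchecked(0x08000000u));
    printf("store idx 63 ok=%d\n", store_record_checked(63, sample));
    printf("store idx 64 ok=%d\n", store_record_checked(64, sample));
    return 0;
}
```

The checked variants are the behaviour a sanitizer-instrumented build enforces at runtime; the point of IntSan and BoundSan is that the unchecked variants, which are what real parsers often contain, become a trap rather than a silent corruption.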