For greater than a decade, reminiscence security vulnerabilities have constantly represented greater than 65% of vulnerabilities throughout merchandise, and throughout the {industry}. On Android, we’re now seeing one thing totally different – a major drop in reminiscence security vulnerabilities and an related drop within the severity of our vulnerabilities.
Looking at vulnerabilities reported within the Android safety bulletin, which incorporates critical/high severity vulnerabilities reported by way of our vulnerability rewards program (VRP) and vulnerabilities reported internally, we see that the variety of reminiscence security vulnerabilities have dropped significantly over the previous few years/releases. From 2019 to 2022 the annual variety of reminiscence security vulnerabilities dropped from 223 right down to 85.
This drop coincides with a shift in programming language utilization away from reminiscence unsafe languages. Android 13 is the primary Android launch the place a majority of latest code added to the discharge is in a reminiscence protected language.
As the quantity of latest memory-unsafe code coming into Android has decreased, so too has the variety of reminiscence security vulnerabilities. From 2019 to 2022 it has dropped from 76% right down to 35% of Android’s complete vulnerabilities. 2022 is the primary yr the place reminiscence security vulnerabilities don’t symbolize a majority of Android’s vulnerabilities.
While correlation doesn’t essentially imply causation, it’s attention-grabbing to notice that the p.c of vulnerabilities brought on by reminiscence issues of safety appears to correlate slightly intently with the event language that’s used for brand new code. This matches the expectations printed in our weblog publish 2 years in the past concerning the age of reminiscence security vulnerabilities and why our focus ought to be on new code, not rewriting present parts. Of course there could also be different contributing components or different explanations. However, the shift is a serious departure from industry-wide tendencies which have persevered for greater than a decade (and certain longer) regardless of substantial investments in enhancements to reminiscence unsafe languages.
We proceed to put money into instruments to enhance the security of our C/C++. Over the previous few releases we’ve launched the Scudo hardened allocator, HWASAN, GWP-ASAN, and KFENCE on manufacturing Android gadgets. We’ve additionally elevated our fuzzing protection on our present code base. Vulnerabilities discovered utilizing these instruments contributed each to prevention of vulnerabilities in new code in addition to vulnerabilities present in outdated code which might be included within the above analysis. These are vital instruments, and critically vital for our C/C++ code. However, these alone don’t account for the massive shift in vulnerabilities that we’re seeing, and different tasks which have deployed these applied sciences haven’t seen a serious shift of their vulnerability composition. We consider Android’s ongoing shift from memory-unsafe to memory-safe languages is a significant factor.
In Android 12 we introduced help for the Rust programming language within the Android platform as a memory-safe different to C/C++. Since then we’ve been scaling up our Rust expertise and utilization throughout the Android Open Source Project (AOSP).
As we famous within the unique announcement, our aim is to not convert present C/C++ to Rust, however slightly to shift improvement of latest code to reminiscence protected languages over time.
In Android 13, about 21% of all new native code (C/C++/Rust) is in Rust. There are roughly 1.5 million complete traces of Rust code in AOSP throughout new performance and parts resembling Keystore2, the brand new Ultra-wideband (UWB) stack, DNS-over-HTTP3, Android’s Virtualization framework (AVF), and varied different parts and their open supply dependencies. These are low-level parts that require a programs language which in any other case would have been applied in C++.
Security affect
To date, there have been zero reminiscence security vulnerabilities found in Android’s Rust code.
We don’t anticipate that quantity to remain zero ceaselessly, however given the quantity of latest Rust code throughout two Android releases, and the security-sensitive parts the place it’s getting used, it’s a major end result. It demonstrates that Rust is fulfilling its meant goal of stopping Android’s commonest supply of vulnerabilities. Historical vulnerability density is larger than 1/kLOC (1 vulnerability per thousand traces of code) in a lot of Android’s C/C++ parts (e.g. media, Bluetooth, NFC, and so forth). Based on this historic vulnerability density, it’s possible that utilizing Rust has already prevented a whole lot of vulnerabilities from reaching manufacturing.
What about unsafe Rust?
Operating system improvement requires accessing assets that the compiler can not motive about. For memory-safe languages which means that an escape hatch is required to do programs programming. For Java, Android makes use of JNI to entry low-level assets. When utilizing JNI, care should be taken to keep away from introducing unsafe conduct. Fortunately, it has confirmed considerably easier to evaluate small snippets of C/C++ for security than complete applications. There are not any pure Java processes in Android. It’s all constructed on high of JNI. Despite that, reminiscence security vulnerabilities are exceptionally uncommon in our Java code.
Rust likewise has the unsafe{} escape hatch which permits interacting with system assets and non-Rust code. Much like with Java + JNI, utilizing this escape hatch comes with extra scrutiny. But like Java, our Rust code is proving to be considerably safer than pure C/C++ implementations. Let’s have a look at the brand new UWB stack for instance.
There are precisely two makes use of of unsafe within the UWB code: one to materialize a reference to a Rust object saved inside a Java object, and one other for the teardown of the identical. Unsafe was actively useful on this scenario as a result of the additional consideration on this code allowed us to find a attainable race situation and guard towards it.
In basic, use of unsafe in Android’s Rust seems to be working as meant. It’s used hardly ever, and when it’s used, it’s encapsulating conduct that’s simpler to motive about and evaluate for security.
Safety measures make memory-unsafe languages sluggish
Mobile gadgets have restricted assets and we’re all the time attempting to make higher use of them to supply customers with a greater expertise (for instance, by optimizing efficiency, enhancing battery life, and decreasing lag). Using reminiscence unsafe code usually implies that we’ve to make tradeoffs between safety and efficiency, resembling including extra sandboxing, sanitizers, runtime mitigations, and {hardware} protections. Unfortunately, these all negatively affect code dimension, reminiscence, and efficiency.
Using Rust in Android permits us to optimize each safety and system well being with fewer compromises. For instance, with the brand new UWB stack we had been in a position to save a number of megabytes of reminiscence and keep away from some IPC latency by operating it inside an present course of. The new DNS-over-HTTP/3 implementation makes use of fewer threads to carry out the identical quantity of labor through the use of Rust’s async/await characteristic to course of many duties on a single thread in a protected method.
The variety of vulnerabilities reported within the bulletin has stayed considerably regular over the previous 4 years at round 20 per 30 days, even because the variety of reminiscence security vulnerabilities has gone down considerably. So, what provides? A number of ideas on that.
A drop in severity
Memory security vulnerabilities disproportionately symbolize our most extreme vulnerabilities. In 2022, regardless of solely representing 36% of vulnerabilities within the safety bulletin, memory-safety vulnerabilities accounted for 86% of our crucial severity safety vulnerabilities, our highest ranking, and 89% of our remotely exploitable vulnerabilities. Over the previous few years, reminiscence security vulnerabilities have accounted for 78% of confirmed exploited “in-the-wild” vulnerabilities on Android gadgets.
Many vulnerabilities have a effectively outlined scope of affect. For instance, a permissions bypass vulnerability usually grants entry to a particular set of data or assets and is mostly solely reachable if code is already operating on the system. Memory security vulnerabilities are typically far more versatile. Getting code execution in a course of grants entry not simply to a particular useful resource, however every part that that course of has entry to, together with assault floor to different processes. Memory security vulnerabilities are sometimes versatile sufficient to permit chaining a number of vulnerabilities collectively. The excessive versatility is maybe one motive why the overwhelming majority of exploit chains that we’ve seen use a number of reminiscence security vulnerabilities.
With the drop in reminiscence security vulnerabilities, we’re seeing a corresponding drop in vulnerability severity.
With the lower in our most extreme vulnerabilities, we’re seeing elevated experiences of much less extreme vulnerability sorts. For instance, about 15% of vulnerabilities in 2022 are DoS vulnerabilities (requiring a manufacturing facility reset of the system). This represents a drop in safety threat.
Android appreciates our safety analysis neighborhood and all contributions made to the Android VRP. We apply increased payouts for extra extreme vulnerabilities to make sure that incentives are aligned with vulnerability threat. As we make it more durable to search out and exploit reminiscence security vulnerabilities, safety researchers are pivoting their focus in the direction of different vulnerability sorts. Perhaps the full variety of vulnerabilities discovered is primarily constrained by the full researcher time dedicated to discovering them. Or maybe there’s one other clarification that we’ve not thought-about. In any case, we hope that if our vulnerability researcher neighborhood is discovering fewer of those highly effective and versatile vulnerabilities, the identical applies to adversaries.
Attack floor
Despite many of the present code in Android being in C/C++, most of Android’s API floor is applied in Java. This implies that Java is disproportionately represented within the OS’s assault floor that’s reachable by apps. This gives an vital safety property: many of the assault floor that’s reachable by apps isn’t vulnerable to reminiscence corruption bugs. It additionally implies that we might anticipate Java to be over-represented when non-memory security vulnerabilities. It’s vital to notice nevertheless that sorts of vulnerabilities that we’re seeing in Java are largely logic bugs, and as talked about above, usually decrease in severity. Going ahead, we will likely be exploring how Rust’s richer kind system can assist stop frequent sorts of logic bugs as effectively.
Google’s means to react
With the vulnerability sorts we’re seeing now, Google’s means to detect and forestall misuse is significantly higher. Apps are scanned to assist detect misuse of APIs earlier than being printed on the Play retailer and Google Play Protect warns customers if they’ve abusive apps put in.
Migrating away from C/C++ is difficult, however we’re making progress. Rust use is rising within the Android platform, however that’s not the top of the story. To meet the targets of enhancing safety, stability, and high quality Android-wide, we’d like to have the ability to use Rust anyplace within the codebase that native code is required. We’re implementing userspace HALs in Rust. We’re including help for Rust in Trusted Applications. We’ve migrated VM firmware within the Android Virtualization Framework to Rust. With help for Rust touchdown in Linux 6.1 we’re excited to convey memory-safety to the kernel, beginning with kernel drivers.
As Android migrates away from C/C++ to Java/Kotlin/Rust, we anticipate the variety of reminiscence security vulnerabilities to proceed to fall. Here’s to a future the place reminiscence corruption bugs on Android are uncommon!