Language Selection

English French German Italian Portuguese Spanish

Google to Samsung: Stop messing with Linux kernel code. It's hurting Android security

Filed under
Android
Linux
Google
Security

Samsung's attempt to prevent attacks on Galaxy phones by modifying kernel code ended up exposing it to more security bugs, according to Google Project Zero (GPZ).

Not only are smartphone makers like Samsung creating more vulnerabilities by adding downstream custom drivers for direct hardware access to Android's Linux kernel, vendors would be better off using security features that already exist in the Linux kernel, according to GPZ researcher Jann Horn.

[...]

Incidentally, the February update also includes a patch for critical flaw in "TEEGRIS devices", referring to Trusted Execution Environment (TEE) on newer Galaxy phones that contain Samsung's proprietary TEE operating system. The Galaxy S10 is among TEEGRIS devices.

But Horn's new blogpost is focused on efforts in Android to reduce the security impact of vendors adding unique code to the kernel.

"Android has been reducing the security impact of such code by locking down which processes have access to device drivers, which are often vendor-specific," explains Horn.

An example is that newer Android phones access hardware through dedicated helper processes, collectively known as the Hardware Abstraction Layer (HAL) in Android. But Horn says vendors modifying how core parts of the Linux kernel work undermines efforts to "lock down the attack surface".

Read more

Google slams Samsung for making unnecessary changes to Linux

  • Google slams Samsung for making unnecessary changes to Linux kernel code

    We all know that Samsung makes an extra effort in strengthening the security of its smartphones with initiatives such as Knox. However, sometimes those extra efforts hurt more than they help. Now, Google has slammed the South Korean smartphone brand for making unnecessary changes to the Linux kernel code and exposing it to more security bugs.

    According to Google Project Zero researcher Jann Horn, Samsung is creating more vulnerabilities by adding downstream custom drivers for direct hardware access to Android’s Linux kernel. These changes are implemented without being reviewed by upstream kernel developers. Horn found a similar mistake in the Android kernel of the Galaxy A50, and the unreviewed custom driver added security bugs related to memory corruption.

Google Scolds Samsung For Making Linux Kernel In Android

  • Google Scolds Samsung For Making Linux Kernel In Android More Hackable

    Google is accustomed to seeing smartphone vendors making changes to the Linux kernel in Android. It is essential, at times, for some device-specific drivers to function properly.

    However, it was “unnecessary” to make such changes in Samsung Galaxy A50’s Android kernel, writes Google’s Jann Horn in a blog post. Horn is part of Google’s Project Zero (GPZ) team that is responsible for finding bugs and security exploits.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Second Shortwave Beta

Today I can finally announce the second Shortwave Beta release! I planned to release it earlier, but unfortunately the last few weeks were a bit busy for me. Read more

Thanks to Linux, I just installed a pro-level video editor on my Chromebook

We’re constantly looking around for new tricks to make our Chromebooks even more capable than they’ve already become over the past couple of years. Every day, there are fewer use-cases where a Windows or Mac device is a necessity and we truly believe that Chrome OS will eventually offer comparable alternatives to that narrowing space. If there is one product, in particular, that Chrome OS will need to figure out, it’s video editing. Sure, there are great online products like WeVideo for lightweight projects and you can even find some pretty good video editing platforms in the Google Play Store but what we’re talking about is serious, high-octane editing that’s worthy of a Hollywood studio. (Well, a low-budget studio maybe.) Read more

This $200 Laptop Is Like a Chromebook You Can Hack

For some reason, despite the fact that our devices can seemingly do anything with an impressive level of polish, there are folks who want to learn from the tech they use. They want a challenge—and an adventure. I think I’ve learned over the last year or two that I’m one of those people. I primarily like using Hackintoshes despite the fact that the machines are intended for Windows, and I will mess with old pieces of computing history just to see if they uncover new ways of thinking about things. So when I heard about the Pinebook Pro, I was in. Here was a laptop built on the same ARM architecture primarily used for smartphones and internet-of-things devices, and designed to run Linux. Is it for everyone? Maybe not. But, if you love an adventure, you should be excited about what it represents. Read more

GNU/Linux Devices and Open Hardware

  • Jetson Nano carriers take on Nvidia’s official Dev Kit

    Aetina unveiled a rugged, 87 x 67mm “AN110” carrier for the Jetson Nano, and on KS there’s a 4x PoE “AeyeQ” carrier for the Nano and Xavier NX. The boards join other recent Nano carriers including AntMicro’s “Nano Baseboard,” Auvidea’s “JN30A/B,” and two carriers from AverMedia. Nvidia broke with tradition by introducing a maker-oriented development kit for its compact, Linux-driven Jetson Nano module priced at only $99. Nvidia supported its previous Jetson modules with more expensive and feature rich development kits, leaving third party partners to provide more affordable carrier options.

  • Wind River Launches CI/CD Model For Linux Customers

    Wind River has rolled out a continuous integration and continuous delivery (CI/CD) model for Wind River Linux customers. Wind River Linux follows a CI/CD process that allows customers to access new releases every few weeks. With this new cadence, teams can begin to build their own continuous integration and delivery systems for their customers, get a head start on building new platforms sooner, and enjoy similar benefits of Common Vulnerabilities and Exposures (CVE) management, technical support, and quality typically found in annual and Long Term Support (LTS) releases.

  • Open-Source Hardware in the Modern Era

    Arduino is an open-source electronics platform based on a simplified hardware and software management system. Probably the best known Italian brand in the digital world, Arduino has become an icon for its pioneering open-source boards. With Arduino, it is possible, in an extremely fast way, to develop devices that integrate not only classic electronic components but also sensors, servomechanisms, and communication devices. Arduino, therefore, breaks down the barriers to entry that the world of electronics experienced with information technology and opens up a universe of possibilities to the world of modern makers who like to experiment and prototype electronic devices at economically advantageous prices. Arduino Uno arrived in 2005. The technology par excellence in Italy has become one of the pillars of the maker movement. Many things have changed in recent years, and the best way to know Arduino better is to interview its CEO, Fabio Violante.