Google to Samsung: Stop messing with Linux kernel code. It's hurting Android security

Samsung's attempt to prevent attacks on Galaxy phones by modifying kernel code ended up exposing it to more security bugs, according to Google Project Zero (GPZ).

Not only are smartphone makers like Samsung creating more vulnerabilities by adding downstream custom drivers for direct hardware access to Android's Linux kernel, vendors would be better off using security features that already exist in the Linux kernel, according to GPZ researcher Jann Horn.

[...]

Incidentally, the February update also includes a patch for a critical flaw in "TEEGRIS devices", referring to the Trusted Execution Environment (TEE) on newer Galaxy phones that contain Samsung's proprietary TEE operating system. The Galaxy S10 is among the TEEGRIS devices.

But Horn's new blogpost is focused on efforts in Android to reduce the security impact of vendors adding unique code to the kernel.

"Android has been reducing the security impact of such code by locking down which processes have access to device drivers, which are often vendor-specific," explains Horn.

An example is that newer Android phones access hardware through dedicated helper processes, collectively known as the Hardware Abstraction Layer (HAL) in Android. But Horn says vendors modifying how core parts of the Linux kernel work undermines efforts to "lock down the attack surface".

  • Google slams Samsung for making unnecessary changes to Linux kernel code

    We all know that Samsung makes an extra effort in strengthening the security of its smartphones with initiatives such as Knox. However, sometimes those extra efforts hurt more than they help. Now, Google has slammed the South Korean smartphone brand for making unnecessary changes to the Linux kernel code and exposing it to more security bugs.

    According to Google Project Zero researcher Jann Horn, Samsung is creating more vulnerabilities by adding downstream custom drivers for direct hardware access to Android’s Linux kernel. These changes are implemented without being reviewed by upstream kernel developers. Horn found a similar mistake in the Android kernel of the Galaxy A50, and the unreviewed custom driver added security bugs related to memory corruption.

  • Google Scolds Samsung For Making Linux Kernel In Android More Hackable

    Google is accustomed to seeing smartphone vendors making changes to the Linux kernel in Android. It is essential, at times, for some device-specific drivers to function properly.

    However, it was “unnecessary” to make such changes in Samsung Galaxy A50’s Android kernel, writes Google’s Jann Horn in a blog post. Horn is part of Google’s Project Zero (GPZ) team that is responsible for finding bugs and security exploits.
