Case study

SAFEDROID: Secure mobile computing platform

Funded under the DARPA Cyber Fast Track (CFT) program, SAFEDROID enforced memory protections and reduced system predictability, altering core components of the operating system (OS), based on Android and the Linux kernel, to provide a defense-in-depth solution against zero-day attacks targeting smartphone users. The project leveraged Subreption’s DYMASEC (proactive defenses for memory allocators) extensively, providing a high level of deterrence against all vulnerability classes related to dynamic memory.

SAFEDROID: Secure mobile computing platform
  • Field of use: Information Assurance
  • Initial Development: 2012
  • First Functional Milestone: 2012
  • EOL: 2017 (superseded)
  • Distribution: US Government and Private Industry (limited)
  • Customer: DARPA/US Government
  • Languages: Java, C

Problem

Android smartphones have become a staple among devices targeted with sophisticated zero-day attacks, as well as with older vulnerabilities that vendors fail to patch across the entire market. Outdated phones and systems based on Android represent a significant share of the system's total user base. Offensive security research involving Android was already wildly popular circa 2012, while the security track record of Android remained poor. DARPA created the Cyber Fast Track, thanks to the significant efforts of Peiter ‘Mudge’ Zatko, as an initiative to promote more agile cooperation between information security industry talent and the US Government. A proposal for SAFEDROID was accepted to address the state of Android security at the time.

Solution

SAFEDROID encompassed a system-wide effort to introduce significant hardening across all the components of the Android OS, including but not limited to the kernel, the C library (libc) and other toolchain elements. DYMASEC was implemented for the system to cover all mitigations for dynamic memory-related vulnerabilities. Prototypes were built using the Google Galaxy Nexus as the base device, and custom jigs had to be made for accessing kernel debugging functions. Inspiration was taken from well-known projects like the Openwall Linux kernel patch by Alexander Peslyak, aka Solar Designer (also a CFT alumnus), and PaX/grsecurity (responsible for motivating us to develop the earliest iteration of DYMASEC, KERNHEAP).

Result

As part of the CFT, a license was granted to the US Government for exploitation rights, while Subreption retained all intellectual property ownership. The project was presented at the DARPA I2O Demo Day at the Pentagon Center Courtyard in Arlington, VA (2014). As of 2022, products like GrapheneOS (initially CopperheadOS) emulated what SAFEDROID had done before everyone else, in some cases even plagiarizing our ideas or basing entire components on our early KERNHEAP and DYMASEC concepts (while providing absolutely zero credit to others who were also pioneers in building the foundations for many security mechanisms, such as the grsecurity project, also plagiarized by Daniel Micay in the aforementioned products, while readily soliciting funding and finally engaging in defamation and slander of his former business partner following a dispute when Mr. Micay’s financial demands were rejected, facts that are well documented both in public and private evidence Subreption had access to over the years). SAFEDROID saw limited distribution in private industry, and customized devices were built for individuals at high risk of being targeted.

Hardened kernel
  • The first Android kernel hardened against all forms of dynamic memory corruption vulnerabilities.
  • The first KERNEXEC (an original PaX concept, non-writable, non-executable pages for select kernel memory segments) implementation for OMAP on 32-bit ARM without LPAE.
  • Improved ASLR, despite the limitations of 32-bit ARM.
  • Hardened subsystems for IPC, ashmem, etc.

Hardened user-land
  • A completely hardened libc and DYMASEC's own allocator.
  • Modified UI to display hardening information.
  • Asynchronous alert handling watchdog, allowing developers to process security violations with their own integrations.

Hassle-free
  • Compatible with existing Android applications: consumer applications and the Google software suite are supported, for minimal usability impact.
  • Virtually configuration-free.
  • Tested on Google's flagship devices at the time.

Copyright and external trademarks

Trademarks, logos and brand names are the property of their respective owners. All company, product and service names referenced or mentioned in this page are for identification and fair-use purposes only, with no endorsement implied.