Subreption awarded DARPA Cyber Fast Track funding for high assurance mobile computing R&D

Published on: 2012-09-21 10:56:05 +0000 UTC
Last modified: 2022-08-22 10:04:46 +0000 UTC

September 2012.

Subreption LLC has been awarded a second DARPA Cyber Fast Track contract (under solicitation DARPA-RA-11-52).

Following successful completion of its first contract to develop a next-generation dynamic memory allocator protection set for Linux, FreeBSD and a hardened offshoot of the jemalloc high-performance user-land allocator, Subreption has now shifted focus towards deploying these and other protections in the Android operating system for mobile devices.

As a full-spectrum research and development effort, development began in early August under the codename “SAFEDROID”.

SAFEDROID aims to cover the gaps of projects such as SEAndroid, which are at this time centered on Mandatory Access Control (MAC) implementation. While policy-based frameworks cover an essential area of Android security (information and process containment), other problems such as the integrity of the kernel-land security decision-making logic, user-land applications, OS interface isolation and hardening of internals remain out of the scope of MAC. In short, MAC provides after-the-fact protection, limiting the scope of adversarial actions once process execution has already been subverted.

SAFEDROID aims to prevent reliable exploitation of not only user-land applications, but the internals of the kernel as well, leveraging technology developed as part of the DYMASEC project, vastly improving support for several mitigations in applications and developing new protections to transform Android into a high assurance mobile OS, not in terms of evaluation standards, but pragmatic security.

Subreption intends to cooperate with Google and contribute to the mainstream Android code-base over the course of the next seven months, to make essential modifications available to Android devices off-the-shelf.

At the moment, Subreption has implemented a heavily modified version of the PaX project (developed by the PaX Team) for OMAP-based devices, which covers ARM platforms exclusively and accounts for several Android peculiarities. Although several protections and toolchain modifications are still work in progress, these changes have already increased the effectiveness of mitigations such as Address Space Layout Randomization (ASLR) and memory protection semantics enforcement by an order of magnitude. DYMASEC has been adapted for the kernel code bases of OMAP and other platforms, effectively mitigating known and unknown vulnerabilities in Android-specific kernel drivers involving the kernel heap allocator. Without DYMASEC, these vulnerabilities can be readily used to escalate privileges following a so-called “client-side exploit” against a user-land application, resulting in greater levels of compromise and complete violation of confidentiality for user and application data.

The motivation of Subreption in developing SAFEDROID is the impracticality of actively solving vulnerabilities in the heterogeneous landscape of Android mobile device vendors, kernel code bases and applications. The fundamental problem of mobile security has been mistakenly addressed similarly to security of desktop systems: the symptoms of the problem are individually addressed on a need-to-fix basis, while the root causes remain undisturbed. At unsophisticated abstraction levels, particular vulnerabilities can be considered the culprit of Android insecurity. However, in practice those vulnerabilities can be abused only because the operating system and the architecture underneath allow certain conditions to happen. Failure to properly enforce memory protections, permissive protection transitions of memory segments, process isolation, poorly segregated code regions and other issues are what Subreption strives to solve in the Android operating system.

We believe Android represents the first chance in well over a decade to see such proactive defense technologies achieve widespread adoption. As a self-contained operating system, Android is a good candidate to showcase security mitigations that address many problems that plague mobile devices today.

Subreption expresses its gratitude to DARPA and the Cyber Fast Track program, as well as those involved in its management and execution, for funding these efforts, improving the state of the art not only for the defense community, but the general public and Android community as well.

Furthermore, we would like to acknowledge the continuous altruistic work of the PaX Team and Brad Spengler (of grsecurity fame) in advancing OS security for over a decade.

Approved for Public Release, Distribution Unlimited.

The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.