Language Selection

English French German Italian Portuguese Spanish

Google to Samsung: Stop messing with Linux kernel code. It's hurting Android security

Filed under
Android
Linux
Google
Security

Samsung's attempt to prevent attacks on Galaxy phones by modifying kernel code ended up exposing it to more security bugs, according to Google Project Zero (GPZ).

Not only are smartphone makers like Samsung creating more vulnerabilities by adding downstream custom drivers for direct hardware access to Android's Linux kernel, vendors would be better off using security features that already exist in the Linux kernel, according to GPZ researcher Jann Horn.

[...]

Incidentally, the February update also includes a patch for critical flaw in "TEEGRIS devices", referring to Trusted Execution Environment (TEE) on newer Galaxy phones that contain Samsung's proprietary TEE operating system. The Galaxy S10 is among TEEGRIS devices.

But Horn's new blogpost is focused on efforts in Android to reduce the security impact of vendors adding unique code to the kernel.

"Android has been reducing the security impact of such code by locking down which processes have access to device drivers, which are often vendor-specific," explains Horn.

An example is that newer Android phones access hardware through dedicated helper processes, collectively known as the Hardware Abstraction Layer (HAL) in Android. But Horn says vendors modifying how core parts of the Linux kernel work undermines efforts to "lock down the attack surface".

Read more

Google slams Samsung for making unnecessary changes to Linux

  • Google slams Samsung for making unnecessary changes to Linux kernel code

    We all know that Samsung makes an extra effort in strengthening the security of its smartphones with initiatives such as Knox. However, sometimes those extra efforts hurt more than they help. Now, Google has slammed the South Korean smartphone brand for making unnecessary changes to the Linux kernel code and exposing it to more security bugs.

    According to Google Project Zero researcher Jann Horn, Samsung is creating more vulnerabilities by adding downstream custom drivers for direct hardware access to Android’s Linux kernel. These changes are implemented without being reviewed by upstream kernel developers. Horn found a similar mistake in the Android kernel of the Galaxy A50, and the unreviewed custom driver added security bugs related to memory corruption.

Google Scolds Samsung For Making Linux Kernel In Android

  • Google Scolds Samsung For Making Linux Kernel In Android More Hackable

    Google is accustomed to seeing smartphone vendors making changes to the Linux kernel in Android. It is essential, at times, for some device-specific drivers to function properly.

    However, it was “unnecessary” to make such changes in Samsung Galaxy A50’s Android kernel, writes Google’s Jann Horn in a blog post. Horn is part of Google’s Project Zero (GPZ) team that is responsible for finding bugs and security exploits.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Rules for product managers at open source companies

Product management is an interesting career. It's immensely rewarding to be the interface between users, business strategy, engineering, and product design. And it's also a highly lucrative career with increasing demand for ambitious and empathetic practitioners. It's also a role with no single path. You might see various certifications and courses emerging to help address the serious skills shortage. The good news is that these are starting to contribute to the talent pipeline, but they struggle to address the wider demands of the role. This is especially the case where roles require direct experience across the enormous range of what it takes to build and ship successful products. Read more

How we decide when to release Fedora

Open source projects can use a variety of different models for deciding when to put out a release. Some projects release on a set schedule. Others decide on what the next release should contain and release whenever that is ready. Some just wake up one day and decide it’s time to release. And other projects go for a rolling release model, avoiding the question entirely. For Fedora, we go with a schedule-based approach. Releasing twice a year means we can give our contributors time to implement large changes while still keeping on the leading edge. Targeting releases for the end of April and the end of October gives everyone predictability: contributors, users, upstreams, and downstreams. But it’s not enough to release whatever’s ready on the scheduled date. We want to make sure that we’re releasing quality software. Over the years, the Fedora community has developed a set of processes to help ensure we can meet both our time and and quality targets. Read more

Raspberry Pi 4: Chronicling the Desktop Experience – Firefox Upgrade – Week 18

This is a weekly blog about the Raspberry Pi 4 (“RPI4”), the latest product in the popular Raspberry Pi range of computers. I’ve previously looked at web browsing on the RPI4 in Week 4 of my blog, recommending Chromium and Vivaldi on this tiny machine. Chromium offers the virtue of official Raspbian support on the RPI4 and it’s published under an open source license. On the other hand, Vivaldi is no-charge proprietary software. Both web browsers earned my recommendation. At the time, I was unable to recommend Firefox because the Raspbian repositories hosted a prehistoric version; version 60.9.0 ESR to be specific. Running a version of a web browser that’s 2 years behind the latest version is totally unacceptable, even from a security standpoint alone. Read more

Zorin OS For Windows Users

Dear former Microsoft users, after Windows 7 (W7) officially discontinued early this year, how about looking at alternative operating system called Zorin OS? Zorin is computer operating system for everybody that is user-friendly and familiar. You can get Zorin gratis and free, you and your family can use without learning much, prepare to live peacefully without virus & antivirus, and you will be happy you can revive old computers with it. This article gives you sights on Zorin from perspective of a W7 user and see if you find it interesting. Enjoy Zorin! Read more