Hi Earlence, I think the approach has merit for certain cases. If, after an exploit is run, the device is "rooted" in the typical ways Android is currently rooted, then checking for the elevation could detect that something is wrong after the fact. I don't think this is the best way to do it, mind you, but it is a data point. We developed a kernel module in R&D which monitors and prevents various things; one of them is elevation through standard setuid. It then has the ability to take action to protect the device.
Of course it is possible to get around these types of checks with sophisticated or targeted attacks, but if the point is to create a more paranoid Android, which will fend off generic malware, people stealing or finding the phone and so on, then it all helps. Also, there are mitigations which can help defend against kernel exploitation, but currently they only address a small subset of vulnerability types; there is a long way to go. It is easy to say you should be finding and fixing all bugs, but should you not have the ability to find and fix all the 0-days first, including on phones that are no longer responding on the network, then having an extra layer of security could certainly help.

Cheers -- Thomas.

On Tue, Aug 16, 2011 at 6:15 AM, Chris Palmer <[email protected]> wrote:
> On Aug 15, 2011, at 7:27 PM, Earlence wrote:
>
> > Rodrigo: true. But this will be helpful in curbing malware. Even after
> > the device has been rooted, setuid HAS to be called to elevate.
> > Therefore, this should prevent that.
>
> No, this is not true. For example, if you exploit a bug in the kernel, your
> payload executes in the kernel with kernel privileges. (And it is utterly
> Game Over — no mitigation can help.)
>
> > Nathaniel: Race condition is true. However, the check is performed in
> > setuid, that means, the system server is invoked before the escalation
> > is complete, and hence, before the malware process becomes root.
>
> This does not make sense.
>
> Generally, don't expect to survive after an attacker has elevated to
> root/kernel. Instead, work on finding and fixing bugs.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To post to this group, send email to
> [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
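As an added illustration of the setuid-elevation check the thread debates (this is not Thomas's kernel module nor any code from the thread), here is a user-space model of such a policy in Python: the verdict is computed before the credential change is committed, which is the in-kernel answer to the race Nathaniel raised, and a comment records Chris's caveat that a kernel payload never needs to call setuid() at all. The uid constants follow Android's conventions; the policy rules and the sample events are assumptions.

```python
# Added example, not the R&D module's code: a user-space model of a setuid-elevation
# monitor. Uid constants follow Android conventions; the rules below are assumptions.
# Caveat from the thread: a kernel-level payload that rewrites credentials directly
# never calls setuid(), so a hook at this point does not see it.
from dataclasses import dataclass

AID_ROOT = 0
AID_SHELL = 2000
AID_APP_START = 10000   # first uid assigned to installed apps

@dataclass(frozen=True)
class SetuidEvent:
    pid: int
    comm: str        # process name
    caller_uid: int  # uid the process holds when it calls setuid()
    target_uid: int  # uid it asks for

def check_setuid(ev: SetuidEvent):
    """Decide before the kernel commits new credentials, so the verdict is
    reached while the caller still runs at caller_uid (no post-elevation race).
    Returns (allow, reason)."""
    if ev.caller_uid == ev.target_uid:
        return True, "no change"
    if ev.caller_uid == AID_ROOT:
        # root dropping to a lower uid: zygote forking apps, daemons shedding privilege
        return True, "privilege drop from root"
    if ev.target_uid == AID_ROOT:
        # an unprivileged caller asking for root is the classic post-exploit elevation
        return False, "uid %d -> root" % ev.caller_uid
    if ev.caller_uid >= AID_APP_START:
        # app sandboxes never legitimately change uid
        return False, "app uid %d -> %d" % (ev.caller_uid, ev.target_uid)
    return True, "system uid change"

def audit(events):
    """Return the events the monitor would block, with the reason for each."""
    blocked = []
    for ev in events:
        allow, reason = check_setuid(ev)
        if not allow:
            blocked.append((ev.pid, ev.comm, reason))
    return blocked

# Constructed sample: a normal app launch, a rooted app elevating, a shell process elevating.
SAMPLE_EVENTS = [
    SetuidEvent(101, "zygote", AID_ROOT, 10045),
    SetuidEvent(233, "com.example.app", 10045, AID_ROOT),
    SetuidEvent(310, "sh", AID_SHELL, AID_ROOT),
]
```

Running `audit(SAMPLE_EVENTS)` flags the two elevations to root and passes the zygote privilege drop.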
