Android P Will Expand its Use of Compiler-Based Security Mitigations

| by Sergio De Simone Follow 17 Followers on Jul 02, 2018. Estimated reading time: 1 minute |

The upcoming Android P, which was recently released in beta, will use more compiler-based security mitigations, writes Google engineer Ivan Lozano, including control flow integrity and integer overflow sanitization.

The basic idea behind compiler-based mitigations, a set of features provided by the LLVM/Clang compiler, is instrumenting runtime operations at compile-time to catch operations that trigger undefined behavior and make them fail safely. LLVM/Clang supports a number of sanitizers, including divide by zero, nullability violations, negative array bounds, and control flow integrity.

Google started to use LLVM/Clang sanitizations back in the days of Android Nougat (which was then released as Android 7), and has been later adding control flow integrity checks in Android O (Oreo, Android 8.0). With Android P, writes Lozano, Google has significantly extended support of both sanitizers and control flow integrity across a number of components of the OS, including the media frameworks and other security-critical components such as Bluetooth, NFC, and the kernel.

Control flow integrity addresses code-reuse attacks, where an attacker leverages existing code, for example by finding short code sequences ending in a ret instruction and executing them in arbitrary order. This allows the attacker to take control of the stack without the need to inject any code, which greatly increases the complexity of detecting such attacks. To counter such kind of attacks, control flow integrity aims to confine a program’s control flow to a reduced call graph determined at compile time. If the program tries to branch to an unexpected call target, then it is aborted in a safe way. Control flow integrity has a cost, both at compile and run time, but Google testing on Android showed it is negligible, says Lozano.

As to sanitizers, Google has extended the use of the integer overflow sanitizers to a number of libraries, including libui, libnl, and others. Integer overflow is a common means for attackers to take control of a program and was at the heart of the Stagefright vulnerability that affected previous versions of Android. Google’s contribution here has been improving LLVM integer overflow sanitizers to reduce their overhead by over 75% in a number of cases.

If you own a Pixel phone, or another supported device, you can access Android P beta by enrolling in the Android P beta program.

Rate this Article

Adoption Stage

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread


Login to InfoQ to interact with what matters most to you.

Recover your password...


Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.


More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.


Stay up-to-date

Set up your notifications and don't miss out on content that matters to you