Google, ARM Join Hands In Fixing Android Bugs
Tech giant Google recently announced that it is boosting its fight against Android bugs. As part of this effort, Google confirmed that it is launching a partnership with mobile chipset maker ARM in order to tackle bugs in the Android platform.
Based on statistics, more than half of all discovered vulnerabilities in the Android platform have something to do with race conditions, buffer overflows, and use-after-free memory exploits. These vulnerabilities are usually traced back to a device's hardware. This is why Google is partnering with ARM to develop and implement a hardware-based bug detection tool. The two tech giants are designing these tools to detect these memory-safety vulnerabilities proactively.
This new technique is called the Memory Tagging Extension, or MTE. According to Google, this new technique aims to help mitigate hardware-based bugs through easy detection. The tech giant added that MTE would feature two execution modes.
First is the precise mode. Google described this as a mode that can provide a more detailed description and information about various memory violations that were detected within the system.
The second mode is the imprecise mode. This mode has far less CPU overhead. Because of its lower processor overhead, it is well suited to running in the background all of the time.
Google's mobile platform, Android, has a storied history of vulnerabilities that stem from memory hardware. This particular type of vulnerability targets memory access processes. Chief among these vulnerabilities are race conditions, buffer overflows, double-free flaws, use-after-free, heap exhaustion/corruption, null pointers, and page faults.
In a statement, Google's security team wrote, "Memory-safety bugs, common in C and C++, remain one of the largest vulnerabilities in the Android platform and although there have been previous hardening efforts, memory-safety bugs comprised more than half of the high priority bugs in Android 9."
What the security team refers to is the fact that C/C++ usually allows arbitrary pointer arithmetic. These languages use pointers that are implemented as direct memory addresses, without clear rules for bounds checking. This practice is considered unsafe for a device's hardware, as it opens up many vulnerabilities that malicious users can exploit.
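To make the tagging idea and the two modes described above concrete, here is a small software model in C, added as an example and not Google's or Arm's code. It assumes MTE's 16-byte granules and 4-bit tags; the names (`tptr`, `t_alloc`, `t_free`, `t_store`) and the way the two modes differ in what they report are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE 16                  /* Arm MTE tags memory in 16-byte granules */
#define NGRAN   32
enum mode { PRECISE, IMPRECISE };
typedef struct { size_t off, grans; uint8_t tag; } tptr;  /* model pointer + its tag */

static uint8_t heap[NGRAN * GRANULE], mem_tag[NGRAN];     /* tag 0 = unallocated */
static size_t next_gran; static uint8_t next_tag; static enum mode cur_mode;
static int  pending_fault;          /* imprecise: only "a check failed at some point" */
static long fault_off;              /* precise: heap offset of first bad access, else -1 */

static void t_reset(enum mode m) {
    memset(mem_tag, 0, sizeof mem_tag);
    next_gran = 0; next_tag = 1; cur_mode = m; pending_fault = 0; fault_off = -1;
}

static tptr t_alloc(size_t n) {     /* bump allocator; no exhaustion handling in this model */
    tptr p = { next_gran * GRANULE, (n + GRANULE - 1) / GRANULE, next_tag };
    for (size_t i = 0; i < p.grans; i++) mem_tag[next_gran + i] = p.tag;
    next_gran += p.grans;
    next_tag = (uint8_t)(next_tag % 15 + 1);   /* 4-bit tags 1..15; neighbours differ */
    return p;
}
static void t_free(tptr p) {        /* retag on free so stale pointers stop matching */
    for (size_t i = 0; i < p.grans; i++) mem_tag[p.off / GRANULE + i] = 0;
}

/* Checked store: 1 if written, 0 on tag mismatch (the model drops the write in both modes). */
static int t_store(tptr p, size_t idx, uint8_t v) {
    size_t a = p.off + idx;
    if (a < sizeof heap && mem_tag[a / GRANULE] == p.tag) { heap[a] = v; return 1; }
    pending_fault = 1;
    if (cur_mode == PRECISE && fault_off < 0) fault_off = (long)a;
    return 0;
}

int main(void) {
    t_reset(PRECISE);
    tptr a = t_alloc(20), b = t_alloc(16);   /* a: 2 granules, b: 1 granule */
    int slack = t_store(a, 25, 1);           /* past a's 20 bytes, same granule: missed */
    int over  = t_store(a, 32, 1);           /* next granule has b's tag: caught */
    t_free(b);
    int uaf = t_store(b, 0, 1);              /* stale pointer after free: caught */
    printf("slack=%d overflow=%d (offset %ld) uaf=%d\n", slack, over, fault_off, uaf);
    return 0;
}
```

The write to `a[25]` succeeds because the check is per 16-byte granule, so an overflow that stays inside the last granule of an allocation goes unnoticed in this model.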
Google said that it would roll out this new MTE protocol to its entire Android ecosystem, not just to some of its latest mobile operating systems. A trial run conducted last year by Google yielded close to 100 memory-safety bugs on its Android platform.