Google Using Clang Sanitizers to Protect Android Against Cellular Baseband Vulnerabilities
Google is highlighting the role played by Clang sanitizers in hardening the security of the cellular baseband in the Android operating system and preventing specific kinds of vulnerabilities.
This comprises Integer Overflow Sanitizer (IntSan) and BoundsSanitizer (BoundSan), both of which are part of UndefinedBehaviorSanitizer (UBSan), a tool designed to catch various kinds of undefined behavior during program execution.
“They are architecture agnostic, suitable for bare-metal deployment, and should be enabled in existing C/C++ code bases to mitigate unknown vulnerabilities,” Ivan Lozano and Roger Piqueras Jover said in a Tuesday post.
The development comes months after the tech giant said it’s working with ecosystem partners to increase the security of firmware that interacts with Android, thereby making it difficult for threat actors to achieve remote code execution within the Wi-Fi SoC or the cellular baseband.
IntSan and BoundSan are two of the compiler-based sanitizers that Google has enabled as an exploit mitigation measure to detect arithmetic overflows and perform bounds checks around array accesses, respectively.
Google acknowledged that while both BoundSan and IntSan incur a substantial performance overhead, it has enabled it in security-critical attack surfaces ahead of a full-fledged rollout over the entire codebase. This covers –
- Functions parsing messages delivered over the air in 2G, 3G, 4G, and 5G
- Libraries encoding/decoding complex formats (e.g., ASN.1, XML, DNS, etc.)
- IMS, TCP, and IP stacks, and
- Messaging functions (SMS, MMS)
“In the particular case of 2G, the best strategy is to disable the stack altogether by supporting Android’s ‘2G toggle,'” the researchers said. “However, 2G is still a necessary mobile access technology in certain parts of the world and some users might need to have this legacy protocol enabled.”
It’s worth noting that the “tangible” benefits arising out of deploying sanitizers notwithstanding, they do not address other classes of vulnerabilities, such as those related to memory safety, necessitating a transition of the codebase to a memory-safe language like Rust.
In early October 2023, Google announced that it had rewritten the Android Virtualization Framework’s (AVF) protected VM (pVM) firmware in Rust to provide a memory-safe foundation for the pVM root of trust.
“As the high-level operating system becomes a more difficult target for attackers to successfully exploit, we expect that lower level components such as the baseband will attract more attention,” the researchers concluded.
“By using modern toolchains and deploying exploit mitigation technologies, the bar for attacking the baseband can be raised as well.”