Device implementations MUST ensure compliance with security features in both the kernel and platform as described below.
The Android Sandbox includes features that use the Security-Enhanced Linux (SELinux) mandatory access control (MAC) system, seccomp sandboxing, and other security features in the Linux kernel. Device implementations:
Kernel integrity and self-protection features are integral to Android security. Device implementations:
[C-0-7] MUST implement kernel stack buffer overflow protection mechanisms. Examples of such mechanisms are CC_STACKPROTECTOR_REGULAR
and CONFIG_CC_STACKPROTECTOR_STRONG
.
[C-0-8] MUST implement strict kernel memory protections where executable code is read-only, read-only data is non-executable and non-writable, and writable data is non-executable (e.g. CONFIG_DEBUG_RODATA
or CONFIG_STRICT_KERNEL_RWX
).
[C-0-9] MUST implement static and dynamic object size bounds checking of copies between user-space and kernel-space (e.g. CONFIG_HARDENED_USERCOPY
) on devices originally shipping with API level 28 or higher.
[C-0-10] MUST NOT execute user-space memory when executing in the kernel mode (e.g. hardware PXN, or emulated via CONFIG_CPU_SW_DOMAIN_PAN
or CONFIG_ARM64_SW_TTBR0_PAN
) on devices originally shipping with API level 28 or higher.
[C-0-11] MUST NOT read or write user-space memory in the kernel outside of normal usercopy access APIs (e.g. hardware PAN, or emulated via CONFIG_CPU_SW_DOMAIN_PAN
or CONFIG_ARM64_SW_TTBR0_PAN
) on devices originally shipping with API level 28 or higher.
[C-0-12] MUST implement kernel page table isolation if the hardware is vulnerable to CVE-2017-5754 on all devices originally shipping with API level 28 or higher (e.g. CONFIG_PAGE_TABLE_ISOLATION
or CONFIG_UNMAP_KERNEL_AT_EL0
).
[C-0-13] MUST implement branch prediction hardening if the hardware is vulnerable to CVE-2017-5715 on all devices originally shipping with API level 28 or higher (e.g. CONFIG_HARDEN_BRANCH_PREDICTOR
).
[SR] STRONGLY RECOMMENDED to keep kernel data which is written only during initialization marked read-only after initialization (e.g. __ro_after_init
).
[C-SR] Are STRONGLY RECOMMENDED to randomize the layout of the kernel code and memory, and to avoid exposures that would compromise the randomization (e.g. CONFIG_RANDOMIZE_BASE
with bootloader entropy via the /chosen/kaslr-seed Device Tree node
or EFI_RNG_PROTOCOL
).
[C-SR] Are STRONGLY RECOMMENDED to enable control flow integrity (CFI) in the kernel to provide additional protection against code-reuse attacks (e.g. CONFIG_CFI_CLANG
and CONFIG_SHADOW_CALL_STACK
).
[C-SR] Are STRONGLY RECOMMENDED not to disable Control-Flow Integrity (CFI), Shadow Call Stack (SCS) or Integer Overflow Sanitization (IntSan) on components that have it enabled.
[C-SR] Are STRONGLY RECOMMENDED to enable CFI, SCS, and IntSan for any additional security-sensitive userspace components as explained in CFI and IntSan.
[C-SR] Are STRONGLY RECOMMENDED to enable stack initialization in the kernel to prevent uses of uninitialized local variables (CONFIG_INIT_STACK_ALL
or CONFIG_INIT_STACK_ALL_ZERO
). Also, device implementations SHOULD NOT assume the value used by the compiler to initialize the locals.
[C-SR] Are STRONGLY RECOMMENDED to enable heap initialization in the kernel to prevent uses of uninitialized heap allocations (CONFIG_INIT_ON_ALLOC_DEFAULT_ON
) and they SHOULD NOT assume the value used by the kernel to initialize those allocations.
If device implementations use a Linux kernel, they:
If device implementations use kernel other than Linux, they:
Android contains multiple defense-in-depth features that are integral to device security.