Docs: Update Android severity ratings
Bug: 27899153
Change-Id: If286fd571eaf0a9ed221f24724248dd238158624
diff --git a/src/security/overview/updates-resources.jd b/src/security/overview/updates-resources.jd
index 686ddf5..ebccb94 100644
--- a/src/security/overview/updates-resources.jd
+++ b/src/security/overview/updates-resources.jd
@@ -59,13 +59,53 @@
how the issue is prioritized, and the component determines who fixes the bug,
who is notified, and how the fix gets deployed to users.</p>
+<h3 id=process_types>Process types</h3>
+<p>This table covers the definitions of process types. The process type can be
+defined by the type of application or process or the area in which it runs.
+This table is ordered from least to most privileged.</p>
+<table>
+ <tr>
+ <th>Process type</th>
+ <th>Type definition</th>
+ </tr>
+ <tr>
+ <td>Constrained process</td>
+ <td>A process that runs in a highly limited SELinux domain.<br />
+ OR<br />
+ A process that is significantly more limited than a normal application.</td>
+ </tr>
+ <tr>
+ <td>Unprivileged process</td>
+ <td>A third-party application or process.<br />
+ OR<br />
+ An application or process that runs in the SELinux <code>untrusted_app</code> domain.</td>
+ </tr>
+ <tr>
+ <td>Privileged process</td>
+ <td>An application or process with capabilities that are restricted by SELinux
+ <code>untrusted_app</code> domain.<br />
+ OR<br />
+ An application or process with important privileges that a third-party
+ application cannot obtain.</td>
+ </tr>
+ <tr>
+ <td>Kernel</td>
+ <td>Functionality that is either part of the kernel or runs in the same CPU context
+ as the kernel (like device drivers).</td>
+ </tr>
+ <tr>
+ <td>Trusted Execution Environment (TEE)</td>
+ <td> A component that is designed to be protected from even a hostile kernel.</td>
+ </tr>
+</table>
+
+
<h3 id=severity>Severity</h3>
+
<p>The severity of a bug generally reflects the potential harm that could occur if
a bug was successfully exploited. Use the following criteria to determine the
severity:</p>
-<p class="table-caption" id="severity-criteria">
- <strong>Table 1.</strong> Severity ratings and associated consequences</p>
<table>
<tr>
<th>Rating</th>
@@ -74,68 +114,70 @@
<tr>
<td><strong>Critical</strong></td>
<td>
-<ul>
-<li>Remote privileged code execution (execution at a privilege level that
-third-party apps cannot obtain)
-<li>Local permanent device compromise (device cannot be repaired without
-re-flashing the entire operating system, such as a verified boot or Trusted
-Execution Environment/TEE compromise)
-<li>Remote permanent denial of service (inoperability, either completely permanent
-or requiring re-flashing the device)
-</ul>
-</td>
+ <ul>
+ <li> Remote arbitrary code execution in a privileged process
+ <li> Permanent device compromise (device cannot be repaired without re-flashing the
+ entire operating system)
+ <li> Unauthorized access to data secured by the TEE
+ <li> Remote permanent denial of service (device inoperability: completely permanent
+ or requiring re-flashing the entire operating system)
+ </ul>
+ </td>
</tr>
<tr>
- <td><strong>High</strong></td>
- <td>
-<ul>
-<li>Remote unprivileged code execution (execution at a privilege level that
-third-party apps can obtain through installation)
-<li>Local access to system/signature-level permission data or capabilities without
-permission
-<li>Local permanent denial-of-service (inoperability, either completely permanent
-or requiring re-flashing the device)
-<li>Remote temporary denial-of-service (remote hang or reboot)
-</ul>
-</td>
+ <td><strong>High</strong></td>
+ <td>
+ <ul>
+ <li> Remote arbitrary code execution in an unprivileged process
+ <li> Remote access to protected data (data normally accessible only to locally
+ installed apps that request permission, or that is limited to a privileged
+ process)
+ <li> Remote bypass of user interaction requirements (access to functionality that
+ would normally require either user initiation or user permission)
+ <li> Local arbitrary code execution in a privileged process
+ <li> Local permanent denial of service (device inoperability: completely permanent
+ or requiring re-flashing the entire operating system)
+ <li> A general bypass for a kernel level defense in depth or exploit mitigation
+ technology
+ <li> Remote temporary device denial of service (remote hang or reboot)
+ <li> Local bypass of user interaction requirements for any developer or security
+ settings modifications
+ <li> A general bypass for operating system protections that isolate application data
+ from other applications
+ <li> Lockscreen bypass
+ </ul>
+ </td>
</tr>
<tr>
- <td><strong>Moderate</strong></td>
- <td>
-<ul>
-<li>Access to "<a
-href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a>"
-level permission data or capabilities without permission with an app installed
-on the device
-<li>Local temporary denial-of-service (can be resolved only through a factory
-reset)
-</ul>
-</td>
+ <td><strong>Moderate</strong></td>
+ <td>
+ <ul>
+ <li> Remote arbitrary code execution in a constrained process
+ <li> Local bypass of user interaction requirements (access to functionality that
+ would normally require either user initiation or user permission)
+ <li> Local temporary denial of service (device requires a factory reset)
+ <li> A general bypass for a user level defense in depth or exploit mitigation
+ technology in a privileged process
+ <li> Remote access to unprotected data (data normally accessible to any locally
+ installed app)
+ <li> Bypass of Device Protection/ Factory Reset Protection
+ </ul>
+ </td>
</tr>
<tr>
- <td><strong>Low</strong></td>
- <td>
-<ul>
-<li>Access to "<a
-href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">normal</a>"
-level permission capabilities without permission with an app installed on the
-device
-<li>Local temporary denial-of-service (can be resolved by booting the device into
-Safe Mode and removing the problem application)
-</ul>
-</td>
+ <td><strong>Low</strong></td>
+ <td>
+ <ul>
+ <li> A general bypass for a user level defense in depth or exploit mitigation
+ technology in an unprivileged process
+ <li> Local temporary denial of service (can be resolved by booting the device into
+ Safe Mode and removing the problematic application, or by a factory reset if
+ the device does not support Safe Mode)
+ </ul>
+ </td>
</tr>
</table>
-<p>Though there are many types of software bugs outside of the security
-vulnerabilities detailed above, bugs reported are evaluated on a
-case-by-base basis to determine what security impact they have.</p>
-
-<p>The Android security team may also adjust the severity of a vulnerability if it
-is determined the risk to users is higher or lower than the guidelines suggest.
-For example, if a certain piece of data is available only to apps with "system"
-level access but the data itself is not sensitive, the Android security
-team may consider it only a low-severity vulnerability.</p>
<h4 id=local_vs_remote>Local vs. remote</h4>
@@ -155,30 +197,24 @@
requires plugging in a USB cable. The Android security team also considers
NFC-based attacks as local.</p>
-<h4 id=high_privilege_levels>Severity of vulnerabilities that affect high privilege levels</h4>
+<h3 id=rating_modifiers>Rating modifiers</h3>
+<p>While the severity of security vulnerabilities is often easy to identify,
+ratings may change based on circumstances. </p>
+<table>
+ <tr>
+ <th>Reason</th>
+ <th>Effect</th>
+ </tr>
+ <tr>
+ <td>Requires running as a privileged process to execute the attack</td>
+ <td>-1 Severity</td>
+ </tr>
+ <tr>
+ <td>Vulnerability-specific details limit the impact of the issue </td>
+ <td>-1 Severity</td>
+ </tr>
+</table>
-<p>The Android security team will usually drop the severity rating for a bug that
-already requires executing code at a high privilege level. For example, a bug
-in a kernel driver accessible only from a privileged service that
-requires first compromising the service. In this case, the Android security
-team may drop the severity from "high" to "moderate."</p>
-
-<h4 id=severity_of_kernel_compromises>Severity of kernel compromises</h4>
-
-<p>Whether a vulnerability that compromises the kernel is considered "high" or
-"critical" depends on the device and the version of Android. On devices with a
-TEE (or TrustZone) and <a
-href="{@docRoot}security/verifiedboot/index.html">verified
-boot</a>, a kernel compromise is considered "high" because exploiting it won't
-allow permanently affecting the operation of the device unless a vulnerability is
-discovered in the TEE or verified boot implementation. In general, if the
-result of a compromise can be remediated with a factory reset, it's "high" or
-lower.</p>
-
-<p>However, on older devices without verified boot, a kernel compromise can result
-in permanent device compromise if SELinux is disabled and the system partition
-is modified. On that device, a kernel compromise is considered "critical"
-because remediation requires re-flashing the device's firmware image.</p>
<h3 id=affected_component>Affected component</h3>
