Android 1.5-7.0（持续更新）安全机制一览

Android 1.5

• ProPolice to prevent stack buffer overruns (-fstack-protector)，在缓冲区buffer与返回地址之间加入Canary（Windows上也叫cookies）
• safe_iop to reduce integer overflows（safe_iop 是思科的安全API库，保证算术运算不会溢出）
• Extensions to OpenBSD dlmalloc to prevent double free() vulnerabilities and to prevent chunk consolidation attacks. Chunk consolidation attacks are a common way to exploit heap corruption.（引入OpenBSD 的堆溢出保护，chunk consolidation attacks是使用已经释放的内存）
• OpenBSD calloc to prevent integer overflows during memory allocation（引入OpenBSD 的calloc，缓解内存分配时的整数溢出，导致分配空间与期望不一致）

总结：堆栈溢出利用缓解，整数溢出缓解（需使用API）

Android 2.3

• Format string vulnerability protections (-Wformat-security -Werror=format-security)（格式化串漏洞保护）
• Hardware-based No eXecute (NX) to prevent code execution on the stack and heap（堆栈不可执行）
• Linux mmap_min_addr to mitigate null pointer dereference privilege escalation (further enhanced in Android 4.1) （限制mmap映射的最低地址，空指针引用时不会造成代码执行）

总结：格式化串漏洞利用缓解，NX，空指针保护

Android 4.0

• Address Space Layout Randomization (ASLR) to randomize key locations in memory（地址空间布局随机化）

总结：ASLR

Android 4.1

• PIE (Position Independent Executable) support（程序加载地址随机化）
• Read-only relocations / immediate binding (-Wl,-z,relro -Wl,-z,now)（relocations 只读）
• dmesg_restrict enabled (avoid leaking kernel addresses) （dmesg日志中不打印敏感内核指针）
• kptr_restrict enabled (avoid leaking kernel addresses)（/proc/kallsyms中不显示符号地址）

总结：增强ASLR（PIE），GOT只读（去掉延迟绑定机制，so加载时间增加），内核地址保护（dmesg_restrict,kptr_restrict，一般漏洞利用，都需要一些内核符号地址）

Android 4.2

• Application verification - Users can choose to enable “Verify Apps" and have applications screened by an application verifier, prior to installation. App verification can alert the user if they try to install an app that might be harmful; if an application is especially bad, it can block installation.

• More control of premium SMS - Android will provide a notification if an application attempts to send SMS to a short code that uses premium services which might cause additional charges. The user can choose whether to allow the application to send the message or block it.

• Always-on VPN - VPN can be configured so that applications will not have access to the network until a VPN connection is established. This prevents applications from sending data across other networks.

• Certificate Pinning - The Android core libraries now support certificate pinning. Pinned domains will receive a certificate validation failure if the certificate does not chain to a set of expected certificates. This protects against possible compromise of Certificate Authorities.

• Improved display of Android permissions - Permissions have been organized into groups that are more easily understood by users. During review of the permissions, the user can click on the permission to see more detailed information about the permission.

• installd hardening - The installd daemon does not run as the root user, reducing potential attack surface for root privilege escalation.（installd进程运行权限改为非root，减小root提权攻击面）

• init script hardening - init scripts now apply O_NOFOLLOW semantics to prevent symlink related attacks.（启动脚本加固，防符号链接攻击）

• FORTIFY_SOURCE - Android now implements FORTIFY_SOURCE. This is used by system libraries and applications to prevent memory corruption.（FORTIFY_SOURCE 在***编译和运行***时检查程序溢出。

其检查到溢出时，提示错误：

*** buffer overflow detected ***: ./foobar terminated
======= Backtrace: =========
/lib64/libc.so.6[0x382d875cff]
/lib64/libc.so.6(__fortify_fail+0x37)[0x382d906b17]
...

目前可以保护的函数有：

memcpy, mempcpy, memmove, memset, strcpy, stpcpy, strncpy, strcat,
strncat, sprintf, vsprintf, snprintf, vsnprintf, gets.

）

• ContentProvider default configuration - Applications which target API level 17 will have “export” set to “false” by default for each Content Provider, reducing default attack surface for applications.

• Cryptography - Modified the default implementations of SecureRandom and Cipher.RSA to use OpenSSL. Added SSL Socket support for TLSv1.1 and TLSv1.2 using OpenSSL 1.0.1

• Security Fixes - Upgraded open source libraries with security fixes include WebKit, libpng, OpenSSL, and LibXML. Android 4.2 also includes fixes for Android-specific vulnerabilities. Information about these vulnerabilities has been provided to Open Handset Alliance members and fixes are available in Android Open Source Project. To improve security, some devices with earlier versions of Android may also include these fixes.

总结：引入FORTIFY_SOURCE，开始关注缩小攻击面

Android 4.3

• Android sandbox reinforced with SELinux. This release strengthens the Android sandbox using the SELinux mandatory access control system (MAC) in the Linux kernel. SELinux reinforcement is invisible to users and developers, and adds robustness to the existing Android security model while maintaining compatibility with existing applications. To ensure continued compatibility this release allows the use of SELinux in a permissive mode. This mode logs any policy violations, but will not break applications or affect system behavior.（!! 引入SELinux）

• No setuid/setgid programs. Added support for filesystem capabilities to Android system files and removed all setuid/setguid programs. This reduces root attack surface and the likelihood of potential security vulnerabilities.（移除所有setuid/setguid程序）

• ADB Authentication. Since Android 4.2.2, connections to ADB are authenticated with an RSA keypair. This prevents unauthorized use of ADB where the attacker has physical access to a device.

• Restrict Setuid from Android Apps. The /system partition is now mounted nosuid for zygote-spawned processes, preventing Android applications from executing setuid programs. This reduces root attack surface and the likelihood of potential security vulnerabilities.（Apps中不能调用 setuid()函数，减小root提权攻击面）

• Capability bounding. Android zygote and ADB now use prctl(PR_CAPBSET_DROP) to drop unnecessary capabilities prior to executing applications. This prevents Android applications and applications launched from the shell from acquiring privileged capabilities.（减少zygote与ADB权限，减小攻击面）

• AndroidKeyStore Provider. Android now has a keystore provider that allows applications to create exclusive use keys. This provides applications with an API to create or store private keys that cannot be used by other applications.

• KeyChain isBoundKeyAlgorithm. Keychain API now provides a method (isBoundKeyType) that allows applications to confirm that system-wide keys are bound to a hardware root of trust for the device. This provides a place to create or store private keys that cannot be exported off the device, even in the event of a root compromise.

• NO_NEW_PRIVS. Android zygote now uses prctl(PR_SET_NO_NEW_PRIVS) to block addition of new privileges prior to execution application code. This prevents Android applications from performing operations which can elevate privileges via execve. (This requires Linux kernel version 3.5 or greater).（减小zygote权限，Apps权限，减小root提权攻击面）

• FORTIFY_SOURCE enhancements. Enabled FORTIFY_SOURCE on Android x86 and MIPS and fortified strchr(), strrchr(), strlen(), and umask() calls. This can detect potential memory corruption vulnerabilities or unterminated string constants.（增强FORTIFY_SOURCE）

• Relocation protections. Enabled read only relocations (relro) for statically linked executables and removed all text relocations in Android code. This provides defense in depth against potential memory corruption vulnerabilities.（只读relro，移除所有text重定位）

• Improved EntropyMixer. EntropyMixer now writes entropy at shutdown / reboot, in addition to periodic mixing. This allows retention of all entropy generated while devices are powered on, and is especially useful for devices that are rebooted immediately after provisioning.

• Security Fixes. Android 4.3 also includes fixes for Android-specific vulnerabilities. Information about these vulnerabilities has been provided to Open Handset Alliance members and fixes are available in Android Open Source Project. To improve security, some devices with earlier versions of Android may also include these fixes.

总结：引入SELinux（但未强制开启），进一小减小攻击面

Android 4.4

• Android sandbox reinforced with SELinux. Android now uses SELinux in enforcing mode. SELinux is a mandatory access control (MAC) system in the Linux kernel used to augment the existing discretionary access control (DAC) based security model. This provides additional protection against potential security vulnerabilities.（强制SELinux）

• Per User VPN. On multi-user devices, VPNs are now applied per user. This can allow a user to route all network traffic through a VPN without affecting other users on the device.

• ECDSA Provider support in AndroidKeyStore. Android now has a keystore provider that allows use of ECDSA and DSA algorithms.

• Device Monitoring Warnings. Android provides users with a warning if any certificate has been added to the device certificate store that could allow monitoring of encrypted network traffic.

• FORTIFY_SOURCE. Android now supports FORTIFY_SOURCE level 2, and all code is compiled with these protections. FORTIFY_SOURCE has been enhanced to work with clang.（FORTIFY_SOURCE升级为level2，参考 https://access.redhat.com/blogs/766093/posts/1976213）

• Certificate Pinning. Android 4.4 detects and prevents the use of fraudulent Google certificates used in secure SSL/TLS communications.

• Security Fixes. Android 4.4 also includes fixes for Android-specific vulnerabilities. Information about these vulnerabilities has been provided to Open Handset Alliance members and fixes are available in Android Open Source Project. To improve security, some devices with earlier versions of Android may also include these fixes.

总结：强制SELinux

Android 5.0

• Encrypted by default. On devices that ship with L out-of-the-box, full disk encryption is enabled by default to improve protection of data on lost or stolen devices. Devices that update to L can be encrypted in Settings > Security.

• Improved full disk encryption. The user password is protected against brute-force attacks using scrypt and, where available, the key is bound to the hardware keystore to prevent off-device attacks. As always, the Android screen lock secret and the device encryption key are not sent off the device or exposed to any application.（全盘加密引入）

• Android sandbox reinforced with SELinux. Android now requires SELinux in enforcing mode for all domains. SELinux is a mandatory access control (MAC) system in the Linux kernel used to augment the existing discretionary access control (DAC) security model. This new layer provides additional protection against potential security vulnerabilities.（进一步扩大SELinux保护范围）

• Smart Lock. Android now includes trustlets that provide more flexibility for unlocking devices. For example, trustlets can allow devices to be unlocked automatically when close to another trusted device (via NFC, Bluetooth) or being used by someone with a trusted face.

• Multi user, restricted profile, and guest modes for phones & tablets. Android now provides for multiple users on phones and includes a guest mode that can be used to provide easy temporary access to your device without granting access to your data and apps.（多用户支持）

• Updates to WebView without OTA. WebView can now be updated independent of the framework and without a system OTA. This will allow for faster response to potential security issues in WebView.

• Updated cryptography for HTTPS and TLS/SSL. TLSv1.2 and TLSv1.1 is now enabled, Forward Secrecy is now preferred, AES-GCM is now enabled, and weak cipher suites (MD5, 3DES, and export cipher suites) are now disabled. See https://developer.android.com/reference/javax/net/ssl/SSLSocket.html for more details.

• non-PIE linker support removed. Android now requires all dynamically linked executables to support PIE (position-independent executables). This enhances Android’s address space layout randomization (ASLR) implementation.（增强随机化能力（之前只有动态库加载地址随机），可执行程序加载随机化，-fPIE）

• FORTIFY_SOURCE improvements. The following libc functions now implement FORTIFY_SOURCE protections: stpcpy(), stpncpy(), read(), recvfrom(), FD_CLR(), FD_SET(), and FD_ISSET(). This provides protection against memory-corruption vulnerabilities involving those functions.（扩大FORTIFY_SOURCE保护范围，新增被保护的函数）

• Security Fixes. Android 5.0 also includes fixes for Android-specific vulnerabilities. Information about these vulnerabilities has been provided to Open Handset Alliance members, and fixes are available in Android Open Source Project. To improve security, some devices with earlier versions of Android may also include these fixes.

总结：-fPIE

Android 6.0

• Runtime Permissions. Applications request permissions at runtime instead of being granted at App install time. Users can toggle permissions on and off for both M and pre-M applications.（运行时权限申请）

• Verified Boot. A set of cryptographic checks of system software are conducted prior to execution to ensure the phone is healthy from the bootloader all the way up to the operating system.（可信启动，保证内核完整性）

• Hardware-Isolated Security. New Hardware Abstraction Layer (HAL) used by Fingerprint API, Lockscreen, Device Encryption, and Client Certificates to protect keys against kernel compromise and/or local physical attacks

• Fingerprints. Devices can now be unlocked with just a touch. Developers can also take advantage of new APIs to use fingerprints to lock and unlock encryption keys.

• SD Card Adoption. Removable media can be adopted to a device and expand available storage for app local data, photos, videos, etc., but still be protected by block-level encryption.

• Clear Text Traffic. Developers can use a new StrictMode to make sure their application doesn’t use cleartext.

• System Hardening. Hardening of the system via policies enforced by SELinux. This offers better isolation between users, IOCTL filtering, reduce threat of exposed services, further tightening of SELinux domains, and extremely limited /proc access.（SELinux扩大范围）

• USB Access Control: Users must confirm to allow USB access to files, storage, or other functionality on the phone. Default is now charge only with access to storage requiring explicit approval from the user.

总结：可信启动（想着材料：KNOX，谷歌开发者博客）。6.0开始针对提权等的防护措施没有升级，针对缓冲区溢出，及其它内存破坏型漏洞提权，缓解技术已经相对完善，且攻击面变的很小。针对Android内核本身漏洞利用提权已经很难。

但仍有Vendor的驱动，代码质量较烂，且SELinux配置可能没那么高质量。

Android 7.0

• File-based encryption. Encrypting at the file level, instead of encrypting the entire storage area as a single unit, better isolates and protects individual users and profiles (such as personal and work) on a device.

• Direct Boot. Enabled by file-based encryption, Direct Boot allows certain apps such as alarm clock and accessibility features to run when device is powered on but not unlocked.

• Verified Boot. Verified Boot is now strictly enforced to prevent compromised devices from booting; it supports error correction to improve reliability against non-malicious data corruption.

• SELinux. Updated SELinux configuration and increased seccomp coverage further locks down the application sandbox and reduces attack surface.

• Library load-order randomization and improved ASLR. Increased randomness makes some code-reuse attacks less reliable.（ASLR增强）

• Kernel hardening. Added additional memory protection for newer kernels by marking portions of kernel memory as read-only, restricting kernel access to userspace addresses and further reducing the existing attack surface.（部分内核标记为只读，限制内核态 访问用户态地址，减小 攻击面）

• APK signature scheme v2. Introduced a whole-file signature scheme that improves verification speed and strengthens integrity guarantees.

• Trusted CA store. To make it easier for apps to control access to their secure network traffic, user-installed certificate authorities and those installed through Device Admin APIs are no longer trusted by default for apps targeting API Level 24+. Additionally, all new Android devices must ship with the same trusted CA store.

• Network Security Config. Configure network security and TLS through a declarative configuration file.

总结：内核实现了类似 PXN功能，通过标记某些内核地址只读，进一步提高root提权难度。

堆栈溢出，整数溢出漏洞 -》 格式化漏洞，NX，mmap_min_addr -》 ASLR -》 PIE，G
    OT只读，dmesg_restrict,kptr_restrict -》 FORTIFY_SOURCE -》 SELinux -》 PXN