Serious Security Bugs Found In Android Kernel
geek4 writes with this excerpt from eWeek Europe: "An analysis of Google Android Froyo's open source kernel has uncovered 88 critical flaws that could expose users' personal information. An analysis of the kernel used in Google's Android smartphone software has turned up 88 high-risk security flaws that could be used to expose users' personal information, security firm Coverity said in a report published on Tuesday. The results, published in the 2010 edition of the Coverity Scan Open Source Integrity Report, are based on an analysis of the Froyo kernel used in HTC's Droid Incredible handset. ... While Android implementations vary from device to device, Coverity said the same flaws were likely to exist in other handsets as well. Coverity uncovered a total of 359 bugs, about one-quarter of which were classified as high-risk."
88 critical flaws (Score:5, Funny)
88 Critical flaws on the wall... 88 critical flaws... You take one down, pass it around...
Re:88 critical flaws (Score:5, Funny)
You take one down, pass it around...
...89 critical flaws on the wall! ...shit, wait. My bad. These bugs are harder to fix than I thought they would be.
Re: (Score:2)
If only bottles of beer worked that way. Maybe if I try and grab 255 at a time ...
Re: (Score:3, Interesting)
This article sure looks suspect coming from someone at a place with a name like PageOnePR?
Going to their site it is clear the business is about promoting branding on social web sites.
This isn't a group of coders working on improving quality. It's about PR and headlines.
It's obviously not Android or open source that they're promoting.
My money is on MS-funded FUD just as the MS phone is about to ship...
Re:88 critical flaws (Score:5, Insightful)
Number of new bugs we know about in Android: 88. Number of new bugs we know about in Windows for the phone? Note the process at work.
Re:88 critical flaws (Score:4, Insightful)
Well yes, they were found. How else would we be reading an article about them having been found if they hadn't been found?
Does it also cause sentences to duplicate? (Score:5, Funny)
An analysis of Google Android Froyo's open source kernel has uncovered 88 critical flaws that could expose users' personal information. An analysis of the kernel used in Google's Android smartphone software has turned up 88 high-risk security flaws that could be used to expose users' personal information
Does it also cause words in sentences to duplicate? Does it also cause sentences to duplicate? Also, was this submission done on an Android phone?
Re: (Score:2)
No, No... And well sort of, the submission was done using a series of Lite-Brites using the colours as different values in hexadecimal, taken from a picture with an Android phone - and then run through an image processor to turn those light values into hex. Then some open source hex to string converter for the submission - so while the duplicate sentences might have been one of the other 271 bugs they found in the Android phone, there's a lot of other places this bug might have taken place.
Android or Linux (Score:5, Interesting)
Apparently no word on whether these are flaws in the vanilla kernel which Google has inherited, or flaws in the code that Google wrote.
Re: (Score:2)
Or flaws in the code that HTC wrote...
score one for open source (Score:3, Insightful)
As for Windows Phone 7, what we don't know won't hurt us, right?
Re:score one for open source (Score:4, Funny)
What we don't use surely?
Re: (Score:2)
Doesn't it remain to be seen if these patched versions are actually pushed to handsets?
Re: (Score:2)
Ignorance is bliss... until it happens to you.
88 bugs... (Score:3, Funny)
...about 44 women?
Re: (Score:3)
Android is an open System, open to the whole wide world.
Windows is a bitter pill, security is a joke,
iOS is a controlling freak, locked down app to unfurl.
Linux lays the code right out, guarded by bearded blokes.
Re: (Score:2)
Linux lays the code right out, guarded by bearded blokes.
Not just any bearded blokes, but bearded blokes with swords. [xkcd.com]
Re: (Score:2)
Very nice "Nails" reference MrEricSir.
coverity's mindless drivel (Score:5, Interesting)
Those "critical" and "serious" labels are largely meaningless; Coverity allows you to configure classes of "problems" as being one of several different severities. It is what the sysadmin of Coverity wants it to be. If so desired, buffer overflow could be configured to the severity of "minor."
this is a Success for open-source! (Score:2, Insightful)
They are outed, and so get fixed even faster.
Good luck with the iOS/Wimpy7s bugs that are never announced/found due to this type of peer-review, and so there's no priority to fix them.
Re:this is a Success for open-source! (Score:5, Interesting)
They are outed, and so get fixed even faster.
Well, sort of. Even if they get fixed quickly by developers, the time it takes them to actually get fixes to consumer devices is huge. That deployment process relies on device manufacturers who often customize the OS a bit per-device and cell carriers who have to push out the updates. For them it's just an expense/loss of resources, so unless it's something really serious they don't even seem to put much effort into it.
Re: (Score:2)
This is an issue I have with this kind of consumer electronics that use open source software as the base. They have to be able to let me patch my own device. Maybe not everyone can do it, but personally I don't want to wait for my phone company to push an update to me (which might be never). It's the reason I won't buy an Android device unless I can get root and can flash my own roms. If I can't do that it might as well be closed, proprietary software.
Re: (Score:3, Interesting)
That's why manufacturers should be in control of updates and not carriers.
Manufacturers should be the ones to release updates (through a manufacturer-provided update system). Apple did it and it works GREAT (and Apple doesn't have to delay updates waiting for "carrier acceptance" or whatever BS the carriers want to do).
Then we won't have situations like the Telstra-branded HTC Desire where the manufacturer has released an update for the phone but the carrier is deliberately holding up the release of the update.
Re: (Score:2)
Whilst I do mostly agree...there's also a part of me that is trying to be realistic.
The great thing about open source is that everyone has the code so bugs are found quicker.
The not so great thing is trying to find someone to fix them.
Then there's another layer of pain with android because if the manufacturers and carriers take 6 months to release an update, do you really think they'll fix these flaws? Google really should've stuck to the Windows model, requiring a standard android base so that updates cou
Re: (Score:2)
[citation needed]
details? (Score:2, Insightful)
Re: (Score:2)
They studied froyo. RTFA already.
coverity is a great tool. (Score:5, Interesting)
we use it at .
Coverity is the commercial offshoot of the old Stanford Checker that found something like 2500 critical bugs in the Linux kernel back when it (the checker) was just a grad school project. The bugs got fixed very quickly and Linux was better for it.
That said, Coverity's definition of serious or critical is not necessarily what most developers would call critical (haven't read the bug list, but from personal experience.....)
in any case, this is a win. these bugs are now known, and google/community will fix them within days if they haven't already been fixed (I hope Coverity had the decency to inform google prior to their press release)
Re: (Score:2)
I must admit to not RTFA, but usually Coverity provides the results for free to free software projects. I haven't heard of them holding anyone for ransom like that before, so I'm a bit sceptical of your claim.
Re: (Score:3)
OTOH you seem to have had positive experiences with them, so perhaps they deserve the benefit (I also automatically cave to
coverity is a code review tool (Score:2)
Coverity is really a code review tool. From your code, it tries to construct a model that shows your code is correct (static analysis + type inference). If it can't, the code is flagged, and it should be reviewed by a human. The flagged code may or may not be a bug, only that Coverity couldn't prove its correctness. If anything, I would advocate that the code should be rewritten in order to pass Coverity check, in the same spirit that if another competent person doesn't understand your code, you should prob
Re:coverity is a code review tool (Score:4, Informative)
However, I've not seen any formal soundness proof of Coverity itself. As a result, Coverity may very well accept buggy programs as correct. This would certainly limit the tool's usefulness.
Oh, it definitely does. And in some sense it limits its utility, but it also is what lets it be as successful as it is.
Rice's theorem says that the ultimate goal -- determine whether a program is buggy -- is literally impossible to be guaranteed to do completely accurately. Because of this, there are three possibilities that you can take when making a tool that attempts to do that; you must pick at least one.
1. You can say a program is (or may be) buggy when it isn't.
2. You can say a program is free of bugs when it is actually buggy.
3. You can accept the possibility that your tool will run forever.
Each of these occurs in practice. A familiar example of #1 is the type system of a statically-typed language: if x has type int and y has type SomeClass, the type system will say that a program containing the expression x = y is not legal even if it is impossible for that statement to actually execute (and thus the actual failure type systems are designed to prevent can't actually happen). I'm actually having a hard time thinking of a tool that picks just #2, but I'm sure there are some out there. #3 is the hallmark of some techniques such as concolic execution and some recent work on program verification. (I'm involved in one of the last tools.)
But there are also a number of tools out there that admit the possibility of both false positives and false negatives: in other words both #1 and #2 can happen. The benefit you can get by doing that is that you can get an analysis that can find errors that are rather deeper than, say, your type system and yet it'll still scale to very large programs.
There's no one perfect analysis; there's a spectrum based on how much you value finding bugs, how much you value gaining assurance that a program is bug-free, how deep of bugs you want to find, and how large of a code base you have to run on. Saying that Coverity "limits its usefulness" based on the spot it chose in the design space is true, but slightly misleadingly so, because every program analysis limits its utility, just in different ways. IMO not having used it, Coverity found a spot which is quite useful.
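The two posts above describe a checker that flags what it cannot prove safe, and then lays out why such a tool must accept false positives (#1), false negatives (#2), or both. The block below is an added illustration, not code from the thread, from Coverity, or from the Android tree: a toy null-pointer checker over a hypothetical three-operation IR (one tracked pointer `p`, one input `flag`, forward branches only). Sample programs, instruction set and option names are all constructed for the demo. Run path-insensitively it merges the two predecessors of a join point into "maybe NULL" and reports a dereference that is in fact guarded by a correlated branch (a false positive); with the common "unknown callees return non-NULL" noise-reduction model it stays silent on a callee that can return NULL (a false negative). Flipping either option trades one kind of error for the other, which is the design-space point the post makes.

```c
#include <assert.h>
#include <stdio.h>

/* Abstract "nullness" of the one tracked pointer p. BOTTOM = unreachable. */
typedef enum { BOTTOM = 0, IS_NULL, NON_NULL, MAYBE_NULL } nullness;

static nullness join(nullness a, nullness b) {
    if (a == BOTTOM) return b;
    if (b == BOTTOM) return a;
    return a == b ? a : MAYBE_NULL;
}

/* Hypothetical toy IR (constructed for this example, not a real tool's). */
typedef enum {
    OP_SET_NULL,     /* p = NULL                              */
    OP_SET_ADDR,     /* p = &buf  (definitely non-NULL)       */
    OP_CALL_UNKNOWN, /* p = unmodelled_fn()  (may return NULL)*/
    OP_BRANCH,       /* if (flag == cond) goto target         */
    OP_DEREF,        /* *p = ...                              */
    OP_RETURN
} opcode;

typedef struct { opcode op; int cond; int target; } insn;

typedef struct {
    int path_sensitive;     /* analyse flag == 0 and flag == 1 separately */
    int optimistic_unknown; /* assume unmodelled calls never return NULL  */
} options;

#define MAX_INSNS 16

/* One abstract-interpretation pass. flag == -1 means "unknown": both edges
 * of every branch are followed and states are joined at merge points.
 * Sets flagged[i] = 1 for every DEREF reached with p not proven non-NULL. */
static void run(const insn *prog, int n, int flag, const options *o, int *flagged) {
    nullness in[MAX_INSNS + 1] = {BOTTOM};
    in[0] = MAYBE_NULL;                 /* p is uninitialised at entry */
    for (int i = 0; i < n; i++) {
        if (in[i] == BOTTOM) continue;  /* not reachable in this run */
        nullness out = in[i];
        int fallthrough = 1;
        switch (prog[i].op) {
        case OP_SET_NULL:     out = IS_NULL;  break;
        case OP_SET_ADDR:     out = NON_NULL; break;
        case OP_CALL_UNKNOWN: out = o->optimistic_unknown ? NON_NULL : MAYBE_NULL; break;
        case OP_DEREF:        if (in[i] != NON_NULL) flagged[i] = 1; break;
        case OP_RETURN:       fallthrough = 0; break;
        case OP_BRANCH:
            assert(prog[i].target > i && prog[i].target <= n); /* forward only */
            if (flag == -1 || flag == prog[i].cond)
                in[prog[i].target] = join(in[prog[i].target], out);
            fallthrough = (flag == -1 || flag != prog[i].cond);
            break;
        }
        if (fallthrough) in[i + 1] = join(in[i + 1], out);
    }
}

/* Number of distinct DEREF sites the checker reports. */
int analyze(const insn *prog, int n, options o) {
    int flagged[MAX_INSNS] = {0};
    if (o.path_sensitive) { run(prog, n, 0, &o, flagged); run(prog, n, 1, &o, flagged); }
    else                  { run(prog, n, -1, &o, flagged); }
    int count = 0;
    for (int i = 0; i < n; i++) count += flagged[i];
    return count;
}

/* Constructed sample 1: the deref at 4 is only reachable when flag != 0, and
 * every such path assigned p at 2. Safe, but a path-insensitive pass merges
 * the two predecessors of 3 into MAYBE_NULL and reports it (case #1). */
static const insn correlated[] = {
    {OP_SET_NULL, 0, 0},  /* 0: p = NULL              */
    {OP_BRANCH,   0, 3},  /* 1: if (flag == 0) goto 3 */
    {OP_SET_ADDR, 0, 0},  /* 2: p = &buf              */
    {OP_BRANCH,   0, 5},  /* 3: if (flag == 0) goto 5 */
    {OP_DEREF,    0, 0},  /* 4: *p = 1                */
    {OP_RETURN,   0, 0},  /* 5: return                */
};

/* Constructed sample 2: an unmodelled callee that can return NULL. The
 * optimistic model keeps noise down elsewhere but misses this (case #2). */
static const insn unknown_call[] = {
    {OP_CALL_UNKNOWN, 0, 0},  /* 0: p = lookup() */
    {OP_DEREF,        0, 0},  /* 1: *p           */
    {OP_RETURN,       0, 0},
};

int correlated_warnings(int path_sensitive) {
    options o = { path_sensitive, 1 };
    return analyze(correlated, 6, o);
}

int unknown_call_warnings(int optimistic_unknown) {
    options o = { 0, optimistic_unknown };
    return analyze(unknown_call, 3, o);
}

int main(void) {
    printf("correlated branch: path-insensitive=%d path-sensitive=%d\n",
           correlated_warnings(0), correlated_warnings(1));
    printf("unknown callee:    optimistic=%d conservative=%d\n",
           unknown_call_warnings(1), unknown_call_warnings(0));
    return 0;
}
```

The path-sensitive mode only works here because the toy has a single one-bit input to enumerate; on real code the number of paths explodes, which is why production checkers pick a point in the middle and why a report's "critical" count says little until each finding has been triaged by hand.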
Re: (Score:2)
in any case, this is a win. these bugs are now known, and google/community will fix them within days if they haven't already been fixed (I hope Coverity had the decency to inform google prior to their press release)
But don't the carriers have a history of taking their sweet time before pushing updates down to consumers? Or is that just for major releases... hopefully they are more prompt with security updates.
Re: (Score:2)
Personally, I'm using Gimpel PCLint.
It's a much more mature product than Coverity, and clearly less advertised!
High False Positive Rate (Score:5, Interesting)
Coverity uncovered a total of 359 bugs, about one-quarter of which were classified as high-risk.
Based on my experience using Coverity's tools, more than half are actually false positives and less than half of what's left are really as serious as rated.
ob. Futurama (Score:2)
http://www.youtube.com/watch?v=JYc05gZFly0 [youtube.com]
Fix it fix it fix it.
88 ways to root your phone... (Score:2)
88 problems? (Score:4, Funny)
If you're havin' 'droid problems I feel bad for you son,
I got 88 problems but a bug ain't one
Re: (Score:3, Funny)
If you're having girl problems I feel bad for you son,
I got 88 bugs but a bitch ain't one.
And the carriers are too slow to respond... (Score:2)
That really pisses me off to know that Google or whoever is driving the Android development didn't hire some security testers to find this critical stuff before it was released.
Fortunately, I believe the fixes will come out for me before the carriers get around to it. My Galaxy S is pretty good about being able to load new custom firmwares now. Feel bad for "regular" users who depend on updates from carriers.
Real Problem is Slow Carrier Updates (Score:5, Informative)
In truth, this is a strength, not a weakness of Android - this is the "many eyes" of open source in action. No doubt the important fixes among these will be addressed pretty quickly.
The problem, however, is with the carriers who keep insisting on pushing custom firmware on their devices. With many devices never receiving any updates at all they are wide open - how long until we have massive malware issues because of this?
What I hope is that this drives some consumer backlash which forces the carriers to stop the nonsense with customizing the core of android and instead just put their skins on the topmost UI layer. They should realize quick smart that they are not and should never be in the OS business and that updates need to come out within weeks of releases from Google, not years or never.
Most of these aren't really going to be an issue (Score:3, Interesting)
There's a function that helps avoid exploitation of the vulnerabilities in the API.
developer.android.com/reference/android/app/ActivityManager.html#isUserAMonkey%28%29
Just ensure that it's returning false and you should be safe.
expose users' personal information (Score:4, Insightful)
Exposes more than, say, a very simple app (game?) that requires Full Network Access, Fine Grained Location, and access to your System Settings?
The biggest threat to personal information leaking on an Android phone are overly permissive apps, and the people who install them.
Lets face facts... (Score:2)
In the world of O/S frameworks Android is pretty much still a toddler and it is trying to run like a 16 year old with a bright future in track, so please don't act surprised, bugs happen. Although I gotta say a "use-after-free" is pretty bush league.
Of course, the most important question is... (Score:2)
How did Apple manage to get these faults into the phone in the first place? They must have spies deeper than we originally thought!
For shame, to stoop to sabotage! Will Jobs stop at NOTHING?
If they found bugs, why not commit the fixes? (Score:2)
I'm trying to figure out why someone would analyze the source code to an open project, find defects, and NOT fix and commit the defects for code review. I mean, that's how the process is supposed to work. Unless this is just a publicity stunt.
Re:The most interesting thing about that article.. (Score:5, Informative)
Probably not many. Android has a rather large application framework running on top of Linux. The flaws are most likely in it, and most likely allow you to get access to data that you don't have permission to (permissions are implemented in the same code layer). When people talk about android, android isn't really an OS- it's more like Gnome or KDE with a basic permission system hacked on (and a totally Android only API).
Re: (Score:3, Interesting)
I must be missing the link to the study results. Oh, won't be out until next year, to allow for patching.
So, maybe something, maybe nothing.
There are better releases on Coverity's site, http://coverity.com/ [coverity.com]
Re: (Score:2)
I don't see how Android isn't an OS. Sure, it runs on top of the Linux kernel, but that's like saying Mac OS X isn't really an OS because it's just a window/desktop manager and accompanying API running on top of the XNU kernel (and theoretically, Apple could have forked their own Linux kernel and used that instead of XNU).
Re:The most interesting thing about that article.. (Score:5, Interesting)
Depends on your definition of OS. There's more than 1 definition, one of which translates to "the kernel" and another translates to "everything that comes with a computer", and a couple in between. When most technical people say OS, they mean the program that controls access to the hardware and provides system services- the kernel. By that definition Android is a framework on top of the OS. And in functionality it's far closer to a window manager than a kernel.
Re: (Score:2)
Who exactly are these "technical people" you speak of? I know of no technical person who refers to Mac OS X as XNU. I know of no technical person who refers to Windows 7 as whatever the Windows 7 kernel is called.
Re:The most interesting thing about that article.. (Score:4, Insightful)
A lot of people - myself included - refer to Darwin when talking about the OS, and Mac OS X when talking about all of the stuff that Apple bundles on the install CD (including Quartz, Cocoa, and so on).
Defining the OS as the kernel is problematic when you have microkernels, because the line between what is the kernel and what is userspace is blurred. With Symbian, for example, device drivers live in the kernel but they don't handle multiplexing between applications. When an application wants to access a hardware resource, it talks to a userspace server. Are these servers part of the OS?
The general working definition of an OS is the stuff that you need to boot the system and launch programs. With a UNIX-like system, this includes the init system (typically including a POSIX-compatible shell), and a set of libraries. Most importantly, it includes libc, because this is the public interface to the kernel's functionality. If you select a target when cross-compiling stuff for OS X, you select the Darwin target, not the OS X or XNU target (there isn't one), because the compiler needs to know things like the object format to use (Mach-O), the calling conventions (not defined by the kernel), and a few other things.
This is why people talk about GNU/Linux as a platform; because it's GNU libc, the GNU shell, and so on that their programs interact with. You can swap out the Linux kernel for something like a FreeBSD kernel much more easily than you can swap out the GNU stuff for BSD equivalents.
Some people use a slightly broader definition for UNIX-like systems, including everything needed for compliance with the Single UNIX Specification. Since this includes things like c99, c++, and vi, I think it's a little bit too broad, because the system can happily function without them.
Re: (Score:2)
A lot of people - myself included - refer to Darwin when talking about the OS, and Mac OS X when talking about all of the stuff that Apple bundles on the install CD (including Quartz, Cocoa, and so on).
There you're being inconsistent, and making arbitrary distinctions to support your bias.
The general working definition of an OS is the stuff that you need to boot the system and launch programs.
It is a struggle to see how the full OS X (or Windows) would not meet this definition.
You have, however, d
Re: (Score:3, Informative)
The general working definition of an OS is the stuff that you need to boot the system and launch programs.
It is a struggle to see how the full OS X (or Windows) would not meet this definition.
The full OS X includes a load of apps, such as iCal, Address Book, and a load of frameworks that are not needed to launch apps. It contains a load of stuff that is not required to boot the system. It is a superset of Darwin, just as Darwin is a superset of XNU (but XNU cannot boot on its own, while Darwin can). Any Darwin program will run on OS X, but not every OS X program will run on Darwin, because it may use some of the Apple frameworks or applications.
You have, however, demonstrated the one consistency I've seen with "technical people" when defining what an "OS" - they always go out of their way to ensure whatever set of rules they make up excludes any sort of "GUI" from being included
Not at all. The Quartz GUI is a separate pro
Re:The most interesting thing about that article.. (Score:4, Insightful)
Probably not many.
Well 88 were found in the kernel, which is a linux kernel. But who knows how many of those are in the actual linux kernel mainline.
Re: (Score:2)
From the article and summary my own conclusion is that this is somewhat of an astroturf for Coverity and more than likely lacks any solid foundation. Certainly there may be bugs, but many are probably of the "Meh" kind.
I totally agree, the fact that they are announcing 'we found all these security bugs but we aren't going to tell you about them until google has a chance to fix them' rather than just speaking directly to google about them stinks of astroturfing.
Re: (Score:3, Informative)
It isn't astroturfing. No one is pretending to be from the "community" or "grass roots" or anything. It's plain marketing.
Coverity provides free code checks to many free software projects, in exchange for being able to make press releases like this one. The mainline Linux kernel has been through it at least a few times, but Coverity seems a bit confused or unhappy about the fact that Linus won't discuss bugs in secret. Many other large free software projects have a group of people who are willing to sign ND
Re: (Score:3, Informative)
When people talk about android, android isn't really an OS- it's more like Gnome or KDE with a basic permission system hacked on (and a totally Android only API).
Not quite - Android also includes a set of kernel patches [lwn.net].
Re: (Score:2)
It will soon be time to upgrade. What do you think iPhone users will upgrade to? Apple just needs to stay slightly ahead of Android, Phone 7 and others, then throw in some "wow" factor in order to keep selling millions of smartphones.
Re: (Score:2)
It will soon be time to upgrade. What do you think iPhone users will upgrade to? Apple just needs to stay slightly ahead of Android, Phone 7 and others, then throw in some "wow" factor in order to keep selling millions of smartphones.
If they really go ahead, turn the Mac into a glorified iPod and turn OS X into a Java free zone I can tell you right now that I'll be upgrading to Ubuntu on my Mac. I'll have no choice since I do a lot of java development. I won't like switching very much but Linux is a damn sight better than Windows 7. Additionally, since Linux is an iTunes free zone I'll probably upgrade to an Android cell-phone.
Re: (Score:2, Informative)
The only reason Android is selling more phones in the US is because they are on more carriers. Which is about to change. Android will take a big hit when that happens just as happened in Europe.
Whoever the idiot is who thinks OS X uses Linux needs to get a clue. It's the Mach kernel, some BSD subsystems, Darwin, and a UI layer.
Re: (Score:2)
Since Android hit the market, there has been a lot of uninformed, suspicious Apple-bashing on Slashdot, often from anonymous posters.
Re: (Score:2)
XNU is the kernel. Darwin is the subsystem without the UI layer. It's almost akin to a Debian base installation.
Re: (Score:3, Informative)
Apple wants to sell lots of expensive smartphones
The device is only a means to get people to pay for applications...
Re: (Score:3, Funny)
Why not? This year's model is EVEN MORE SHINY!!!
Re: (Score:2)
Why not? They're selling lots and lots of iPods, why wouldn't they eventually include phone functionality with lower-end iPods?
Re: (Score:3, Informative)
Huh? Dalvik is a Java-like virtual machine. Android is the API, UI and user tools, running on top of Linux.
Re: (Score:2)
It "dominates" in the same way Windows dominates PCs...a fractured mess controlled by the carriers,
One can always buy SIM-free phones. You have to pay up front, but it's your phone.
with their own unremovable junkware, their own app stores, and their own differing hardware features.
Junkware is annoying, but I'd count differing hardware as a feature rather than a bug. It gives you choice.
Also, all "app stores" suck compared to a proper package manager.
Here's an article you won't see written about the iPhone:
Re: (Score:2)
Give it a chance, I am sure people over at xda-developers are trying to figure out how to run code on the things as we speak (or if not, will begin doing so once the right people get hold of WP7 phones).
Re: (Score:2)
Should have waited and purchased a Windows 7 phone...
I think you can pick up a Kin on eBay ... I don't think they're too worried about security issues.
Re:Bug bounties? (Score:4, Insightful)
How much are these worth in bug bounty money?
To Google or to exploit writers? I'm sure they're both offering bounties but I don't think they pay the same.
Re:Ok... (Score:5, Interesting)
Odd, I don't know why you're picking on me, but I assume "Android Kernel" is marketing-speak for "Linux", in which I've reported, found and fixed dozens of flaws over the years.
As you're so interested, here are some from the last month or two that you can take a look at.
CVE-2010-3080, A use-after-free in snd_seq_oss_open
CVE-2010-2960, A to-userspace dereference in keyctl_session_to_parent.
CVE-2010-2954, Kernel panic and to-userspace dereference in AF_IRDA sockets.
CVE-2010-3067, Various problems with aio (things like aio_submit())
The coverity results I've seen in the past are generally very low quality with a high density of chaff. I haven't seen the report they're talking about, but would be surprised if there were any noteworthy findings with any significant security impact. The only report I've seen them publish that had any convincing vulnerabilities was in 2006, where they found a verifiable privilege escalation in XFree86 (due to a pretty horrendous typo).
I'm a little saddened that you so readily associate me with Windows security, whereas I consider myself primarily a Linux security developer, but I guess I'm flattered that where I spend my time is so important to you.
(perhaps a little creepy, though).
Re: (Score:2)
his point was that just because coverity finds bugs doesn't mean the bugs are automatically critical and representing actual useful security flaws.
they _may_ be, but we'll need to wait for the full report to know...so this is just a 'hype' headline for now...you know...like we've seen every few days since android was first released.
Re:Ok... (Score:5, Interesting)
Odd question.
I don't know about three days, but certainly under a week, which is completely normal in free software. Proprietary vendors generally want between six months and two years, but free software vendors and projects very rarely ask for more than a week or two delay before publication.
In fact, Linus famously tells people not to tell him about any security issue you want kept secret for more than a week, as he will just go ahead and fix it.
Re: (Score:2)
No in this case it's just a study that's potentially flawed.
They used automated code checking software, the problem is that this might flag some block of code as an exploit which would normally be if it weren't properly trapped. The problem with automated software like this is that it can flag things up that are correctly handled because it's smart enough to spot an exploit, but not smart enough to deal with the various different ways of handling potential exploits. It's also worth noting that classificatio
Re:Is it just me? (Score:4, Interesting)
Android uses outdated kernels in every release. Those issues are like "Hey grab a bugfix list from the latest kernel and write a study in which you supposedly hunted down these bugs yourself".
It's like an unpatched Vista Service Pack Zero and then reporting about bugs that have already been fixed...
Re: (Score:3, Insightful)
Yeah, because iOS is so much more secure than Android. New phones are churning out every 6 months. If you want to be ahead that's the price you have to pay. A new iPhone is released every year. I don't really see what you are bitching about. If upgrading your firmware to the latest and shiniest is so damned important, buy a phone that isn't locked down, like a Galaxy S or Nexus One or HTC Desire or etc, etc, etc and install from the multitudes of ROMs floating out there. My "ancient" G1 is running Froyo rig
Re: (Score:2)
wait, so you assume google is the only folks with a flaw?
wow.
I'm not saying Google is infallible, but neither is, well, every company that exists. I don't even need to mention names on that.
Re: (Score:2)
I don't claim that.
But these BrotherPluckers start with a known Linux source code base, fork it, and introduce this number of exploits in ring-0?
They suck.
Re: (Score:3, Funny)
This is Google, you know: a privacy flaw exposed in the kernel of their device isn't a FLAW! It's a business-enabling FEATURE..
God damn Google for stealing Apple's business practices.
Re: (Score:3, Informative)
I mean after search, what have they delivered besides betas and hype? Collapsible threads in webmail?
Google Maps
Google Earth/Moon/Mars
Google Skymaps
Google Translate
Google Docs
Google Calendar
Google Desktop Search
Google Image Search
Google Code
Google Talk
Plus they run/own:
Blogger
Youtube
Picasa
Sketchup
But apart from that, nothing...
I'm not saying they're perfect but saying that they've done nothing but search is just plain wrong.