Pixel 3 is the first smartphone to support Control-Flow Integrity in the Android kernel

Recently, Sami Tolvanen, a software engineer on the Android security team, wrote a post on the Android developer blog revealing that Pixel 3 is the first Android device to ship with LLVM's forward-edge Control-Flow Integrity (CFI) enabled in the kernel. This feature checks for a class of anomalous behaviour that indicates an attacker is trying to exploit a vulnerability in the program or interfere with its control flow. The Android development team has been working to harden the system kernel and is now adopting compiler-based security mitigations as a new way of dealing with code-reuse attacks.

CFI stands for “Control-Flow Integrity”: it blocks redirection of the execution flow and thereby blocks a class of malware attacks. As Tolvanen explains, an attacker who can overwrite a function pointer stored in memory can redirect execution to any part of the kernel code. CFI mitigates such attacks by adding extra checks that confirm the kernel’s control flow stays within its predetermined layout. “This doesn’t prevent an attacker from changing a function pointer if a bug provides write access to one, but it significantly restricts the valid call targets, which makes exploiting such a bug more difficult in practice.”
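To make the mechanism concrete, here is an added illustration in C (not code from Google's post or from the Android kernel) that models forward-edge CFI: a table of type-compatible targets stands in for the compiler-generated jump table, and an indirect call through a corrupted function pointer is rejected instead of followed. The handler functions, the table and the simulated pointer overwrite are all constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Handlers that share the signature an indirect call site expects. */
typedef int (*handler_t)(int);
static int handler_inc(int x) { return x + 1; }
static int handler_dbl(int x) { return x * 2; }

/* A function of a different type that a corrupted pointer could be aimed at
 * (constructed stand-in for "any part of the kernel code"). */
static int privileged_ran = 0;
static void privileged_op(void) { privileged_ran = 1; }

/* Constructed model of forward-edge CFI: the compiler emits, per function
 * type, a set of valid targets and checks each indirect call against it.
 * A plain array stands in for LLVM's per-type jump table here. */
static const handler_t valid_handlers[] = { handler_inc, handler_dbl };

/* Returns 1 if target is a legitimate handler_t, 0 otherwise. */
static int cfi_check(handler_t target) {
    for (size_t i = 0; i < sizeof valid_handlers / sizeof valid_handlers[0]; i++)
        if (valid_handlers[i] == target) return 1;
    return 0;
}

/* Indirect call guarded by the check; -1 models the kernel aborting on a
 * CFI failure instead of following the pointer. */
static int dispatch(handler_t fn, int arg) {
    if (!cfi_check(fn)) return -1;
    return fn(arg);
}

/* Legitimate path: the stored pointer still names a handler_t. */
static int demo_legit(void) {
    handler_t p = handler_dbl;
    return dispatch(p, 21);   /* 42 */
}

/* Corrupted path: a write bug has replaced the stored pointer with the
 * address of a function of the wrong type; CFI refuses the call. */
static int demo_hijacked(void) {
    handler_t p = handler_inc;
    void (*overwritten)(void) = privileged_op;
    memcpy(&p, &overwritten, sizeof p);   /* the simulated arbitrary write */
    return dispatch(p, 21);   /* -1, and privileged_op never runs */
}

int main(void) {
    return (demo_legit() == 42 && demo_hijacked() == -1) ? 0 : 1;
}
```

The real compiler check is inlined at every indirect call site rather than being a runtime table lookup, but the effect is the same: a pointer pointing outside the type-compatible target set fails the check before the call is made.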

Google has added support for LLVM’s CFI protection to the Android 4.9 and 4.14 kernels, so all manufacturers can now enable it on their own devices.

Via: Softpedia