Google is focusing on strengthening the security of Android’s cellular baseband using Clang sanitizers, specifically the Integer Overflow Sanitizer (IntSan) and BoundsSanitizer (BoundSan). These sanitizers are part of the UndefinedBehaviorSanitizer (UBSan), designed to identify various types of undefined behavior during program execution. Google’s security experts recommend enabling these sanitizers in existing C/C++ code bases to mitigate unknown vulnerabilities. While both BoundSan and IntSan come with a notable performance overhead, Google has strategically enabled them in security-critical areas, such as functions parsing messages delivered over the air in 2G, 3G, 4G, and 5G, libraries encoding/decoding complex formats, IMS, TCP/IP stacks, and messaging functions.
The move to implement these sanitizers is part of Google’s broader effort to increase firmware security interacting with Android, making it challenging for threat actors to achieve remote code execution within the Wi-Fi SoC or the cellular baseband. The sanitizers play a crucial role in detecting arithmetic overflows and performing bounds checks around array accesses. Google acknowledges that despite the tangible benefits of deploying sanitizers, they do not address other vulnerability classes related to memory safety, suggesting the transition of the codebase to a memory-safe language like Rust. Earlier in October 2023, Google announced rewriting the Android Virtualization Framework’s protected VM firmware in Rust to establish a memory-safe foundation.
The researchers note that as high-level operating systems become more challenging for attackers to exploit, lower-level components like the baseband may attract more attention. By utilizing modern toolchains and deploying exploit mitigation technologies, Google aims to raise the bar for potential attacks on the baseband, contributing to overall Android security.
