Android Jelly Bean Much Harder To Hack 184
A reader tips this quote from an article at Ars:
"The latest release of Google's Android mobile operating system has finally been properly fortified with an industry-standard defense. It's designed to protect end users against hack attacks that install malware on handsets. In an analysis published Monday, security researcher Jon Oberheide said Android version 4.1, aka Jelly Bean, is the first version of the Google-developed OS to properly implement a protection known as address space layout randomization. ASLR, as it's more often referred to, randomizes the memory locations for the library, stack, heap, and most other OS data structures. As a result, hackers who exploit memory corruption bugs that inevitably crop up in complex pieces of code are unable to know in advance where their malicious payloads will be loaded. When combined with a separate defense known as data execution prevention, ASLR can effectively neutralize such attacks."
Re:How stupid they think hackers are? (Score:2, Insightful)
Randomization doesn't make the attack impossible; It simply reduces the number of times it works to some fraction of the original. It's like using a salt on a crypto function: It increases the number of times the attack needs to be performed before it'll work. Although the locations in memory are random, there have to be API calls and such to pull those locations. If your bootstrap code calls those APIs... eventually it'll hit the right offset and your code will run in its entirety, you'll get the locations you need, and the payload can be delivered.
This is security through obscurity; It is not going to stop the attack, it'll just mean they need to do it N times before it's more likely than not to complete.
When you're writing malware, you don't have to get 100% of your target... 5% is valuable too. Or even 1%.
Re:unix permissions? (Score:4, Insightful)
It is a PHONE. Not a fucking workstation.
yes it is a phone but why take out functionality that is already built in.
Every process on Android is run under a different user respecting the permission system built into the Linux kernel.
yes and they have every permission they want not the permissions i want them to have.
Trying to turn your phone into a desktop is pointless.
its not pointless. i want a secure device. and apps that can't steal my data.
Just use the desktop when you need to go that far with it
do you have a desktop you can fit in you pants pocket with a capacitive touch screen, 3g blue tooth and wifi connections, a battery life measured in days and telephony stack?
And if you really want to use your phone, install Linux in a chroot and go to town with sudo.
android already has linux on it its just broken
Re:ASLR is a good thing but... (Score:5, Insightful)
What's going on here? (Score:5, Insightful)
I'm reading through this thread, and the standard response made by anyone who disagrees with a post is to either call them a moron, idiot, motherfucker, or to insinuate they are gay.
How about this? If you guys think that a post is inaccurate or simplistic - consider responding and explaining why the post is wrong. If you can't do that, then maybe your level of understanding on this topic is lower than you think it is.
I mean, come on. I realize this is Slashdot, and there are always a few people like that hanging around - but this story seems to be attracting an inordinate number of guys that have nothing to offer but anger and venom.