Google On-line Safety Weblog: Google & Arm

Google On-line Safety Weblog: Google & Arm
Google On-line Safety Weblog: Google & Arm


Who cares about GPUs?

You, me, and the whole ecosystem! GPUs (graphics processing items) are important in delivering wealthy visible experiences on cell gadgets. Nevertheless, the GPU software program and firmware stack has change into a means for attackers to realize permissions and entitlements (privilege escalation) to Android-based gadgets. There are many points on this class that may have an effect on all main GPU manufacturers, for instance, CVE-2023-4295, CVE-2023-21106, CVE-2021-0884, and extra. Most exploitable GPU vulnerabilities are within the implementation of the GPU kernel mode modules. These modules are items of code that load/unload throughout runtime, extending performance with out the necessity to reboot the system.

Proactive testing is sweet hygiene as it might result in the detection and backbone of recent vulnerabilities earlier than they’re exploited. It’s additionally one of the vital advanced investigations to do as you don’t essentially know the place the vulnerability will seem (that’s the purpose!). By combining the experience of Google’s engineers with IP homeowners and OEMs, we will make sure the Android ecosystem retains a powerful measure of integrity.

Why examine GPUs?

When researching vulnerabilities, GPUs are a well-liked goal on account of:

  1. Performance vs. Safety Tradeoffs

    No one needs a gradual, unresponsive system; any hits to GPU efficiency may end in a noticeably degraded consumer expertise. As such, the GPU software program stack in Android depends on an in-process HAL mannequin the place the API & consumer area drivers speaking with the GPU kernel mode module are working immediately throughout the context of apps, thus avoiding IPC (interprocess communication). This opens the door for doubtlessly untrusted code from a 3rd celebration app having the ability to immediately entry the interface uncovered by the GPU kernel module. If there are any vulnerabilities within the module, the third celebration app has an avenue to use them. In consequence, a doubtlessly untrusted code working within the context of the third celebration software is ready to immediately entry the interface uncovered by the GPU kernel module and exploit potential vulnerabilities within the kernel module.

  2. Selection & Reminiscence Security

    Moreover, the implementation of GPU subsystems (and kernel modules particularly) from main OEMs are more and more advanced. Kernel modules for many GPUs are usually written in reminiscence unsafe languages corresponding to C, that are inclined to reminiscence corruption vulnerabilities like buffer overflow.

Can somebody do one thing about this?

Nice information, we have already got! Who’s we? The Android Purple Workforce and Arm! We’ve labored collectively to run an engagement on the Mali GPU (extra on that under), however first, a short introduction:

Android Purple Workforce

The Android Purple Workforce performs time-bound safety evaluation engagements on all facets of the Android open supply codebase and conducts common safety opinions and assessments of inside Android elements. All through these engagements, the Android Purple Workforce recurrently collaborates with third celebration software program and {hardware} suppliers to research and perceive proprietary and “closed supply” code repositories and related supply code which are utilized by Android merchandise with the only real goal to establish safety dangers and potential vulnerabilities earlier than they are often exploited by adversaries exterior of Android. This yr, the Android Purple Workforce collaborated immediately with our business companion, Arm, to conduct the Mali GPU engagement and additional safe thousands and thousands of Android gadgets.

Arm Product Safety and GPU Groups

Arm has a central product safety group that units the coverage and observe throughout the corporate. In addition they have devoted product safety specialists embedded in engineering groups. Arm operates a scientific strategy which is designed to forestall, uncover, and eradicate safety vulnerabilities. This features a Safety Improvement Lifecycle (SDL), a Monitoring functionality, and Incident Response. For this collaboration the Android Purple Groups have been supported by the embedded safety specialists based mostly in Arm’s GPU engineering group.

Working collectively to safe Android gadgets

Google’s Android Safety groups and Arm have been working collectively for a very long time. Safety necessities are by no means static, and challenges exist with all GPU distributors. By incessantly sharing experience, the Android Purple Workforce and Arm have been in a position to speed up detection and backbone. Investigations of recognized vulnerabilities, potential remediation methods, and hardening measures drove detailed analyses and the implementation of fixes the place related.

Latest analysis targeted on the Mali GPU as a result of it’s the most well-liked GPU in as we speak’s Android gadgets. Collaborating on GPU safety allowed us to:

  1. Assess the impression on the broadest section of the Android Ecosystem: The Arm Mali GPU is without doubt one of the most used GPUs by authentic gear producers (OEMs) and is discovered in lots of widespread cell gadgets. By specializing in the Arm Mali GPU, the Android Purple Workforce may assess the safety of a GPU implementation working on thousands and thousands of Android gadgets worldwide.
  2. Consider the reference implementation and vendor-specific modifications: Cellphone producers typically modify the upstream implementation of GPUs. This tailors the GPU to the producer’s particular system(s). These modifications and enhancements are all the time difficult to make, and might typically introduce safety vulnerabilities that aren’t current within the authentic model of the GPU upstream. On this particular occasion, the Google Pixel group actively labored with the Android Purple Workforce to raised perceive and safe the modifications they made for Pixel gadgets.

Enhancements

Investigations have led to vital enhancements, leveling up the safety of the GPU software program/firmware stack throughout a large section of the Android ecosystem.

Testing the kernel driver

One key part of the GPU subsystem is its kernel mode driver. Throughout this engagement, each the Android Purple Workforce and Arm invested vital effort wanting on the Mali kbase kernel driver. Attributable to its complexity, fuzzing was chosen as the first testing strategy for this space. Fuzzing automates and scales vulnerability discovery in a means not attainable by way of guide strategies. With assist from Arm, the Android Purple Workforce added extra syzkaller fuzzing descriptions to match the newest Mali kbase driver implementation.

The group constructed just a few customizations to allow fuzzing the Mali kbase driver within the cloud, with out bodily {hardware}. This supplied an enormous enchancment to fuzzing efficiency and scalability. With the Pixel group’s help, we additionally have been in a position to arrange fuzzing on precise Pixel gadgets. By way of the mix of cloud-based fuzzing, Pixel-based fuzzing, and guide evaluate, we have been in a position to uncover two reminiscence points in Pixel’s customization of driver code (CVE-2023-48409 and CVE-2023-48421).

Each points occurred within the gpu_pixel_handle_buffer_liveness_update_ioctl perform, which is carried out by the Pixel group as a part of system particular customization. These are each reminiscence points attributable to integer overflow issues. If exploited rigorously alongside different vulnerabilities, these points may result in kernel privilege escalation from consumer area. Each points have been mounted and the patch was launched to affected gadgets in Pixel security bulletin 2023-12-01.

Testing the firmware

Firmware is one other elementary constructing block of the GPU subsystem. It’s the middleman working with kernel drivers and GPU {hardware}. In lots of instances, firmware performance is immediately/not directly accessible from the appliance. So “software ⇒ kernel ⇒ firmware ⇒ kernel” is a identified assault stream on this space. Additionally, normally, firmware runs on embedded microcontrollers with restricted assets. Generally used safety kernel mitigations (ASLR, stack safety, heap safety, sure sanitizers, and so on.) won’t be relevant to firmware on account of useful resource constraints and efficiency impression. This could make compromising firmware simpler, in some instances, than immediately compromising kernel drivers from consumer area. To check the integrity of present firmware, the Android Purple Workforce and Arm labored collectively to carry out each fuzzing and formal verification together with guide evaluation. This multi-pronged strategy led to the invention of CVE-2024-0153, which had a patch launched in the July 2024 Android Security Bulletin.

CVE-2024-0153 occurs when GPU firmware handles sure directions. When dealing with such directions, the firmware copies register content material right into a buffer. There are dimension checks earlier than the copy operation. Nevertheless, underneath very particular circumstances, an out-of-bounds write occurs to the vacation spot buffer, resulting in a buffer overflow. When rigorously manipulated, this overflow will overwrite another necessary constructions following the buffer, inflicting code execution within the GPU firmware.

The circumstances mandatory to succeed in and doubtlessly exploit this situation are very advanced because it requires a deep understanding of how directions are executed. With collective experience, the Android Purple Workforce and Arm have been in a position to confirm the exploitation path and leverage the problem to realize restricted management of GPU firmware. This ultimately circled again to the kernel to acquire privilege escalation. Arm did a superb job to reply shortly and remediate the problem. Altogether, this highlights the power of collaboration between each groups to dive deeper.

Time to Patch

It’s identified that attackers exploit GPU vulnerabilities within the wild, and time to patch is essential to cut back danger of exploitation and defend customers. Because of this engagement, 9 new Safety Take a look at suite (STS) checks have been constructed to assist companions routinely test their builds for lacking Mali kbase patches. (Safety Take a look at Suite is software program supplied by Google to assist companions automate the method of checking their builds for lacking safety patches.)

What’s Subsequent?

The Arm Product Safety Workforce is actively concerned in security-focused business communities and collaborates carefully with its ecosystem companions. The engagement with the Android Purple Workforce, as an illustration, gives beneficial enablement that drives finest practices and product excellence. Constructing on this collaborative strategy, Arm is complementing its product safety assurance capabilities with a bug bounty program. This funding will increase Arm’s efforts to establish potential vulnerabilities. For extra data on Arm’s product safety initiatives, please go to this product security page.

The Android Purple Workforce and Arm proceed to work collectively to proactively elevate the bar on GPU safety. With thorough testing, speedy fixing, and updates to the safety take a look at suite, we’re bettering the ecosystem for Android customers. The Android Purple Workforce seems ahead to replicating this working relationship with different ecosystem companions to make gadgets safer.

Leave a Reply

Your email address will not be published. Required fields are marked *