Last year’s particularly virulent Stagefright bug allowed attackers to perform a number of actions on a vulnerable device through remote code execution. While Google has addressed those issues with monthly security patches, Android N will play a larger role in making sure a similar issue does not happen again.
The mediaserver — responsible for media-related tasks — has access to a device’s camera, microphone, graphics, phone, Bluetooth, internet, and more. While the component runs in a sandbox, it still has access to a lot of resources and capabilities, thus making an issue there particularly wide-ranging. According to the Android security team:
“A root cause analysis showed that the libstagefright bugs primarily occurred in code responsible for parsing file formats and media codecs. This is not surprising—parsing complex file formats and codecs while trying to optimize for speed is hard, and the large number of edge cases makes such code susceptible to both accidental and malicious malformed inputs.”
To make sure a similar vulnerability in the future doesn’t have such a wide impact, Android N has divided mediaserver and its permissions into several components and sandboxes. The re-architected mediaserver better adheres to the security principle of least privilege. For instance, “the cameraserver may access the camera, only the audioserver may access Bluetooth, and only the drmserver may access DRM resources.”
Under this new approach, vulnerabilities would only have access to a limited component rather than the entire device: “This means that compromising libstagefright would grant the attacker access to significantly fewer permissions and also mitigates privilege escalation by reducing the attack surface exposed by the kernel.”
In addition to containing possible vulnerabilities, Android N takes preventive measures such as enabling signed and unsigned integer overflow detection across the entire media stack, so that an overflow is caught at runtime instead of silently wrapping, which makes integer overflows harder to exploit.
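The overflow detection described above targets exactly the kind of size arithmetic a container parser does on an attacker-controlled length field. The following is an added example, not code from the article or from Android's media stack; the chunk layout, the `SAMPLE_*` buffers and all function names are constructed for illustration.

```c
/* Constructed example: a parser computes a chunk's total on-wire size as
 * LEN_FIELD_SIZE + declared_len. With plain 32-bit arithmetic that sum wraps,
 * so a chunk claiming ~4 GiB of body can look 2 bytes long. Building the
 * unchecked variant with
 *   clang -fsanitize=signed-integer-overflow,unsigned-integer-overflow
 * makes the sanitizer report the wrap instead of letting it pass silently. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LEN_FIELD_SIZE 4u  /* hypothetical 4-byte little-endian length prefix */

/* Unchecked: silently wraps modulo 2^32 on a large declared length. */
uint32_t chunk_total_size_unchecked(uint32_t declared_len) {
    return LEN_FIELD_SIZE + declared_len;
}

/* Hardened: refuses the chunk when the total does not fit in 32 bits.
 * __builtin_add_overflow is available in GCC >= 5 and clang. */
bool chunk_total_size_checked(uint32_t declared_len, uint32_t *total) {
    return !__builtin_add_overflow(LEN_FIELD_SIZE, declared_len, total);
}

/* Read the little-endian 32-bit length prefix of a chunk. */
uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Accept a chunk only if its declared size is well-formed and the whole
 * chunk is actually present in the buffer. */
bool accept_chunk(const uint8_t *buf, size_t buf_len) {
    uint32_t total;
    if (buf_len < LEN_FIELD_SIZE) return false;
    if (!chunk_total_size_checked(read_le32(buf), &total)) return false;
    return total <= buf_len;
}

/* Constructed samples: one claims 0xFFFFFFFE body bytes, one claims 4. */
static const uint8_t SAMPLE_HOSTILE[8] = {0xFE, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0};
static const uint8_t SAMPLE_BENIGN[8]  = {0x04, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd'};

int main(void) {
    printf("unchecked total for hostile chunk: %u (wrapped)\n",
           chunk_total_size_unchecked(read_le32(SAMPLE_HOSTILE)));
    printf("hostile accepted: %d, benign accepted: %d\n",
           accept_chunk(SAMPLE_HOSTILE, sizeof SAMPLE_HOSTILE),
           accept_chunk(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN));
    return 0;
}
```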