http://arstechnica.com/security/2012/07/android-jelly-bean-hard-to-exploit/ By Dan Goodin Ars Technica July 16, 2012 The latest release of Google's Android mobile operating system has finally been properly fortified with an industry-standard defense. It's designed to protect end users against hack attacks that install malware on handsets. In an analysis published Monday, security researcher Jon Oberheide said Android version 4.1, aka Jelly Bean, is the first version of the Google-developed OS to properly implement a protection known as address space layout randomization. ASLR, as it's more often referred to, randomizes the memory locations for the library, stack, heap, and most other OS data structures. As a result, hackers who exploit memory corruption bugs that inevitably crop up in complex pieces of code are unable to know in advance where their malicious payloads will be loaded. When combined with a separate defense known as data execution prevention, ASLR can effectively neutralize such attacks. Although Android 4.0, aka Ice Cream Sandwich, was the first Android release to offer ASLR, the implementation was largely ineffective at mitigating real-world attacks. One of the chief reasons for the deficiency was Android's executable region, heap, libraries, and linker were loaded at the same locations each time. This made it significantly easier for attackers designing exploits to predict where in memory their malicious code can be located. [...] -- Learn how to be a Pen Tester, CISSP, ISSMP, or ISSAP with Expanding Security online. Come to a free class and see how good and fun the program really is. http://www.expandingsecurity.com/PainPillReceived on Tue Jul 17 2012 - 03:23:10 PDT
This archive was generated by hypermail 2.2.0 : Tue Jul 17 2012 - 03:38:06 PDT