Mitigations are attack surface, too (opens in new tab)

(googleprojectzero.blogspot.com)

104 pointsarchimag06y ago22 comments

22 comments

The irony of Google security blog giving advice to a problem that the company is responsible for it happening in first place.

Had they placed update requirements as part of the Play Store contract, vendors would be more keen in providing the said updates.

CiPHPerCoder6y ago

The irony is real, but I appreciate P0's transparency here.

CiPHPerCoder6y ago

> On Android, it is normal for vendors to add device-specific code to the kernel.

https://i.imgur.com/DnRNrZe.png

Normal for Android : Normal in general :: Madness : Sanity

> This code is a frequent source of security vulnerabilities.

If the first sentence was the shot, that's the chaser.

izacus6y ago

Your snark is very welcome, but do you have any proposal of how do you add support for a new Qualcomm SoC, GPU and it's camera modules without modifying the kernel? Or for their basebands?

Linux still has pretty much no path of adding these in userspace, neither it's interested in a stable ABI.

And no, forcing the only big SoC manufacturer in the world to opensource their drivers isn't really going to work.

wtallis6y ago

If forced to choose between open-sourcing and upstreaming their drivers, or supporting them for 5+ years and forcing their customers to actually deliver those updates to end users, then Qualcomm absolutely would choose the open-source route. QC's taking the path of least resistance, but if we take "ship it and forget it" off the menu of choices, they'll change.

1 more reply

chalst6y ago

Eric Raymond argued for mandating suppliers provide source to firmware; this problem is harder, but somewhat similar.

http://esr.ibiblio.org/?p=6860 (from 2015; excuse the grandiose tone, but the idea is interesting)

Of course, no chance.

tasogare6y ago

Why Linux doesn't have a driver framework? That's seems the problem here. It exists in Windows, FreeBSD and probably elsewhere too.

2 more replies

zxcmx6y ago

I don't get it; if I'm shipping my own SOC, with my own wizzy latest hardware how else do I get drivers for all my stuff, without adding them myself?

Like, I expect the results to have all the expected "quality" of software written by hardware vendors, but I'm not sure what the alternative is?

EDIT: oh right, userspace drivers for everything. Leaving the comment here anyway...

tedunangst6y ago

Apertif: But in the Android ecosystem, that doesn't mean that it actually makes its way into device kernels.

j / k navigate · click thread line to collapse

22 comments

pjmlp6y ago

The irony of Google security blog giving advice to a problem that the company is responsible for it happening in first place.

Had they placed update requirements as part of the Play Store contract, vendors would be more keen in providing the said updates.

CiPHPerCoder6y ago

The irony is real, but I appreciate P0's transparency here.

CiPHPerCoder6y ago

> On Android, it is normal for vendors to add device-specific code to the kernel.

https://i.imgur.com/DnRNrZe.png

Normal for Android : Normal in general :: Madness : Sanity

> This code is a frequent source of security vulnerabilities.

If the first sentence was the shot, that's the chaser.

izacus6y ago

Your snark is very welcome, but do you have any proposal of how do you add support for a new Qualcomm SoC, GPU and it's camera modules without modifying the kernel? Or for their basebands?

Linux still has pretty much no path of adding these in userspace, neither it's interested in a stable ABI.

And no, forcing the only big SoC manufacturer in the world to opensource their drivers isn't really going to work.

wtallis6y ago

1 more reply

chalst6y ago

Eric Raymond argued for mandating suppliers provide source to firmware; this problem is harder, but somewhat similar.

http://esr.ibiblio.org/?p=6860 (from 2015; excuse the grandiose tone, but the idea is interesting)

Of course, no chance.

tasogare6y ago

Why Linux doesn't have a driver framework? That's seems the problem here. It exists in Windows, FreeBSD and probably elsewhere too.

2 more replies

zxcmx6y ago

I don't get it; if I'm shipping my own SOC, with my own wizzy latest hardware how else do I get drivers for all my stuff, without adding them myself?

Like, I expect the results to have all the expected "quality" of software written by hardware vendors, but I'm not sure what the alternative is?

EDIT: oh right, userspace drivers for everything. Leaving the comment here anyway...

tedunangst6y ago

Apertif: But in the Android ecosystem, that doesn't mean that it actually makes its way into device kernels.

j / k navigate · click thread line to collapse