Google’s Pixel 3 is the first Android device to ship with new CFI kernel protections

Google’s new Pixel 3 handset is the first Android device to feature a new kernel code protection system, the company said today.

Named Control Flow Integrity (CFI), this technique works by preventing malware, exploits, or other malicious code from hijacking the execution flows of legitimate applications.

CFI prevents attackers from hijacking functions and pieces of code from legitimate apps and using those apps and their permissions to perform malicious operations.

CFI is not new per-se, being already used for more than a decade inside Linux, Windows (known as Control Flow Guard), and for the protection of individual application binaries (such as Chromium). It is generally considered the best way to defend against “code reuse attacks” and it has now also been added to the Android kernel as well.

Android 9.0 (also known as P or Pie), released at the end of August, was the first Android OS version to feature some CFI support.

For that version, CFI support was enabled by default “within the media frameworks and other security-critical components, such as NFC and Bluetooth,” Google said in June.

In a blog post today, Google said the entire Android kernel is now protected by CFI, and specifically, by “forward-edge Control Flow Integrity (CFI),” as implemented by the LLVM compiler, which Google uses to compile the Android OS kernel.

“Google’s Pixel 3 will be the first Android device to ship with these protections, and we have made the feature available to all device vendors through the Android common kernel,” said Sami Tolvanen, Staff Software Engineer, Android Security.

The company now hopes that Android OEM vendors will also integrate and activate this security feature inside future handsets or in OS updates they will ship to their users.

Since most OEMs generally tend to leave the kernel alone and only tinker with the operating system’s interface and later add device-specific drivers to their custom Android OS versions, CFI support is most likely to reach most users as they move to new devices or get an updated OS kernel.

Google says CFI support has been added to Android kernel versions 4.9 and 4.14, kernel versions usually seen with Android Pie handsets. Android phone owners can check their device’s kernel version in the Android OS settings, in the “About device” section.

RELATED AND PREVIOUS COVERAGE

Two weeks, too big: Goodbye Apple iPhone XS Max

The Apple iPhone XS Max has been out for a couple of weeks and, as expected, it is the best iPhone ever. However, although it may have the best of Apple inside, that doesn’t mean it is the best for everyone.

Samsung Galaxy Note 9 review: Big battery and superb S Pen experience power productivity

Some will say that the Note 9 doesn’t offer much over the Note 8, but those who use their phones to get work done with greatly appreciate the massive 4,000 mAh battery, Bluetooth S Pen, stunning display, virtually unlimited storage options, and more.

iPhone XS Max vs Samsung Galaxy Note 9: We compare the big phones

Apple and Samsung recently released large flagship smartphones priced at $1,000+. They are close to the same size and have the latest specs, but there are also some significant differences that will lead you to one over the other for your business needs.

What to expect: Pixel 3, OnePlus 6T, and other phones coming this fall

Most major flagship smartphones are now on a fairly regular release schedule and leaks are a part of this cycle. It is rare for a phone to be released today with any surprises, so let’s take a look at what is coming soon.

READ MORE HERE