Latest Google’s Android mobile operating system has finally been properly fortified with an industry-standard defense. It’s designed to protect end users against hack attacks that install malware on handsets.
Security researcher Jon Oberheide said Android version 4.1, aka Jelly Bean, is the first version of the Google-developed OS to properly implement a protection known as address space layout randomization. This randomizes the memory locations for the library, stack, heap, and most other OS data structures. Consequently, hackers who exploit memory corruption bugs that inevitably crop up in complex pieces of code are unable to know in advance where their malicious payloads will be loaded. When combined with a separate defense known as data execution prevention, ASLR can effectively neutralize such attacks.
“As long as there’s anything that’s not randomized, then it (ASLR) doesn’t work, because as long as the attacker knows something is in the same spot, they can use that to break out of everything else,” Charlie Miller, a veteran smartphone hacker and principal research consultant at security firm Accuvant, told Ars. “Jelly Bean is going to be the first version of Android that has full ASLR and DEP, so it’s going to be pretty difficult to write exploits for that.”