Google Reports Decline In Android Memory Safety Vulnerabilities As Rust Usage Grows

'Last year, Google announced Android Open Source Project (AOSP) support for Rust, and today the company provided an update, while highlighting the decline in memory safety vulnerabilities. 9to5Google reports:

Google says the "number of memory safety vulnerabilities have dropped considerably over the past few years/releases." Specifically, the number of annual memory safety vulnerabilities fell from 223 to 85 between 2019 and 2022. They are now 35% of Android's total vulnerabilities versus 76% four years ago. In fact, "2022 is the first year where memory safety vulnerabilities do not represent a majority of Android's vulnerabilities." That count is for "vulnerabilities reported in the Android security bulletin, which includes critical/high severity vulnerabilities reported through our vulnerability rewards program (VRP) and vulnerabilities reported internally."

During that period, the amount of new memory-unsafe code entering Android has decreased: "Android 13 is the first Android release where a majority of new code added to the release is in a memory safe language." Rust makes up 21% of all new native code in Android 13, including the Ultra-wideband (UWB) stack, DNS-over-HTTP3, Keystore2, Android's Virtualization framework (AVF), and "various other components and their open source dependencies."

Google considers it significant that there have been "zero memory safety vulnerabilities discovered in Android's Rust code" so far across Android 12 and 13.

Google's blog post today also talks about non-memory-safety vulnerabilities, and its future plans: "... We're implementing userspace HALs in Rust. We're adding support for Rust in Trusted Applications. We've migrated VM firmware in the Android Virtualization Framework to Rust. With support for Rust landing in Linux 6.1 we're excited to bring memory-safety to the kernel, starting with kernel drivers."'

-- source: https://tech.slashdot.org/story/22/12/01/2124259

Cheers, Peter

-- 
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
Mobile +64 22 190 2375
https://www.cs.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/

On Fri, 2 Dec 2022 15:41:48 +1300, Peter Reutemann quoted:
'[Memory-safety vulnerabilities] are now 35% of Android's total vulnerabilities versus 76% four years ago.'
Looking at the blog post in question <https://security.googleblog.com/2022/12/memory-safe-languages-in-android-13.html>, it admits that the _total_ number of vulnerabilities is not coming down. However, what they say is “Memory safety vulnerabilities tend to be much more versatile” in terms of exploitability. So therefore, “With the decrease in our most severe vulnerabilities, we’re seeing increased reports of less severe vulnerability types”, and that overall is still an improvement in security.