ASLR is a security feature used in many operating systems. From Windows XP through to OSX or iOS6 and for a while Android has been avoiding using it. Android 4.0 Ice Cream Sandwich partially used it and now with the release of Android 4.1 Jelly Bean it uses it fully. Although it should be noted that the implementation still lags behind the security of the upcoming iOS6. But lets not get into that here.
You may be wondering what ASLR is. Well here is what Wikipedia defines it as.
Address space layout randomization (ASLR) is a computer security method which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process’s address space.
Address space randomization hinders some types of security attacks by making it more difficult for an attacker to predict target addresses. For example, attackers trying to execute return-to-libc attacks must locate the code to be executed, while other attackers trying to execute shellcode injected on the stack have to find the stack first. In both cases, the related memory addresses are obscured from the attackers. These values have to be guessed, and a mistaken guess is not usually recoverable due to the application crashing.
So what does it all mean for the average user? Not much really, just that if you are lucky enough to either have a Jelly Bean device then great or if you plan to get a new device in the future, then you should think about a Jelly Bean device.
It all sounds a bit worrying as to why our devices running Gingerbread or Ice Cream Sandwich could be exploited. It is all down to what apps you install and where you get them from really.
So what do you do if you are using a device running Ginger Bread or Ice Cream Sandwich? Well first and foremost I would get into the habit of checking what permissions any apps you install need. I got my wife doing this recently and she regularly asks me “why does this game need access to all of my contacts”, my reply “don’t install it”.
So the only thing that remains is to sit and wait for some devices running Jelly Bean. Manufacturers still to this day release devices running Gingerbread and many of the current devices running Ice Cream Sandwich have no published upgrade schedule. Things like core level security updates really should be able to bypass all of the carrier stuff and all of the oem skins. This sort of stuff is actually important.
All I can say is that I’m glad I bought another Galaxy Nexus recently.
Sources
Wikipedia - The Unlockr - Threatpost
About James Pearce
I spend most of the day telling people to turn stuff off and back on again. Inbetween doing that I post news and reviews over here.
I am about to embark on a Windows Phone 8 and Windows RT self imposed restriction for a few months. Keep your eyes on the site for updates.
