Honey, I Shrunk the Attack Surface - Adventures in Android Security Hardening

Offered By: Black Hat via YouTube

Course Description

Overview

Explore Android's attack surface reduction history and its role in the broader Android security landscape in this 51-minute Black Hat conference talk. Delve into the technical strategies employed for attack surface reduction, examining specific bugs rendered unreachable through hardening efforts over recent years. Gain insights into the overall impact of these security measures and identify areas for further improvement. Learn about layers of defense, key principles, and the evolution of Android security from Windows Vista to modern implementations. Discover how Project Treble, Media Server Hardening, and other changes have contributed to enhanced security. Analyze the effects on vulnerability research, mitigation techniques, and the security community's recognition of these efforts. Conclude with a look at future directions, including better separation of vendor code, to further strengthen Android's security posture.

Syllabus

Introduction
Agenda
Layers of Defense
Moving Parts
Key Principles
History
Windows Vista
Android
Modern Android Security
Attack Surface Management
We dodged a bullet
Preventing other bugs
Pwned Ubuntu
Required Capnet
Security Policy
What is Project Treble
What happened in Project Treble
Media Server Hardening
Stagefright
Extractor Service
seccomp
Other Changes
dm-verity
Security Hardening Results
Stagefright Bugs
Project Treble
Webview
KitKat
Linux Kernel
Kernel Vulnerability Research
ioctls
ioctl Filtering
Effects on Android
Mitigation
Case Study
Impact on Security
Other Attack Surface Reduction
Security Community Recognition
John Sawyer
Security Research Communities
Vulnerability Purchase Community
Jailbreak Prices
Price Parity
Project Zero Prize
WikiLeaks
The Future
Better Separation of Vendor Code
Summary


Taught by

Black Hat
