Government Regulation Thwarts Recent Android Security Gains | Bit9 Blog

Android has recently made great strides in exploit mitigation by adopting ASLR and the related stack and heap randomizations. These mitigations matter because they make the memory-corruption bugs that software always contains much harder to turn into working exploits. Great… well, almost. FIPS compliance is a fly in the ointment.

FIPS 140-2 validation is a requirement for the cryptographic modules used in federal information systems, which covers a large swath of the government. Certifying certain Android implementations suddenly opens the door to their use by government organizations. But in typical bureaucratic fashion, the certification creates new security problems even as it tries to address others.

Back in April, I pointed out that FIPS compliance may actually make the OpenSSL library less secure. I had hoped that the library’s new FIPS compliance effort would address this issue. It hasn’t; the same issues still apply. To recap that post: FIPS 140 compliance thwarts ASLR, because the module’s code must produce the same integrity digest every time it is loaded, and it also prevents the timely fixing of bugs, because any change to the validated code changes that digest and triggers a year-long recertification process. I can’t decide which is worse. Both are pretty bad.

The reason for this comes from the FIPS 140-2 requirements themselves (Section 4.9.1, Power-Up Tests):

Software/firmware integrity test. A software/firmware integrity test using an error detection code (EDC) or Approved authentication technique (e.g., an Approved message authentication code or digital signature algorithm) shall be applied to all validated software and firmware components within a cryptographic module when the module is powered up. The software/firmware integrity test is not required for any software and firmware components excluded from the security requirements of this standard (refer to Section 4.1). If the calculated result does not equal the previously generated result, the software/firmware test shall fail.
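To make the conflict concrete, here is a small Python model of that power-up integrity test, written as an added example for this post (it is not Bit9’s code and not the OpenSSL FIPS module’s own implementation). The 32-byte “module image”, its two absolute-address slots, the HMAC key and the base addresses are all constructed. It shows the test passing when the code loads at its link-time address, failing when the loader relocates it to an ASLR-chosen base, failing again after a one-byte bug fix, and passing under relocation only if the patched address slots are left out of the check, which leaves those bytes unverified.

```python
import hashlib
import hmac
import struct

# Constructed toy "module image": 32 bytes of filler standing in for validated code,
# with two 4-byte slots that hold absolute addresses. When a loader maps the image at
# a different base (as ASLR does), it rewrites those slots; nothing else changes.
BUILD_BASE = 0x10000000
RELOC_SLOTS = (8, 20)          # byte offsets of the absolute-address slots (constructed)
SLOT_TARGETS = (0x40, 0x80)    # image-relative targets the slots point at (constructed)
INTEGRITY_KEY = b"constructed-hmac-key-embedded-at-build-time"


def build_image(base):
    """Lay out the toy image as linked for `base`: filler plus absolute pointers."""
    img = bytearray(b"\x90" * 32)
    for off, target in zip(RELOC_SLOTS, SLOT_TARGETS):
        struct.pack_into("<I", img, off, base + target)
    return bytes(img)


def relocate(img, old_base, new_base):
    """Simulate the loader fixing up absolute addresses after mapping at new_base."""
    out = bytearray(img)
    delta = new_base - old_base
    for off in RELOC_SLOTS:
        (val,) = struct.unpack_from("<I", out, off)
        struct.pack_into("<I", out, off, (val + delta) & 0xFFFFFFFF)
    return bytes(out)


def fingerprint(img, key, skip_slots=()):
    """HMAC-SHA256 over the image, optionally leaving 4-byte relocation slots out.

    skip_slots is a sequence of slot offsets to exclude from the MAC."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    pos = 0
    for off in sorted(skip_slots):
        mac.update(img[pos:off])
        pos = off + 4
    mac.update(img[pos:])
    return mac.digest()


def power_up_test(loaded_img, key, expected, skip_slots=()):
    """The FIPS-style check: recompute the MAC over the code as loaded and compare
    it with the previously generated result."""
    return hmac.compare_digest(fingerprint(loaded_img, key, skip_slots), expected)


def run_scenarios(aslr_base=0x7F3A0000):
    """Return pass/fail for each scenario so the effect is visible at a glance."""
    img = build_image(BUILD_BASE)
    expected = fingerprint(img, INTEGRITY_KEY)            # "previously generated result"

    loaded_fixed = img                                     # loaded at the link-time base
    loaded_aslr = relocate(img, BUILD_BASE, aslr_base)    # loaded at a random base
    bug_fixed = img[:4] + b"\x0f" + img[5:]                # a one-byte patch to the code

    # Variant that leaves the relocation slots out of the MAC so ASLR can pass. The
    # cost is that those address bytes are no longer covered by the integrity check.
    expected_no_slots = fingerprint(img, INTEGRITY_KEY, RELOC_SLOTS)

    return {
        "fixed_base": power_up_test(loaded_fixed, INTEGRITY_KEY, expected),
        "aslr_base": power_up_test(loaded_aslr, INTEGRITY_KEY, expected),
        "bug_fix": power_up_test(bug_fixed, INTEGRITY_KEY, expected),
        "aslr_base_slots_excluded": power_up_test(
            loaded_aslr, INTEGRITY_KEY, expected_no_slots, RELOC_SLOTS),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:26s} {'PASS' if ok else 'FAIL'}")
```

Real validated modules deal with relocation in their own ways; the toy only makes the underlying tension visible. A fixed digest over the code as loaded and a loader that rewrites that code cannot both be satisfied without giving something up, either the randomized base or coverage of the rewritten bytes, and any one-byte fix to the code invalidates the stored digest just as surely as relocation does.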

Several FIPS-compliant modules for Android have now been implemented and certified, and plenty of Web buzz on the topic seems to imply that FIPS-certified Android implementations are therefore “secure.”

Underlying this is a misapprehension common at the edges of infosec: equating or conflating encryption with security. For a good exposition of this point, see Richard Bejtlich’s recent post.

It’s understandable that the government wants to get a handle on its information security and standardize it. But overly cumbersome processes and standards like this one aren’t the answer, since they cause as many problems as they solve.

Drop us a line for your free 5-day trial of the Bit9 Parity Suite and leverage the power of Advanced Threat Protection:

  • Advanced Threat Detection: Real-time cyber forensics isolates stealth, embedded malware
  • Advanced Threat Prevention: Never get malware again with Application Whitelisting

