Sep 02

Pixel Security: Better, Faster, Stronger

Posted by Paul Crowley, Senior Software Engineer and Paul Lawrence, Senior Software Engineer

Encryption protects your data if your phone falls into someone else’s hands. The
new Google Pixel and Pixel XL are encrypted by default to offer strong data
protection, while maintaining a great user experience with high I/O performance
and long battery life. In addition to encryption, the Pixel phones debuted
running the Android Nougat release, which has even more security
improvements.

This blog post covers the encryption implementation on Google Pixel devices and
how it improves the user experience, performance, and security of the device.

File-Based Encryption Direct Boot experience

One of the security features introduced in Android Nougat was file-based
encryption. File-based encryption (FBE) means different files are encrypted
with different keys that can be unlocked independently. FBE also separates data
into device encrypted (DE) data and credential encrypted (CE) data.

Direct
boot uses file-based encryption to allow a seamless user experience when a
device reboots by combining the unlock and decrypt screen. For users, this means
that applications like alarm clocks, accessibility settings, and phone calls are
available immediately after boot.

Enhanced with TrustZone® security

Modern processors provide a means to execute code in a mode that remains secure
even if the kernel is compromised. On ARM®-based processors this mode is known
as TrustZone. Starting in Android Nougat, all disk encryption keys are stored
encrypted with keys held by TrustZone software. This secures encrypted data in
two ways:

  • TrustZone enforces the Verified Boot
    process. If TrustZone detects that the operating system has been modified, it
    won’t decrypt disk encryption keys; this helps to secure device encrypted (DE)
    data.

  • TrustZone enforces a waiting period between guesses at the user credential,
    which gets longer after a sequence of wrong guesses. With 1624 valid four-point
    patterns and TrustZone’s ever-growing waiting period, trying all patterns would
    take more than four years. This improves security for all users, especially
    those who have a shorter and more easily guessed pattern, PIN, or
    password.

Encryption on Pixel phones

Protecting different folders with different keys required a distinct approach
from full-disk
encryption (FDE). The natural choice for Linux-based systems is the
industry-standard eCryptFS. However, eCryptFS didn’t meet our performance
requirements. Fortunately one of the eCryptFS creators, Michael Halcrow, worked
with the ext4 maintainer, Ted Ts’o, to add encryption natively to ext4, and
Android became the first consumer of this technology. ext4 encryption
performance is similar to full-disk encryption, which is as performant as a
software-only solution can be.

Additionally, Pixel phones have an inline hardware encryption engine, which
gives them the ability to write encrypted data at line speed to the flash
memory. To take advantage of this, we modified ext4 encryption to use this
hardware by adding a key reference to the bio structure, within the ext4 driver
before passing it to the block layer. (The bio structure is the basic container
for block I/O in the Linux kernel.) We then modified the inline encryption block
driver to pass this to the hardware. As with ext4 encryption, keys are managed
by the Linux keyring. To see our implementation, take a look at the source
code for the Pixel kernel.

While this specific implementation of file-based encryption using ext4 with
inline encryption benefits Pixel users, FBE is available in AOSP and ready to
use, along with the other features mentioned in this post.


Android Developers Blog

Aug 23

Evolution of Android Security Updates


Posted by Dave Kleidermacher, VP, Head of Security – Android, Chrome OS, Play

At Google I/O 2018, in our What’s New in Android Security session, we shared a brief update on the Android security updates program. With the official release of Android 9 Pie, we wanted to share a more comprehensive update on the state of security updates, including best practice guidance for manufacturers, how we’re making Android easier to update, and how we’re ensuring compliance to Android security update releases.

Commercial Best Practices around Android Security Updates

As we noted in our 2017 Android Security Year-in-Review, Android’s anti-exploitation strength now leads the mobile industry and has made it exceedingly difficult and expensive to leverage operating system bugs into compromises. Nevertheless, an important defense-in-depth strategy is to ensure critical security updates are delivered in a timely manner. Monthly security updates are the recommended best practice for Android smartphones. We deliver monthly Android source code patches to smartphone manufacturers so they may incorporate those patches into firmware updates. We also deliver firmware updates over-the-air to Pixel devices on a reliable monthly cadence and offer the free use of Google’s firmware over-the-air (FOTA) servers to manufacturers. Monthly security updates are also required for devices covered under the Android One program.

While monthly security updates are best, at minimum, Android manufacturers should deliver regular security updates in advance of coordinated disclosure of high severity vulnerabilities, published in our Android bulletins. Since the common vulnerability disclosure window is 90 days, updates on a 90-day frequency represents a minimum security hygiene requirement.

Enterprise Best Practices

Product security factors into purchase decisions of enterprises, who often consider device security update cadence, flexibility of policy controls, and authentication features. Earlier this year, we introduced the Android Enterprise Recommended program to help businesses make these decisions. To be listed, Android devices must satisfy numerous requirements, including regular security updates: at least every 90 days, with monthly updates strongly recommended. In addition to businesses, consumers interested in understanding security update practices and commitment may also refer to the Enterprise Recommended list.

Making Android Easier to Update

We’ve also been working to make Android easier to update, overall. A key pillar of that strategy is to improve modularity and clarity of interfaces, enabling operating system subsystems to be updated without adversely impacting others. Project Treble is one example of this strategy in action and has enabled devices to update to Android P more easily and efficiently than was possible in previous releases. The modularity strategy applies equally well for security updates, as a framework security update can be performed independently of device specific components.

Another part of the strategy involves the extraction of operating system services into user-mode applications that can be updated independently, and sometimes more rapidly, than the base operating system. For example, Google Play services, including secure networking components, and the Chrome browser can be updated individually, just like other Google Play apps.

Partner programs are a third key pillar of the updateability strategy. One example is the GMS Express program, in which Google is working closely with system-on-chip (SoC) suppliers to provide monthly pre-integrated and pre-tested Android security updates for SoC reference designs, reducing cost and time to market for delivering them to users.

Security Patch Level Compliance

Recently, researchers reported a handful of missing security bug fixes across some Android devices. Initial reports had several inaccuracies, which have since been corrected. We have been developing security update testing systems that are now making compliance failures less likely to occur. In particular, we recently delivered a new testing infrastructure that enables manufacturers to develop and deploy automated tests across lower levels of the firmware stack that were previously relegated to manual testing. In addition, the Android build approval process now includes scanning of device images for specific patterns, reducing the risk of omission.

Looking Forward

In 2017, about a billion Android devices received security updates, representing approximately 30% growth over the preceding year. We continue to work hard devising thoughtful strategies to make Android easier to update by introducing improved processes and programs for the ecosystem. In addition, we are also working to drive increased and more expedient partner adoption of our security update and compliance requirements. As a result, over coming quarters, we expect the largest ever growth in the number of Android devices receiving regular security updates.

Bugs are inevitable in all complex software systems, but exploitability of those bugs is not. We’re working hard to ensure that the incidence of potentially harmful exploitation of bugs continues to decline, such that the frequency for security updates will reduce, not increase, over time. While monthly security updates represents today’s best practice, we see a future in which security updates becomes easier and rarer, while maintaining the same goal to protect all users across all devices.


Android Developers Blog

Aug 21

Bitdefender Internet Security 2015 Serial Keys are Here ! [15/08/2015]

Bitdefender Internet Security 2015
Silent internet security software, enhanced with Firewall and Parental Control. Best Protection for three years straight. Imperceptible. Best for system speed (AV- TEST). Extremely easy to use.
It builds on technology awarded by AV-TEST Best Protection for three years straight, and Best Performance for system speed. Intuitive, it secures your device with just one click. It also prevents unauthorized access to your private information with a two-way Firewall and keeps children safe with Parental Control.

Features

  • Easy to Use. Simple to Understand. Handle Security with a Single Click.
  • Prevent Unauthorized Access to your Private Data. Two-Way Firewall.
  • Keep your Kids Safe. Monitor Their Activity. Discrete Parental Control.
  • Make online transactions from a unique, dedicated browser, that secured your accounts from fraud. Bitdefender Safepay™ can now also automatically fill credit card details in billing fields.
  • The two-way firewall continuously monitors your Internet connections and prevents unauthorized access, even over a Wi-Fi network.
  • Stops unwanted e-mail from reaching your Inbox, now fully based on Cloud technology.
  • Active Virus Control is a proactive, dynamic detection technology. It monitors processes’ behavior in real time, as they are running, and tags suspicious activities.
  • If e-threats, such as rootkits, cannot be removed from within the Windows operating system, the computer is re-booted in Rescue mode — a trusted environment which is then used for cleanup and restoration.
  • With a single click, the vulnerability scanner automatically warns of vulnerable or outdated software, missing Windows security patches, and potentially unsafe system settings.
  • Displays your overall security status for the past week, as well as the total issues fixed by Bitdefender since installation. Includes freed up space, optimized apps and remaining available storage.
  • Enables you to keep track of all of your security-related tasks, plus lets you quickly and easily drag-and-drop files for quick scanning for viruses — right from your desktop!
  • MyBitdefender offers quick online access to your local Bitdefender software, allowing you to run scans, check security statuses for each device, extend your services or easily access support.
  • Remotely scan and fix security issues on all of your Bitdefender-protected devices from anywhere, using MyBitdefender.
  • Immunizes any Flash Drive from viruses when they’re connected to your computer so you never worry again about USBs infecting you or your friends.
  • Bitdefender Internet Security 2015 automatically blocks popups and notifications when you Work, Play or Watch movies.
  • Provides a hassle-free experience by making optimal security-related decisions with no input from you. This means no pop-ups, no alerts, nothing to configure.
  • Bitdefender blocks malicious links or e-threats you receive from your friends on Facebook, Twitter, Pinterest or any other social network.
  • Bitdefender Internet Security 2015 tells you if a link is safe even before you click it in Google and Bing search results. Furthermore, it blocks access to infected links that you have already clicked.
  • Innovative, exclusive technology that visibly improves speed and performance in a matter of hours by gradually adapting to each PC.
  • Your internet security software isn’t slowing down your computer. So what is? Bitdefender OneClick Optimizer is a new feature in Bitdefender Internet Security 2015 that automatically speeds up your system and frees up disk space by running every known optimization. All in one click.
  • And Many More …
What’s New in v19.2.0.142
  • Windows 10 compatible
How To Activate ?
  1. Download and Install Bitdefender Internet Security 2015 From The Links Given Below
  2. Download and Use any serial key from BISserial.txt File to Register
  3. Done, Enjoy :)
Screenshot




Downloads
Bitdefender Internet Security 2015 32-BIT Trial Setup (324 MB) / Mirror
Bitdefender Internet Security 2015 64-BIT Trial Setup (362 MB) / Mirror
Bitdefender Internet Security 2015 Serial Keys (1 MB) / Mirror

Cracked Software

Jul 14

Pixel Security: Better, Faster, Stronger

Posted by Paul Crowley, Senior Software Engineer and Paul Lawrence, Senior Software Engineer

Encryption protects your data if your phone falls into someone else’s hands. The
new Google Pixel and Pixel XL are encrypted by default to offer strong data
protection, while maintaining a great user experience with high I/O performance
and long battery life. In addition to encryption, the Pixel phones debuted
running the Android Nougat release, which has even more security
improvements.

This blog post covers the encryption implementation on Google Pixel devices and
how it improves the user experience, performance, and security of the device.

File-Based Encryption Direct Boot experience

One of the security features introduced in Android Nougat was file-based
encryption. File-based encryption (FBE) means different files are encrypted
with different keys that can be unlocked independently. FBE also separates data
into device encrypted (DE) data and credential encrypted (CE) data.

Direct
boot uses file-based encryption to allow a seamless user experience when a
device reboots by combining the unlock and decrypt screen. For users, this means
that applications like alarm clocks, accessibility settings, and phone calls are
available immediately after boot.

Enhanced with TrustZone® security

Modern processors provide a means to execute code in a mode that remains secure
even if the kernel is compromised. On ARM®-based processors this mode is known
as TrustZone. Starting in Android Nougat, all disk encryption keys are stored
encrypted with keys held by TrustZone software. This secures encrypted data in
two ways:

  • TrustZone enforces the Verified Boot
    process. If TrustZone detects that the operating system has been modified, it
    won’t decrypt disk encryption keys; this helps to secure device encrypted (DE)
    data.

  • TrustZone enforces a waiting period between guesses at the user credential,
    which gets longer after a sequence of wrong guesses. With 1624 valid four-point
    patterns and TrustZone’s ever-growing waiting period, trying all patterns would
    take more than four years. This improves security for all users, especially
    those who have a shorter and more easily guessed pattern, PIN, or
    password.

Encryption on Pixel phones

Protecting different folders with different keys required a distinct approach
from full-disk
encryption (FDE). The natural choice for Linux-based systems is the
industry-standard eCryptFS. However, eCryptFS didn’t meet our performance
requirements. Fortunately one of the eCryptFS creators, Michael Halcrow, worked
with the ext4 maintainer, Ted Ts’o, to add encryption natively to ext4, and
Android became the first consumer of this technology. ext4 encryption
performance is similar to full-disk encryption, which is as performant as a
software-only solution can be.

Additionally, Pixel phones have an inline hardware encryption engine, which
gives them the ability to write encrypted data at line speed to the flash
memory. To take advantage of this, we modified ext4 encryption to use this
hardware by adding a key reference to the bio structure, within the ext4 driver
before passing it to the block layer. (The bio structure is the basic container
for block I/O in the Linux kernel.) We then modified the inline encryption block
driver to pass this to the hardware. As with ext4 encryption, keys are managed
by the Linux keyring. To see our implementation, take a look at the source
code for the Pixel kernel.

While this specific implementation of file-based encryption using ext4 with
inline encryption benefits Pixel users, FBE is available in AOSP and ready to
use, along with the other features mentioned in this post.


Android Developers Blog

Jun 30

Download Kaspersky Anti-Virus + Internet Security 2016 v16.0.0.614 [Direct Link]

Kaspersky Anti-Virus and Kaspersky Internet Security without a doubt the most versatile and popular software security among users, the company nearly 20 years in the field of security software is active, has a large share of the market to its security allocate. The software uses an extensive database that can detect the latest malicious files and advanced tool cleans your operating system from any virus and wreak clear. To be sure, Kaspersky products can be very good option for full security of your system.
Key features of software of Kaspersky Anti-Virus and Kaspersky Internet Security: 

- Has one of the infected files Bhrvztryn databases 

- Identify a range of malicious files such as viruses, Trojans, rootkits, spam, etc. 

- An advanced tool for cleaning infected system files 

- Securing the moment (Real-time) through the consideration of all system activity 

- Immunization types of networks such as LAN and WiFi built 

- The use of search behavior (Behavioral Scan) even without access to the Internet 

- Blocking ads and spam you suspect infection (Anti-Banner & Anti-Spam) 

- Blocking of spoof sites (Anti-Phishing) 

- Secure electronic banking systems and online purchases (Safe Money) 

- Optimization program to reduce the loss of system performance 

- Elegant and simple user interface 

- Compatible with the latest versions of Windows 


The difference between the two software Kaspersky Anti-Virus and Kaspersky Internet Security What? 

Generally in the form of two software company Kaspersky Anti-Virus products and Internet Security reported that many aspects are different from each other. 

In 1997, the first anti-virus software company Kaspersky Anti-Virus with the market, and then due to low Internet penetration among users, the software is very well acted, but gradually with the development of the World Wide Web and pandemic It is no longer a simple anti-virus could infect the system of keeping it clean Internet environment, despite its good parts, the largest of malicious files and infected player and very serious threat to the security of the system and personal information considered . That’s why the company’s new product Kaspersky and more up to date in the name of Kaspersky Internet Security report that the main task is to control the content of the input to the system from the Internet. 

In summary, Kaspersky Anti-Virus is a powerful antivirus that provides good security systems so that the systems Offline and isolation is the best option, but in addition to all the features of Kaspersky Internet Security Kaspersky Anti-Virus with the Mac impulsivity and advanced tools to deal with cyber attacks is more useful for systems connected to the Internet all the time and a large amount of information they receive daily. 

Brief introduction of unique features security software company Kaspersky: 

- Ability to Automatic Exploit Prevention: Take one of the new ways of working and spying, attacking through daily programs and applied to the search for weaknesses that hackers can penetrate and applications (Vulnerability) such as browsers provide an opportunity to under the name of a familiar and trusted software and systems to infect user logged in, the advanced capabilities of persistent Kaspersky monitoring programs show behavior that can detect the slightest suspicious behavior and user information to front Login taken before, this feature allows the software to be infected can spread in the system. 

- Ability Safe Networking: networks where a large number of systems are linked together, such as local area networks LAN and WiFi, an excellent platform for the dissemination of infected files so that the infected system in the complex can also infect all systems connected to the network a. Safe Networking feature that is found only in versions of Internet Security not only monitor the incoming data to your system, but is constantly in search of WiFi and LAN network, and blocking any malicious file and the publication of the network. 

- The System Watcher and Anti-Blocker: to continue to wreak some malicious files and interrupting user access to the system, large parts of the control system of the user can not put any effort to rescue the system and its data. Anti-Blocker functionality due to higher access levels can also re-enable all disabled parts and malicious operating system while it is possible to remove all the broken previous Karyhay returned. 

- Ability Safe Money: Unfortunately, a lot of users around the world because of carelessness, important information your bank and credit cards and bank accounts they lost stolen. When you are managing your bank account or shopping online, this program by adding another layer of security to the browser, ensuring your security and prevent theft of your important data lost. 

What is the difference between different versions of this program? 

Security software is usually updated every year and constantly improve and introduce new capabilities and tools, but the point to note is that this software is very heavy and after some time a substantial decrease in performance of the system are That’s why we all versions of the program in 2012 has been put on the site to which the right to install and use Windows and your hardware is. 

It is true that newer versions are more advanced and more secure supplies, but at the core they are not different because now all the previous versions and the latest database update are the ability to deal with with the latest f of malware. 

As a result, before downloading and installing this software, be sure to check the system requirements and if your system supports it, to install it. 

Activation of the software is in what way? 

In the past, older versions of the program, due to be published on the Internet Key that it was possible to fully activate the software, but the company Kaspersky measures against those thought to cause the old method does not work Leaders released in less than a few hours of work Byvftd Block and software, resulting in activation of this program is only through the purchase of the License is legal. 

But those who wish to test the features of the program are placed Trial Resetter can use this little tooldoes not enable the 30-day trial period, but it is extended. 

In addition, security software are of great importance in the event of failure may be a serious attacks threaten the user’s system, we recommend that you pay a small amount, all our systems are safe, and relieved, To do this, you can link this visit. 

Kaspersky Anti-Virus is the backbone of your PC’s antivirus security system, working behind-the-scenes to deliver the fastest and most trusted computer virus and spyware protection in the world.
- Real-time protection against computer viruses, spyware & more 
- Ensures the applications on your PC are safe 
- Fast & Efficient PC Performance 
- Rollback of harmful malware activity
Kaspersky Internet Security combines a vast array of easy-to-use, rigorous web security technologies that protect you against all types of malware and Internet-based threats - including cybercriminals that try to steal your money or your identity. Kaspersky Lab brings you hassle-free security that has minimal impact on your computer’s performance. Your PC and all the precious files and data stored on it are kept safe by: 
- Anti-Malware Protection – for real-time defences against computer viruses and Internet threats 
- Internet Protection – to secure your data and your money when you’re banking, shopping or surfing online 
- Identity Protection – via Kaspersky’s Virtual Keyboard and Secure Keyboard technologies 
- Anti-Phishing Protection – to prevent cybercriminals from collecting your personal information 
- Advanced Parental Control – that helps keep children safe when they’re online 
Kaspersky Internet Security provides all of the protection offered by Kaspersky Anti-Virus plus many innovative technologies that defend against sophisticated threats on the Internet.
Required system
General requirements: 
- CPU: Intel Pentium 1 GHz 32-bit or 64-bit 
- RAM: 512 MB ​​for Windows XP / 1 GB for Windows Vista / 7/8 / 8.1 (x86) / 2 GB for Windows Vista / 7/8 / 8.1 
- HDD: 480 MB free disk space on the hard drive 
- CD / DVD-ROM (for installation from the CD) 
- Internet connection (for activation and databases update) 
- Computer mouse 
- Microsoft Internet Explorer 8.0 or above (to update databases and application modules on the Internet) 
- Microsoft Windows Installer 3.0 
- Microsoft .NET Framework 4 

Requirements for netbooks: 
- Intel Atom 1.6 GHz processor or a compatible equivalent 
- Video adapter Intel GMA950 with at least 64 MB of video RAM (or a compatible equivalent) 
- Screen resolution no less than 1024×576 
Operating systems: 
- Microsoft Windows XP SP2 (x64) 
- Microsoft Windows XP SP3 (x86) 
- Microsoft Windows Vista SP2 (x86 or x64) 
- Microsoft Windows 7 (x86 or x64) 
- Microsoft Windows 8.0 / 8.1 / 8.1 with Update (x86 or x64)

Installation guide
1. Download and unzip the software. 
2. Run the Setup.exe file to start the installation. The software has a crack or a valid key is so far the only way to purchase a legal license or use Trial Reset tool, this tool allows the user to the end of the trial period of 30 days, then 30 days added to the software. Trial Reset to continue to pay for the installation guide. 
3. After installation, run software and Licensing Options window click on the Window Key in the series, click on the red X in the window that opens, and then click Click on Accept. 
4. In the window click on the Settings option in the window on the Additional tab and then click on the Self-Defense Click Options, uncheck Enable Self-Defense to remove, and then close the application window . 
5. The right of the taskbar, next to the system clock (the System Tray), right-click on the application icon and click on the option Exit Pause Protection and sauces. 
6. The file folders Trial Reset Trial Reset.exe run (note if you’re using to run Windows Vista or 7, right-click on it and select Trial Reset.exe must select Run as administrator ) and click the button to the left to the Russian language is written Reset Trial Click and at the end let you restart the system.
7. Run the application again and click on the option Activate trial version of the application and wait for a success message is displayed on the button and click Finish. 
8. Window and click on the Update button in the next window, click on Run Update button and wait until the software is updated.







Download
 Click Here - Kaspersky Internet Security ‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏ - 175.17 MB 
 Click Here - Kaspersky Anti-Virus ‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏‏ - 173.81 MB 
 Click Here- Crack Only

Cracked Software

Jun 28

Compiler-based security mitigations in Android P


Posted by Ivan Lozano, Information Security Engineer

Android’s switch to LLVM/Clang as the default platform compiler in Android 7.0 opened up more possibilities for improving our defense-in-depth security posture. In the past couple of releases, we’ve rolled out additional compiler-based mitigations to make bugs harder to exploit and prevent certain types of bugs from becoming vulnerabilities. In Android P, we’re expanding our existing compiler mitigations, which instrument runtime operations to fail safely when undefined behavior occurs. This post describes the new build system support for Control Flow Integrity and Integer Overflow Sanitization.

Control Flow Integrity

A key step in modern exploit chains is for an attacker to gain control of a program’s control flow by corrupting function pointers or return addresses. This opens the door to code-reuse attacks where an attacker executes arbitrary portions of existing program code to achieve their goals, such as counterfeit-object-oriented and return-oriented programming. Control Flow Integrity (CFI) describes a set of mitigation technologies that confine a program’s control flow to a call graph of valid targets determined at compile-time.

While we first supported LLVM’s CFI implementation in select components in Android O, we’re greatly expanding that support in P. This implementation focuses on preventing control flow manipulation via indirect branches, such as function pointers and virtual functions—the ‘forward-edges’ of a call graph. Valid branch targets are defined as function entry points for functions with the expected function signature, which drastically reduces the set of allowable destinations an attacker can call. Indirect branches are instrumented to detect runtime violations of the statically determined set of allowable targets. If a violation is detected because a branch points to an unexpected target, then the process safely aborts.

Assembly-level comparison of a virtual function call with and without CFI enabled.

Figure 1. Assembly-level comparison of a virtual function call with and without CFI enabled.

For example, Figure 1 illustrates how a function that takes an object and calls a virtual function gets translated into assembly with and without CFI. For simplicity, this was compiled with -O0 to prevent compiler optimization. Without CFI enabled, it loads the object’s vtable pointer and calls the function at the expected offset. With CFI enabled, it performs a fast-path first check to determine if the pointer falls within an expected range of addresses of compatible vtables. Failing that, execution falls through to a slow path that does a more extensive check for valid classes that are defined in other shared libraries. The slow path will abort execution if the vtable pointer points to an invalid target.

With control flow tightly restricted to a small set of legitimate targets, code-reuse attacks become harder to utilize and some memory corruption vulnerabilities become more difficult or even impossible to exploit.

In terms of performance impact, LLVM’s CFI requires compiling with Link-Time Optimization (LTO). LTO preserves the LLVM bitcode representation of object files until link-time, which allows the compiler to better reason about what optimizations can be performed. Enabling LTO reduces the size of the final binary and improves performance, but increases compile time. In testing on Android, the combination of LTO and CFI results in negligible overhead to code size and performance; in a few cases both improved.

For more technical details about CFI and how other forward-control checks are handled, see the LLVM design documentation.

For Android P, CFI is enabled by default widely within the media frameworks and other security-critical components, such as NFC and Bluetooth. CFI kernel support has also been introduced into the Android common kernel when building with LLVM, providing the option to further harden the trusted computing base. This can be tested today on the HiKey reference boards.

Integer Overflow Sanitization

The UndefinedBehaviorSanitizer’s (UBSan) signed and unsigned integer overflow sanitization was first utilized when hardening the media stack in Android Nougat. This sanitization is designed to safely abort process execution if a signed or unsigned integer overflows by instrumenting arithmetic instructions which may overflow. The end result is the mitigation of an entire class of memory corruption and information disclosure vulnerabilities where the root cause is an integer overflow, such as the original Stagefright vulnerability.

Because of their success, we’ve expanded usage of these sanitizers in the media framework with each release. Improvements have been made to LLVM’s integer overflow sanitizers to reduce the performance impact by using fewer instructions in ARM 32-bit and removing unnecessary checks. In testing, these improvements reduced the sanitizers’ performance overhead by over 75% in Android’s 32-bit libstagefright library for some codecs. Improved Android build system support, such as better diagnostics support, more sensible crashes, and globally sanitized integer overflow targets for testing have also expedited the rollout of these sanitizers.

We’ve prioritized enabling integer overflow sanitization in libraries where complex untrusted input is processed or where there have been security bulletin-level integer overflow vulnerabilities reported. As a result, in Android P the following libraries now benefit from this mitigation:

  • libui
  • libnl
  • libmediaplayerservice
  • libexif
  • libdrmclearkeyplugin
  • libreverbwrapper

Future Plans

Moving forward, we’re expanding our use of these mitigation technologies and we strongly encourage vendors to do the same with their customizations. More information about how to enable and test these options will be available soon on the Android Open Source Project.

Acknowledgements: This post was developed in joint collaboration with Vishwath Mohan, Jeffrey Vander Stoep, Joel Galenson, and Sami Tolvanen


Android Developers Blog

May 14

Bitdefender Total Security Giveaway Is Here! [GRAB IT]

Bitdefender Security Suite 2015
Bitdefender Security Suite 2015 edition, is a full security suite that keeps you safe online. The application has numerous integral services included, such as antivirus, firewall, a USB drive immuniser, strong browsing and privacy tools, social networking protection, parental controls and a spam filter. Bitdefender is award winning software, which protects every avenue of your system with secure features that are robust and have the lowest impact on your PC’s performance. In fact, One Click Security from Bitdefender is so simple to use, you only need one click to be safe.

How To Get?

  1. Go To Link Provided
  2. Put Your E-Mail
  3. And Click On The Green Button
  4. Done! :)
Registration Link
Official Giveaway Page
Bitdefender Total Security Setup x32  | X64

Software Lovers

Apr 21

Keeping Android safe: Security enhancements in Nougat

Posted by Xiaowen Xin, Android Security Team

Over the course of the summer, we previewed a variety of security enhancements in
Android 7.0 Nougat: an increased focus on security with our vulnerability
rewards program, a new Direct
Boot mode, re-architected mediaserver and hardened
media stack, apps that are protected from accidental
regressions to cleartext traffic, an update to the way Android handles trusted
certificate authorities, strict enforcement of verified
boot with error correction, and updates
to the Linux kernel to reduce the attack surface and increase memory
protection. Phew!

Now that Nougat has begun to roll out, we wanted to recap these updates in a
single overview and highlight a few new improvements.

Direct Boot and encryption

In previous versions of Android, users with encrypted devices would have to
enter their PIN/pattern/password by default during the boot process to decrypt
their storage area and finish booting. With Android 7.0 Nougat, we’ve updated
the underlying encryption scheme and streamlined the boot process to speed up
rebooting your phone. Now your phone’s main features, like the phone app and
your alarm clock, are ready right away before you even type your PIN, so people
can call you and your alarm clock can wake you up. We call this feature Direct
Boot.

Under the hood, file-based encryption enables this improved user experience.
With this new encryption scheme, the system storage area, as well as each user
profile storage area, are all encrypted separately. Unlike with full-disk
encryption, where all data was encrypted as a single unit, per-profile-based
encryption enables the system to reboot normally into a functional state using
just device keys. Essential apps can opt-in to run in a limited state after
reboot, and when you enter your lock screen credential, these apps then get
access your user data to provide full functionality.

File-based encryption better isolates and protects individual users and profiles
on a device by encrypting data at a finer granularity. Each profile is encrypted
using a unique key that can only be unlocked by your PIN or password, so that
your data can only be decrypted by you.

Encryption support is getting stronger across the Android ecosystem as well.
Starting with Marshmallow, all capable devices were required to support
encryption. Many devices, like Nexus 5X and 6P also use unique keys that are
accessible only with trusted hardware, such as the ARM TrustZone. Now with 7.0
Nougat, all new capable Android devices must also have this kind of hardware
support for key storage and provide brute force protection while verifying your
lock screen credential before these keys can be used. This way, all of your data
can only be decrypted on that exact device and only by you.

The media stack and platform hardening

In Android Nougat, we’ve both hardened and re-architected
mediaserver, one of the main system services that processes untrusted input.
First, by incorporating integer overflow sanitization, part of Clang’s UndefinedBehaviorSanitizer,
we prevent an entire class of vulnerabilities, which comprise the majority of
reported libstagefright bugs. As soon as an integer overflow is detected, we
shut down the process so an attack is stopped. Second, we’ve modularized the
media stack to put different components into individual sandboxes and tightened
the privileges of each sandbox to have the minimum privileges required to
perform its job. With this containment technique, a compromise in many parts of
the stack grants the attacker access to significantly fewer permissions and
significantly reduced exposed kernel attack surface.

In addition to hardening the mediaserver, we’ve added a large list of
protections for the platform, including:

  • Verified Boot: Verified Boot is now strictly enforced to
    prevent compromised devices from booting; it supports error
    correction to improve reliability against non-malicious data corruption.

  • SELinux: Updated SELinux configuration and increased
    Seccomp coverage further locks down the application sandbox and reduces attack
    surface.

  • Library load order randomization and improved ASLR:
    Increased randomness makes some code-reuse attacks less reliable.

  • Kernel
    hardening
    : Added additional memory protection for newer kernels by
    marking
    portions of kernel memory as read-only, restricting
    kernel access to userspace addresses, and further reducing the existing
    attack surface.

  • APK
    signature scheme v2
    : Introduced a whole-file signature scheme that
    improves verification
    speed and strengthens integrity guarantees.

App security improvements

Android Nougat is the safest and easiest version of Android for application
developers to use.

  • Apps that want to share data with other apps now must explicitly opt-in by
    offering their files through a Content
    Provider, like FileProvider.
    The application private directory (usually /data/data/) is now set to
    Linux permission 0700 for apps targeting API Level 24+.

  • To make it easier for apps to control access to their secure network
    traffic, user-installed certificate authorities and those installed through
    Device Admin APIs are no
    longer trusted by default for apps targeting API Level 24+. Additionally,
    all new Android devices must ship with the same
    trusted CA store.

  • With Network
    Security Config, developers can more easily configure network security
    policy through a declarative configuration file. This includes blocking
    cleartext traffic, configuring the set of trusted CAs and certificates, and
    setting up a separate debug configuration.

We’ve also continued to refine app permissions and capabilities to protect you
from potentially harmful apps.

  • To improve device privacy, we have further restricted and removed access to
    persistent device identifiers such as MAC addresses.

  • User interface overlays can no longer be displayed on top of permissions
    dialogs. This “clickjacking” technique was used by some apps to attempt to gain
    permissions improperly.

  • We’ve reduced the power of device admin applications so they can no longer
    change your lockscreen if you have a lockscreen set, and device admin will no
    longer be notified of impending disable via onDisableRequested().
    These were tactics used by some ransomware to gain control of a
    device.

System Updates

Lastly, we’ve made significant enhancements to the OTA update system to keep
your device up-to-date much more easily with the latest system software and
security patches. We’ve made the install time for OTAs faster, and the OTA size
smaller for security updates. You no longer have to wait for the optimizing apps
step, which was one of the slowest parts of the update process, because the new
JIT compiler has been optimized
to make installs and updates lightning fast.

The update experience is even faster for new Android devices running Nougat with
updated firmware. Like they do with Chromebooks, updates are applied in the
background while the device continues to run normally. These updates are applied
to a different system partition, and when you reboot, it will seamlessly switch
to that new partition running the new system software version.

We’re constantly working to improve Android security and Android Nougat brings
significant security improvements across all fronts. As always, we appreciate
feedback on our work and welcome suggestions for how we can improve Android.
Contact us at security@android.com.


Android Developers Blog

Apr 10

New Bitdefender Total Security 2014 Overview

If you’re searching for a program with ‘Total Security’ for your PC, expect Bitdefender to face up for your expectations with the additional features and gratifaction boosters added within the new 2014 version. Bitdefender Total Security 2014 won’t let you down by any means with regards to offering antivirus protection, firewall, browsing and also the social media protection.

Initially sight,
Antivirus and Security News