Security

Disclosing Proof-of-Concept (PoC) exploits for vulnerabilities: A defender's point of view

Responsible/coordinated/timed disclosure is continuously a topic of heated debate, even more so when PoC (proof of concept) exploit code is included in the release. This post gives arguments in favor of full PoC disclosure from a defender's point of view.

Android security trade-offs 1: Root access

Android security trade-offs: Rooting “Rooting” has been part of the Android ecosystem pretty much since its creation. Within the context of this blog post, I define rooting as a method to disable standard sandboxing mechanisms for particular processes, which is a superset of Nick Kralevich’s earlier definition because many posts mix up the intentional, user-driven root access with exploitation of vulnerabilities. In this post I mean granting select apps and their processes the “root” privilege, which entitles them to ignore access control mechanisms on the system and kernel levels.

Android security trade-offs 0: Ecosystem complexity

Android security trade-offs The Android ecosystem is highly diverse, complex, and has many different stakeholders typically not visible in the limelight. Consequently, making decisions about features in the platform itself — what we call AOSP (Android Open Source Project) — is hard, and often in surprising ways. Over a year and a half ago, I came to Google as the new Director of Android Platform Security. Even though my research group had been working on Android security for over 7 years, many of those complexities were completely new to me.