Friday, July 22, 2016

Verified boot prevents your phone from starting if it has a virus


As early as Android 4.4, Google built in dm-verity, or verified boot in layman's terms.
This was done to prevent malicious software from hiding somewhere on the device. Many people did not give it much thought, however, until Android 6.0 Marshmallow, when Google began warning its users that the integrity of their device had been compromised.

In the new Android 7.0 Nougat, verified boot goes a step further: if your phone has malicious software, Android will not be able to boot, for security reasons. You will, however, be able to boot your phone with limited functionality, somewhat like Safe Mode in Windows.

"Android has alerted about system integrity since Marshmallow, but starting with devices first shipping with Android 7.0, we require verified boot to be strictly enforcing. This means that a device with a corrupt boot image or verified partition will not boot or will boot in a limited capacity with user consent. Such strict checking, though, means that non-malicious data corruption, which previously would be less visible, could now start affecting process functionality more."

"In the changes we made to dm-verity for Android 7.0, we used a technique called interleaving to allow us to recover not only from a loss of an entire 4 KiB source block, but several consecutive blocks, while significantly reducing the space overhead required to achieve usable error correction capabilities compared to the naive implementation."
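The interleaving idea in the quote above can be shown with a small layout model. This is an added example, not code from the original post or from Android; the function names are hypothetical, and the codeword parameters (253 data bytes plus 2 parity bytes) and the strided layout are assumptions chosen for illustration.

```python
"""Constructed model: why interleaving lets error correction survive a burst of lost blocks."""
from collections import Counter

BLOCK = 4096   # block size in bytes (4 KiB, as in the quote)
K = 253        # data bytes per codeword (assumed parameter)
PARITY = 2     # parity bytes per codeword (assumed); with the corrupt block's
               # position known from the hash check, each parity byte can
               # repair one erased byte

def naive_codeword(offset, n_blocks):
    """Contiguous layout: each codeword covers K neighbouring bytes."""
    return offset // K

def interleaved_codeword(offset, n_blocks):
    """Strided layout: the K bytes of one codeword sit `stride` bytes apart."""
    rounds = -(-n_blocks // K)      # ceil(n_blocks / K)
    stride = rounds * BLOCK
    return offset % stride          # bytes with the same residue share a codeword

def worst_erasures(layout, n_blocks, first_lost, lost_count):
    """Largest number of erased bytes that any single codeword sees."""
    hits = Counter()
    start = first_lost * BLOCK
    for offset in range(start, start + lost_count * BLOCK):
        hits[layout(offset, n_blocks)] += 1
    return max(hits.values())

def recoverable(layout, n_blocks, first_lost, lost_count):
    """True if no codeword loses more bytes than its parity can repair."""
    return worst_erasures(layout, n_blocks, first_lost, lost_count) <= PARITY

if __name__ == "__main__":
    n = 2530  # constructed partition size in blocks (about 10 MiB)
    for layout in (naive_codeword, interleaved_codeword):
        for burst in (1, 10, 20, 21):
            print(layout.__name__, burst, "lost blocks ->",
                  worst_erasures(layout, n, 100, burst), "erasures/codeword,",
                  "recoverable" if recoverable(layout, n, 100, burst) else "lost")
```

In the contiguous layout a single lost block wipes out whole codewords, while in the strided layout the same burst costs each codeword only one or two bytes, which the parity can restore.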