Nearly a quarter of Android 13 is written in Rust


Android 13 is the first Android release in which the majority of the new code added to the release is in a memory-safe language.

In a blog post, Google engineers published a summary of the first results of introducing Rust development support in Android.

In Android 13, about 21% of the new compiled code overall is written in Rust and 79% in C/C++, and the AOSP (Android Open Source Project) repository, where the source code of the Android platform is developed, holds about 1.5 million lines of Rust code.

The code contributed to AOSP relates to new components such as the Keystore2 cryptographic keystore, the stack for UWB (Ultra-Wideband) chips, the implementation of the DNS over HTTP3 protocol, the AVF virtualization framework (Android Virtualization Framework), and experimental stacks for Bluetooth and Wi-Fi.

In line with the previously adopted strategy of reducing the risk of memory-error vulnerabilities, Rust has so far been used for developing new code and for gradually strengthening the security of the most exposed and critical software components.

As the amount of new memory-unsafe code entering Android has decreased, the number of memory safety vulnerabilities has decreased as well. From 2019 to 2022, it dropped from 76% to 35% of all Android vulnerabilities. 2022 marks the first year in which memory safety vulnerabilities do not account for the majority of Android vulnerabilities.

There is no general goal of moving the whole platform to Rust: the old code remains in C/C++, and bugs in it are fought with fuzz testing, static analysis, and similar techniques. These include the MiraclePtr type (a wrapper over raw pointers that performs additional checks for access to freed memory areas), the Scudo memory allocation system (a safe replacement for malloc/free), and mechanisms for detecting errors when working with memory: HWAsan (Hardware Assisted AddressSanitizer), GWP-ASAN and KFENCE.

As for statistics on the nature of vulnerabilities in the Android platform, they show that as the amount of new code that works with memory in unsafe ways decreases, the number of vulnerabilities caused by errors in working with memory decreases too.

For example, the share of vulnerabilities caused by memory issues dropped from 76% in 2019 to 35% in 2022. In absolute numbers, 223 memory-related vulnerabilities were identified in 2019, 150 in 2020, 100 in 2021, and 85. not found). 2022 was the first year in which memory-related vulnerabilities ceased to dominate.

To date, no memory safety vulnerabilities have been discovered in Android's Rust code.

We don't expect that number to stay at zero forever, but given the volume of new Rust code across two Android releases and the security-sensitive components where it is used, it is a significant result. It shows that Rust is fulfilling its intended purpose of preventing Android's most common source of vulnerabilities.

Since memory-related vulnerabilities are often the most dangerous, the overall statistics also show a decrease in the number of critical issues and of issues that can be exploited remotely. At the same time, the rate at which vulnerabilities unrelated to working with memory are detected has stayed at the same level over the past 4 years: 20 vulnerabilities per month.

The proportion of dangerous issues among vulnerabilities caused by memory errors also remains the same (but as the number of vulnerabilities decreases, the number of dangerous issues decreases as well).

The statistics also track the correlation between the volume of new code that works with memory in unsafe ways and the number of memory-related vulnerabilities (buffer overflows, access to already freed memory, etc.).

This observation confirms the assumption that the main focus in implementing safe programming techniques should be on new code rather than on rewriting existing code, since most of the identified vulnerabilities are in new code.

Source: https://security.googleblog.com/
