Kevin O'Quinn

There’s a common, mistaken assumption that any software bug can be turned into a security exploit.  In fact, most bugs aren’t exploitable and there are many things Android has done to improve those odds. We’ve spent the last 4 years investing heavily in technologies focused on one type of bug -- memory corruption bugs -- and trying to make those bugs more difficult to exploit. 

A list of some of those technologies that have been introduced since Ice Cream Sandwich (Android 4.0) is here: https://source.android.com/devices/tech/security/enhancements/index.html  The most well known of these is called Address Space Layout Randomization (‘ASLR’), which was fully completed in Android 4.1 with support for PIE (Position Independent Executables) and is now on over 85% of Android devices. This technology makes it more difficult for an attacker to guess the location of code, which is required for them to build a successful exploit.  (For the layperson — ASLR makes writing an exploit like trying to get across a foreign city without access to Google Maps, any previous knowledge of the city, any knowledge of local landmarks, or even the local language.  Depending on what city you are in and where you’re trying to go, it might be possible but it’s certainly much more difficult.)  But we didn’t stop with ASLR, we’ve also added NX, FortifySource, Read-Only-Relocations, Stack Canaries, and more.

Like most advanced security technologies, we’re always assessing the effectiveness of these new approaches, and looking for ways to refine them to better protect users. We know that some bugs are simply not exploitable, even without exploit mitigation.  We know these technologies make exploitation more difficult — and that in some instances they make exploitation impossible.  But the research community today is incentivized to find lots of bugs rather than to test exploit mitigation technologies, so it can be difficult to know if exploitation of bugs is actually possible.

So, to help test these technologies, we designed the Android Security Rewards [ https://g.co/androidsecurityrewards ] program to strongly incentivize researchers to actually prove that an issue is exploitable.  We will pay up to $30,000 for developers that provide working remote exploits against current Nexus devices.  So far we have had a few issues filed as security bugs, but haven’t had anyone submit an exploit in an attempt to be paid via Android Security Rewards.  (Some people warn me that it’s tempting fate to make that statement.  But that’s not true: this is an intentional request for researchers to start testing those defenses. We want to know about when Android’s exploitation mitigation works, and when it doesn’t work. So I hope this will result in an exploit being presented. The sooner we know about it, the sooner Android users will get better protections.)

Of course, if there is any chance that an issue might be exploitable, we’ll quickly provide a patch for the issue to our partners, to our Android devices, and to the public via the Android Open Source Project.

But updates are truly a last resort.  They should be neither the first nor the only step in a multi-layered stack of security technology. I’m optimistic that advanced exploitation mitigation technology in Android will help us to move beyond the period of time when fast patching was the only solution available to secure devices.  And I look forward to more research into how these technologies can be used to prevent exploitation on Android and other platforms.

Kevin O'Quinn

Also selling a white Nexus 5 32GB.  I'm including a bunch of Spigen cases, two official Google cases (the red one is not pictured), and Ringke case.
For sale on Swappa: a gently-used VQW435 Nexus 5 (Unlocked) for $260. Buy safely on Swappa and save time and money.

Kevin O'Quinn

So far Apple is talking about an awful lot of user information that they'll need access to for all this cool "new" stuff.
If it stays on the device it will require your device to do all the processing... 

Kevin O'Quinn

Happy birthday!
Happy Birthday Jerry Hildenbrand

Kevin O'Quinn

Sorry +Jerry Hildenbrand but your dreams have been crushed.
Mozilla is learning that making smartphones dirt cheap doesn't guarantee success when you're running up against Google's Android operating system. CNET reports that in an email to employees sent...
+Jerry Hildenbrand probably all they were doing anyway :P

Kevin O'Quinn

This is great.
 
" 9-year explained Net Neutrality to his friend "

#reddit #NetNeutrality  

Kevin O'Quinn

Just lowered the price.  :)
For sale on Swappa: a gently-used VQW435 Nexus 5 (Unlocked) for $240. Buy safely on Swappa and save time and money.

Kevin O'Quinn

Yes it's an iPhone.  But it's a well maintained and taken care of iPhone.  :)
For sale on Swappa: a gently-used HVN973 Apple iPhone 5S (AT&T) for $285. Buy safely on Swappa and save time and money.

Kevin O'Quinn

You spoke. We listened. 

Kevin O'Quinn

First time with Vsco cam. Pretty easy to use and straightforward. 

Kevin O'Quinn

Nice auto awesome. 