Defeat Exploit
Last updated March 7th, 2025
Due to the intricate nature of modern devices, it is impossible to anticipate every potential threat. Effective protection requires a delicate balance between robust security measures and seamless system functionality. To achieve this, security frameworks must proactively prevent malicious activity, while minimizing disruptions to legitimate actions and performance.
To strengthen the Samsung Knox platform, Defeat Exploit (DEFEX) safeguards the Android kernel against tampering and corruption by blocking unauthorized behavior at runtime, while the kernel is running.
How it works
System calls are service requests executed by an operating system, such as Android, on behalf of applications. Because a system call switches the processor into kernel mode, its handler runs with the kernel's full privileges, which makes the system call interface a prime target for exploits.
Samsung DEFEX mitigates this risk by intercepting and filtering system call requests:
- Authorized invocations proceed normally.
- Unauthorized ones generate a report and typically result in termination of the offending process.
Core components
Samsung DEFEX includes the following core components:
- SafePlace (executing processes): Ensures that only authorized programs are launched by root processes.
  SafePlace secures the root account, ensuring that only authorized programs are launched by root processes. This is particularly important because a program loaded and executed by a root process through the "execve" system call inherits the root privileges of its parent, making such launches a prime target for exploits.
- Privilege Escalation Detection (PED): Monitors attempts to change credentials and terminates non-root processes attempting to elevate privileges.
  PED monitors the privileges of Android processes, which are primarily defined by their real, effective, and file system user and group identifiers. These credentials dictate which resources system calls can access on behalf of a process. PED tracks these identifiers throughout the process lifecycle and terminates non-root processes that attempt to escalate their privileges.
In addition to these core components, Samsung DEFEX includes auxiliary tools for maintaining and generating policies, exception lists, and runtime facilities supporting PED and other features. Samsung DEFEX policies are expressed as allow lists; they implement a Mandatory Access Control (MAC) strategy and explicitly permit or deny access for each component.
The core engine is built into the device binary and performs runtime loading and verification of Samsung DEFEX policies.
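The following is an added example, not Samsung's DEFEX kernel code: a user-space model of the two decisions described above, the SafePlace check on a root process calling execve against an allow list, and the PED check on a credential change by a non-root process. The allow-list paths, the sample credential sets, and the heuristic used to call a change an "escalation" (gaining id 0, or moving from the Android application uid range into the system range) are constructed assumptions for illustration; the real policy format and exception lists are not shown on this page.

```c
/*
 * Added example, not Samsung's DEFEX kernel code: a user-space model of the
 * SafePlace (execve allow list) and PED (credential change) decisions.
 * The allow-list paths, the scenario credentials and the "escalation"
 * heuristic are constructed assumptions for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Linux task credentials PED tracks: real, effective, saved and
 * file-system user/group ids. */
struct cred {
    unsigned int uid, euid, suid, fsuid;
    unsigned int gid, egid, sgid, fsgid;
};

enum verdict { DEFEX_ALLOW = 0, DEFEX_DENY = 1 };

#define AID_ROOT      0U
#define AID_APP_START 10000U   /* first Android application uid */

/* Constructed SafePlace allow list: binaries a root process may execve. */
static const char *const safeplace_allow[] = {
    "/system/bin/sh",
    "/system/bin/toybox",
    "/system/bin/init",
};

static bool has_root_id(const struct cred *c)
{
    return c->uid == AID_ROOT || c->euid == AID_ROOT ||
           c->suid == AID_ROOT || c->fsuid == AID_ROOT;
}

/* SafePlace hook for execve: root callers may only launch listed paths;
 * non-root callers fall through to the kernel's normal DAC/SELinux checks. */
enum verdict safeplace_check_execve(const struct cred *caller, const char *path)
{
    if (!has_root_id(caller))
        return DEFEX_ALLOW;
    for (size_t i = 0; i < sizeof safeplace_allow / sizeof *safeplace_allow; i++)
        if (strcmp(path, safeplace_allow[i]) == 0)
            return DEFEX_ALLOW;
    return DEFEX_DENY;   /* unlisted binary: report and kill the caller */
}

/* Heuristic (assumption): one identifier moved to a more privileged value
 * if it became 0, or left the app uid range for the system uid range. */
static bool id_escalated(unsigned int old_id, unsigned int new_id)
{
    if (new_id == old_id)
        return false;
    if (new_id == AID_ROOT)
        return true;
    return old_id >= AID_APP_START && new_id < AID_APP_START;
}

/* PED hook for setuid/setgid/setfsuid-style credential changes. Only
 * non-root processes are policed: a root process dropping to an app uid is a
 * privilege reduction, not an escalation. On denial a one-line report is
 * written to `report` (may be NULL). */
enum verdict ped_check_setcred(const struct cred *old, const struct cred *new_,
                               char *report, size_t report_len)
{
    if (has_root_id(old))
        return DEFEX_ALLOW;

    const struct { const char *name; unsigned int o, n; } ids[] = {
        {"uid", old->uid, new_->uid},    {"euid", old->euid, new_->euid},
        {"suid", old->suid, new_->suid}, {"fsuid", old->fsuid, new_->fsuid},
        {"gid", old->gid, new_->gid},    {"egid", old->egid, new_->egid},
        {"sgid", old->sgid, new_->sgid}, {"fsgid", old->fsgid, new_->fsgid},
    };
    for (size_t i = 0; i < sizeof ids / sizeof *ids; i++) {
        if (id_escalated(ids[i].o, ids[i].n)) {
            if (report && report_len)
                snprintf(report, report_len, "PED: %s %u -> %u denied, killing task",
                         ids[i].name, ids[i].o, ids[i].n);
            return DEFEX_DENY;
        }
    }
    return DEFEX_ALLOW;
}

int main(void)
{
    /* Constructed scenarios: a root daemon and an app-uid process. */
    struct cred root = {0, 0, 0, 0, 0, 0, 0, 0};
    struct cred app  = {10123, 10123, 10123, 10123, 10123, 10123, 10123, 10123};
    struct cred app_to_root = app;
    app_to_root.euid = AID_ROOT;       /* non-root task making itself effective root */
    char rep[96] = "";

    printf("root execve /system/bin/sh: %s\n",
           safeplace_check_execve(&root, "/system/bin/sh") == DEFEX_ALLOW ? "allow" : "deny");
    printf("root execve /data/local/tmp/payload: %s\n",
           safeplace_check_execve(&root, "/data/local/tmp/payload") == DEFEX_ALLOW ? "allow" : "deny");
    printf("app -> euid 0: %s (%s)\n",
           ped_check_setcred(&app, &app_to_root, rep, sizeof rep) == DEFEX_ALLOW ? "allow" : "deny", rep);
    printf("root -> app uid: %s\n",
           ped_check_setcred(&root, &app, NULL, 0) == DEFEX_ALLOW ? "allow" : "deny");
    return 0;
}
```

The model keeps the two hooks separate because they sit on different system calls: SafePlace decides at execve time, PED at every credential change. Note the asymmetry in the PED check: the direction of the change matters, so a root process dropping to an application uid passes while an application process acquiring any root identifier is denied.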