You Can Rand but You Can’t Hide: A Holistic Security Analysis of Google Fuchsia’s (and gVisor’s) Network Stack
Inon Kaplan
Network and Distributed System Security (NDSS) Symposium 2025 · Day 1 · Android Security 1
This talk, presented by Amit Klein from the Hebrew University of Jerusalem, delves into a comprehensive security analysis of the network stacks within Google Fuchsia and Google gVisor. Fuchsia, a general-purpose operating system designed for a diverse hardware and software ecosystem, is already deployed on millions of Google Nest Hub devices and is widely conjectured as a potential successor to Android. Crucially, its TCP/IP stack, known as **netstack**, is a direct copy of gVisor's network stack, which serves as an application kernel for containers across multiple Google Cloud offerings including App Engine, Cloud Functions, and Google Kubernetes Engine (GKE). This shared codebase means that vulnerabilities discovered in one often impact the other, highlighting the broad security implications of this research.
AI review
Amit Klein does the real work here: a holistic cryptanalytic teardown of a shared network stack across two Google production systems, producing a practical zero-packet PRNG seed recovery attack and a persistent cross-site tracking primitive that survives incognito mode and network changes. The research is methodologically tight, the impact surface is significant (Nest Hub deployments plus GKE/App Engine containers), and Google shipped fixes based on it — that's the validation loop that matters.