Security in Android Oreo

Android always supports Verified Boot, which is designed to prevent devices from booting up with software that has been tampered with.

AVB(Android Verified Boot) has a couple of good features to make updates easily and more securely, such as a common footer format and rollback protection. Rollback protection is also there. It is designed to prevent device boot if downgraded to an older version of android, which could be vulnerable.

Oreo also includes the new OEM Lock Hardware Abstraction Layer (HAL) that gives more flexibility to
device manufacturers. They can decide how they want to protect a device in 3 different states which are locked, unlocked, or unlockable.  

The Android framework was re-architected to make updates easier and less costly for device manufacturers.

Following the principle of least privilege, these
Hardware Abstraction Layers run in their own sandbox environment and only have access to the drivers and permissions that are mostly required.