http://source.android.com/devices/tech/security/index.html#android-security-program-overview

Linux Security

The foundation of the Android platform is the Linux kernel. The Linux kernel itself has been in widespread use for years, and is used in millions of security-sensitive environments. Through its history of constantly being researched, attacked, and fixed by thousands of developers, Linux has become a stable and secure kernel trusted by many corporations and security professionals.

As the base for a mobile computing environment, the Linux kernel provides Android with several key security features, including:

  • A user-based permissions model
  • Process isolation
  • Extensible mechanism for secure IPC
  • The ability to remove unnecessary and potentially insecure parts of the kernel

As a multiuser operating system, a fundamental security objective of the Linux kernel is to isolate user resources from one another. The Linux security philosophy is to protect user resources from one another. Thus, Linux:

  • Prevents user A from reading user B's files
  • Ensures that user A does not exhaust user B's memory
  • Ensures that user A does not exhaust user B's CPU resources
  • Ensures that user A does not exhaust user B's devices (e.g. telephony, GPS, Bluetooth)

The Application Sandbox

The Android platform takes advantage of the Linux user-based protection as a means of identifying and isolating application resources. The Android system assigns a unique user ID (UID) to each Android application and runs it as that user in a separate process. This approach is different from other operating systems (including the traditional Linux configuration), where multiple applications run with the same user permissions.

This sets up a kernel-level Application Sandbox. The kernel enforces security between applications and the system at the process level through standard Linux facilities, such as user and group IDs that are assigned to applications. By default, applications cannot interact with each other and applications have limited access to the operating system. If application A tries to do something malicious like read application B's data or dial the phone without permission (which is a separate application), then the operating system protects against this because application A does not have the appropriate user privileges. The sandbox is simple, auditable, and based on decades-old UNIX-style user separation of processes and file permissions.

Since the Application Sandbox is in the kernel, this security model extends to native code and to operating system applications. All of the software above the kernel in Figure 1, including operating system libraries, application framework, application runtime, and all applications run within the Application Sandbox. On some platforms, developers are constrained to a specific development framework, set of APIs, or language in order to enforce security. On Android, there are no restrictions on how an application can be written that are required to enforce security; in this respect, native code is just as secure as interpreted code.

In some operating systems, memory corruption errors generally lead to completely compromising the security of the device. This is not the case in Android due to all applications and their resources being sandboxed at the OS level. A memory corruption error will only allow arbitrary code execution in the context of that particular application, with the permissions established by the operating system.

Like all security features, the Application Sandbox is not unbreakable. However, to break out of the Application Sandbox in a properly configured device, one must compromise the security of the Linux kernel.
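The per-app UID assignment and the UNIX-style permission check the sandbox rests on, as an added model written for this page (not Android's own code). It assumes app UIDs are handed out sequentially from 10000 and models two constructed files in app B's private directory: one created with the default 0600 mode and one an app mistakenly made world-readable, which is the classic way an app weakens its own sandbox.

```python
from dataclasses import dataclass

# Assumption: first UID handed to an installed app, mirroring Android's AID_APP range.
AID_APP_START = 10000


@dataclass
class Inode:
    owner_uid: int
    owner_gid: int
    mode: int  # POSIX permission bits, e.g. 0o600


@dataclass
class Process:
    uid: int
    gids: set


R, W = 4, 2  # read / write permission bits


def assign_app_uids(packages):
    """Model of the installer giving every package its own UID (and matching GID)."""
    return {pkg: AID_APP_START + i for i, pkg in enumerate(packages)}


def dac_allows(proc, inode, want):
    """Classic UNIX discretionary access check: owner bits, then group bits, then other bits."""
    if proc.uid == 0:  # root bypasses DAC; breaking the sandbox means reaching this
        return True
    if proc.uid == inode.owner_uid:
        bits = (inode.mode >> 6) & 7
    elif inode.owner_gid in proc.gids:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return (bits & want) == want


def sandbox_demo():
    uids = assign_app_uids(["com.example.a", "com.example.b"])
    app_a = Process(uid=uids["com.example.a"], gids={uids["com.example.a"]})
    app_b = Process(uid=uids["com.example.b"], gids={uids["com.example.b"]})
    # Constructed: /data/data/com.example.b/files/secret with the default private mode.
    secret_b = Inode(uids["com.example.b"], uids["com.example.b"], 0o600)
    # Constructed: same directory, but app B opened the file world-readable (0644).
    leaky_b = Inode(uids["com.example.b"], uids["com.example.b"], 0o644)
    return {
        "a_reads_b_secret": dac_allows(app_a, secret_b, R),
        "b_reads_own_secret": dac_allows(app_b, secret_b, R),
        "a_reads_b_world_readable": dac_allows(app_a, leaky_b, R),
        "a_writes_b_world_readable": dac_allows(app_a, leaky_b, W),
    }
```

The result shows the kernel denying app A's read of app B's private file purely on UID mismatch, while a world-readable file is exposed to every other UID on the device.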
