安卓的机制与安全性 毕业论文外文翻译.doc

附录a 外文翻译-原文部分android security mechanismthenextgenerationofopenoperatingsystemswontbeondesktopsormainframesbutonthesmallmobiledeviceswecarryeveryday.theopennessofthesenewenvironmentswillleadtonewapplicationsandmarketsandwillenablegreaterintegrationwithexistingonlineservices.however,astheimportanceofthedataandservicesourcellphonessupportincreases,sotoodotheopportunitiesforvulnerability.itsessentialthatthisnextgenerationofplatformsprovidesacomprehensiveandusablesecurityinfrastructure.developedbytheopenhandsetalliance(visiblyledbygoogle),androidisawidelyanticipatedopensourceoperatingsystemformobiledevicesthatprovidesabaseoperatingsystem,anapplicationmiddlewarelayer,ajavasoftwaredevelopmentkit(sdk),andacollectionofsystemapplications.althoughtheandroidsdkhasbeenavailablesincelate2007,thefirstpubliclyavailableandroidready“g1”phonedebutedinlateoctober2008.sincethen,androidsgrowthhasbeenphenomenal:t-mobilesg1manufacturerhtcestimatesshipmentvolumesofmorethan1millionphonesbytheendof2008,andindustryinsidersexpectpublicadoptiontoincreasesteeplyin2009.manyothercellphoneprovidershaveeitherpromisedorplantosupportitinthenearfuture.alargecommunityofdevelopershasorganizedaroundandroid,andmanynewproductsandapplicationsarenowavailableforit.oneofandroidschiefsellingpointsisthatitletsdevelopersseamlesslyextendonlineservicestophones.themostvisibleexampleofthisfeatureis,unsurprisingly,thetightintegrationofgooglesgmail,calendar,andcontactswebapplicationswithsystemutilities.androiduserssimplysupplyausernameandpassword,andtheirphonesautomaticallysynchronizewithgoogleservices.othervendorsarerapidlyadaptingtheirexistinginstantmessaging,socialnetworks,andgamingservicestoandroid,andmanyenterprisesarelookingforwaystointegratetheirowninternaloperations(suchasinventorymanagement,purchasing,receiving,andsoforth)intoitaswell.traditionaldesktopandserveroperatingsystemshavestruggledtosecurelyintegratesuchpersonalandbusinessapplicationsandservicesonasingleplatform.althoughdoingsoonamobileplatformsuchasandroidremainsnontrivial,manyresearchershopeitprovidesacleanslatedevoidofthecomplicationsthatlegacysoftwarecancause.androiddoesntofficiallysupportapplicationsdevelopedforotherplatforms:applicationsexecuteontopofajavamiddlewarelayerrunningonanembeddedlinuxkernel,sodeveloperswishingtoporttheirapplicationtoandroidmustuseitscustomuserinterfaceenvironment.additionally,androidrestrictsapplicationinteractiontoitsspecialapisbyrunningeachapplicationasitsownuseridentity.althoughthiscontrolledinteractionhasseveralbeneficialsecurityfeatures,ourexperiencesdevelopingandroidapplicationshaverevealedthatdesigningsecureapplicationsisntalwaysstraightforward.androidusesasimplepermissionlabelassignmentmodeltorestrictaccesstoresourcesandotherapplications,butforreasonsofnecessityandconvenience,itsdesignershaveaddedseveralpotentiallyconfusingrefinementsasthesystemhasevolved.thisarticleattemptstounmaskthecomplexityofandroidsecurityandnotesomepossibledevelopmentpitfallsthatoccurwhendefininganapplicationssecurity.weconcludebyattemptingtodrawsomelessonsandidentifyopportunitiesforfutureenhancementsthatshouldaidinclarityandcorrectness.androidapplicationstheandroidapplicationframeworkforcesastructureondevelopers.itdoesnthaveamain()functionorsingleentrypointforexecutioninstead,developersmustdesignapplicationsintermsofcomponents.exampleapplicationwedevelopedapairofapplicationstohelpdescribehowandroidapplicationsoperate.interestedreaderscandownloadthesourcecodefromourwebsite(/android_sec_tutorial.html).letsconsideralocation-sensitivesocialnetworkingapplicationformobilephonesinwhichuserscandiscovertheirfriendslocations.wesplitthefunctionalityintotwoapplications:onefortrackingfriendsandoneforviewingthem.asfigure1shows,thefriendtrackerapplicationconsistsofcomponentsspecifictotrackingfriendlocations(forexample,viaawebservice),storinggeographiccoordinates,andsharingthosecoordinateswithotherapplications.theuserthenusesthefriendviewerapplicationtoretrievethestoredgeographiccoordinatesandviewfriendsonamap.bothapplicationscontainmultiplecomponentsforperformingtheirrespectivetasks;thecomponentsthemselvesareclassifiedbytheircomponenttypes.anandroiddeveloperchoosesfrompredefinedcomponenttypesdependingonthecomponentspurpose(suchasinterfacingwithauserorstoringdata).componenttypesandroiddefinesfourcomponenttypes:activitycomponentsdefineanapplicationsuserinterface.typically,anapplicationdeveloperdefinesoneactivityper“screen.”activitiesstarteachother,possiblypassingandreturningvalues.onlyoneactivityonthesystemhaskeyboardandprocessingfocusatatime;allothersaresuspended.servicecomponentsperformbackgroundprocessing.whenanactivityneedstoperformsomeoperationthatmustcontinueaftertheuserinterfacedisappears(suchasdownloadafileorplaymusic),itcommonlystartsaservicespecificallydesignedforthataction.thedevelopercanalsouseservicesasapplication-specificdaemons,possiblystartingonboot.servicesoftendefineaninterfaceforremoteprocedurecall(rpc)thatothersystemcomponentscanusetosendcommandsandretrievedata,aswellasregistercallbacks.contentprovidercomponentsstoreandsharedatausingarelationaldatabaseinterface.eachcontentproviderhasanassociated“authority”describingthecontentitcontains.othercomponentsusetheauthoritynameasahandletoperformsqlqueries(suchasselect,insert,ordelete)toreadandwritecontent.althoughcontentproviderstypicallystorevaluesindatabaserecords,dataretrievalisimplementationspecificforexample,filesarealsosharedthroughcontentproviderinterfaces.broadcastreceivercomponentsactasmailboxesformessagesfromotherapplications.commonly,applicationcodebroadcastsmessagestoanimplicitdestination.broadcastreceiversthussubscribetosuchdestinationstoreceivethemessagessenttoit.applicationcodecanalsoaddressabroadcastreceiverexplicitlybyincludingthenamespaceassignedtoitscontainingapplication.figure1showsthefriendtrackerandfriendviewerapplicationscontainingthedifferentcomponenttypes.thedeveloperspecifiescomponentsusingamanifestfile.therearenorestrictionsonthenumberofcomponentsanapplicationdefinesforeachtype,butasaconvention,onecomponenthasthesamenameastheapplication.frequently,thisisanactivity,asinthefriendviewerapplication.thisactivityusuallyindicatestheprimaryactivitythatthesystemapplicationlauncherusestostarttheuserinterface;however,thespecificactivitychosenonlaunchismarkedbymetainformationinthemanifest.inthefriendtrackerapplication,forexample,thefriendtrackercontrolactivityismarkedasthemainuserinterfaceentrypoint.inthiscase,wereservedthename“friendtracker”fortheservicecomponentperformingthecoreapplicationlogic.thefriendtrackerapplicationcontainseachofthefourcomponenttypes.thefriendtrackerservicepollsanexternalservicetodiscoverfriendslocations.inourexamplecode,wegeneratelocationsrandomly,butextendingthecomponenttointerfacewithawebserviceisstraightforward.thefriendprovidercontentprovidermaintainsthemostrecentgeographiccoordinatesforfriends,thefriendtrackercontrolactivitydefinesauserinterfaceforstartingandstoppingthetrackingfunctionality,andthebootreceiverbroadcastreceiverobtainsanotificationfromthesystemonceitboots(theapplicationusesthistoautomaticallystartthefriendtrackerservice).thefriendviewerapplicationisprimarilyconcernedwithshowinginformationaboutfriendslocations.thefriendvieweractivitylistsallfriendsandtheirgeographiccoordinates,andthefriendmapactivitydisplaysthemonamap.thefriendreceiverbroadcastreceiverwaitsforfriendtrackercontrolactivity,forinstance,canstartandstopthefriendtrackerservicethatrunsinthebackground.thebindactionestablishesaconnectionbetweencomponents,allowingtheinitiatortoexecuterpcsdefinedbytheservice.inourexample,friendtrackerbindstothelocationmanagerinthesystemserver.oncebound,friendtrackerinvokesmethodstoregisteracallbackthatprovidesupdatesonthephoneslocation.notethatifaserviceiscurrentlybound,anexplicit“stop”actionwontterminatetheserviceuntilallboundconnectionsarereleased.broadcastreceiverandcontentprovidercomponentshaveuniqueformsofinteraction.icctargetedatabroadcastreceiveroccursasanintentsent(broadcast)eitherexplicitlytothecomponentor,morecommonly,toanactionstringthecomponentsubscribesto.forexample,friendreceiversubscribestothedeveloper-defined“friend_near”actionstring.friendtrackerbroadcastsanintenttothisactionstringwhenitdeterminesthatthephoneisnearafriend;thesystemthenstartsfriendreceiveranddisplaysamessagetotheuser.contentprovidersdontuseintentsrather,theyreaddressedviaanauthoritystringembeddedinaspecialcontenturioftheformcontent:/.here,indicatesatableinthecontentprovider,andoptionallyspecifiesarecordinthattable.componentsusethisuritoperformasqlqueryonacontentprovider,optionallyincludingwhereconditionsviathequeryapi.securityenforcementasfigure3shows,androidprotectsapplicationsanddatathroughacombinationoftwoenforcementmechanisms,oneatthesystemlevelandtheotherattheicclevel.iccmediationdefinesthecoresecurityframeworkandisthisarticlesfocus,butitbuildsontheguaranteesprovidedbytheunderlyinglinuxsystem.inthegeneralcase,eachapplicationrunsasauniqueuseridentity,whichletsandroidlimitthepotentialdamageofprogrammingflaws.forexample,thewebbrowservulnerabilitydiscoveredrecentlyaftertheofficialreleaseoft-mobileg1phonesonlyaffectedthewebbrowseritself(/content/case-studies/android/index.jsp).becauseofthisdesignchoice,theexploitcouldntaffectotherapplicationsorthesystem.asimilarvulnerabilityinapplesiphonegavewaytothefirst“jailbreaking”technique,whichletusersreplacepartsoftheunderlyingsystem,butwouldalsohaveenabledanetwork-basedadversarytoexploitthisflaw(/content/case-studies/iphone/index.jsp).iccisntlimitedbyuserandprocessboundaries.infact,alliccoccursviaani/ocontrolcommandonaspecialdevicenode,/dev/binder.becausethefilemustbeworldreadableandwritableforproperoperation,thelinuxsystemhasnowayofmediatingicc.althoughuserseparationisstraightforwardandeasilyunderstood,controllingiccismuchmoresubtleandwarrantscarefulconsideration.asthecentralpointofsecurityenforcement,theandroidmiddlewaremediatesalliccestablishmentbyreasoningaboutlabelsassignedtoapplicationsandcomponents.areferencemonitor1providesmandatoryaccesscontrol(mac)enforcementofhowapplicationsaccesscomponents.initssimplestform,accesstoeachcomponentisrestrictedbyassigningitanaccesspermissionlabel;thistextstringneednotbeunique.developersassignapplicationscollectionsofpermissionlabels.whenacomponentinitiatesicc,thereferencemonitorlooksatthepermissionlabelsassignedtoitscontainingapplicationandifthetargetcomponentsaccesspermissionlabelisinthatcollectionallowsiccestablishmenttoproceed.ifthelabelisntinthecollection,establishmentisdeniedevenifthecomponentsareinthesameapplication.figure4depictsthislogic.thedeveloperassignspermissionlabelsviathexmlmanifestfilethataccompanieseveryapplicationpackage.indoingso,thedeveloperdefinestheapplicationssecuritypolicythatis,assigningpermissionlabelstoanapplicationspecifiesitsprotectiondomain,whereasassigningpermissionstothecomponentsinanapplicationspecifiesanaccesspolicytoprotectitsresources.becauseandroidspolicyenforcementismandatory,asopposedtodiscretionary,allpermissionlabelsaresetatinstalltimeandcantchangeuntiltheapplicationisreinstalled.however,despiteitsmacproperties,androidspermissionlabelmodelonlyrestrictsaccesstocomponentsanddoesntcurrentlyprovideinformationflowguarantees,suchasindomaintypeenforcement.securityrefinementsandroidssecurityframeworkisbasedonthelabel-orientediccmediationdescribedthusfar,butourdescriptionisincomplete.partiallyoutofnecessityandpartiallyforconvenience,thegoogledeveloperswhodesignedandroidincorporatedseveralrefinementstothebasicsecuritymodel,someofwhichhavesubtlesideeffectsandmakeitsoverallsecuritydifficulttounderstand.publicvs.privatecomponentsapplicationsoftencontaincomponentsthatanotherapplicationshouldneveraccessforexample,anactivitydesignedtoreturnauser-enteredpasswordcouldbestartedmaliciously.insteadofdefininganaccesspermission,thedevelopercouldmakeacomponentprivatebyeitherexplicitlysettingtheexportedattributetofalseinthemanifestfileorlettingandroidinferifthecomponentshouldbeprivatefromotherattributesinitsmanifestdefinition.privatecomponentssimplifysecurityspecification.bymakingacomponentprivate,thedeveloperdoesntneedtoworrywhichpermissionlabeltoassignitorhowanotherapplicationmightacquirethatlabel.anyapplicationcanaccesscomponentsthatarentexplicitlyassignedanaccesspermission,sotheadditionofprivatecomponentsandinferencerules(introducedinthev0.9r1sdkrelease,august2008)significantlyreducestheattacksurfaceformanyapplications.however,thedevelopermustbecarefulwhenallowingandroidtodetermineifacomponentisprivate.security-awaredevelopersshouldalwaysexplicitlydefinetheexportedattributeforcomponentsintendedtobeprivate.implicitlyopencomponentsdevelopersfrequentlydefineintentfiltersonactivitiestoindicatethattheycanhandlecertaintypesofaction/datacombinations.recalltheexampleofhowthesystemfindsanimageviewerwhenanintentspecifyingtheviewactionandanimagereferenceispassedtothe“startactivity”api.inthiscase,thecallercantknowbeforehand(muchlessatdevelopmenttime)whataccesspermissionisrequired.thedeveloperofthetargetactivitycanpermitsuchfunctionalitybynotassigninganaccesspermissiontoitthatis,ifapubliccomponentdoesntexplicitlyhaveanaccesspermissionlistedinitsmanifestdefinition,androidpermitsanyapplicationtoaccessit.althoughthisdefaultpolicyspecificationenablesfunctionalityandeaseofdevelopment,itcanleadtopoorsecuritypracticesandiscontrarytosaltzerandschroedersprincipleoffail-safedefaults.4referringbacktoourexamplefriendviewerapplication,ifthefriendreceiverbroadcastreceiverisntassignedanaccesspermission,anyunprivilegedinstalledapplicationcanforgeafriend_nearmessage,whichrepresentsasignificantsecurityconcernforapplicationsmakingdecisionsbasedoninformationpassedviatheintent.asageneralpractice,securityawaredevelopersshouldalwaysassignaccesspermissionstopubliccomponentsinfact,theyshouldhaveanexplicitreasonfornotassigningone.allinputsshouldbescrutinizedundertheseconditions.附录b 外文翻译-译文部分安卓的机制与安全性下一代开放式操作系统不会是在电脑或大型主机上而是在我们可以每天携带的小手机上。这些新环境的开放性会带来新的应用和市场，同时会促进现存网络设备的更大程度集成。但是，在我们手机所能支持的设备和数据的重要性不断提升的情况下，出现问题和故障的几率也在不断提升。所以，下一代平台必须要能提供一个综合且有用的安全底层架构支撑。由手机开放联盟（明显由google领导的）开发的android，是一个为手机设备制作的被广为期待的开源式操作系统。他提供了一个基础运行系统，一个应用中间层，一个java软件开发包（sdk），和一个系统应用的集合。尽管androidsdk从2007年后期便可以使用，但是第一个真正为公共准备的androidg1手机在2008年底才初次登台。从这以后，android的成长十分显著。t-mobile的第一代手机制造厂商htc预估与2008年年底，手机的总销售量会超过1百万台，并且产业内部人员期待他的使用率会在2009年陡升。许多其他的手机提供厂商也保证或计划在不久的将来支持这个系统。大量的开发者围绕android组成了开发社区，现在有很多新的产品和应用已经可以使用了。android的主要卖点之一就是允许开发者将网络设备无缝的延伸到手机上。这个功能最为显著的一个例子，毫无疑问，就是将google的gmail，日历和通过系统功能连接网页应用的紧密集成。android用户只需要申请一个用户名和密码，然后他们的手机就可以自动的与google的服务同步。其他的供应商也正在迅速的改变他们已有的即时通信，社交网络和游戏服务以适用于android，还有许多其他的企业也正在寻找把它们自己的内部运行（例如存货管理，购买，接收等等）集成进去的方法。传统的电脑和服务器运行系统一直致力于解决如何安全的将私人的和公司的应用集成到一起并且在一个平台上服务。尽管像android一样在手机平台上达到了这个功能是十分不平凡的，许多研究者仍希望他能提供一个没有遗留软件引起的并发症的干净的石板。android并不官方的支持为其他平台开发的应用软件：在java中间层上方执行的应用软件实际是运行在一个嵌入式的linux内核中，所以开发者若想将他们的应用传送到android系统，则必须使用他们定制的用户接口环境。另外，android通过把每个应用看做他自己的用户认证来运行，从而很好的限制了应用与他们的特殊的api的交互。尽管这些交互的控制措施有一些有益的安全特性，但是我们开发android应用的体验揭露了设计安全的应用不总是简单而直接的。android使用一个简单的许可证标签分配模型来限制对信息源和其他应用的使用，但是由于必要性和方便性的原因，他的设计者在系统进化的时候增加了几个潜在的混乱精炼。这篇文章意图揭开复杂的android安全性的神秘面纱并且指出一些可能发生在定义一个应用的安全性时的开发陷阱。我们通过尝试借鉴一些经验教训和为将来的能够为透明性和正确性提供帮助的功能改善定义机会来下结论。android应用android应用的架构为开发者规定了一个结构。他没有一个主要功能或者一个单一的执行入口替代这些的是，开发者必须以组件的形式设计应用程序。样例应用我们开发了一些应用程序来帮助描述android应用是怎么运行的。感兴趣的读者可以从我们的网站上下载这些源代码。我们来考虑一个手机上的位置敏感的社交网络应用用户可以用它来定位朋友的位置。我们按照功能将它分成两个应用：一个用来跟踪朋友，另一个用来观察他们。在功能一种，朋友追踪这个应用包含了特定用于追踪朋友位置的组件（举个例子，通过一个网页服务），储存地理坐标，并且与其他应用共享这些坐标。用户接下来使用朋友观察器应用来检索已经储存的地理坐标并在地图上观察他的朋友的位置。这两个应用都包含了多种用于实现各自功能的组件；这些组件自己是通过他们的组件类型分类的。一个android开发者从按照组件目的预定义的组件类型（例如和用户交互或者储存数据）中选择。组件类型android定义了四个组件类型：activity组件被定义为一