Android Security Overview


http://source.android.com/devices/tech/security/index.html#android-security-program-overview

Linux Security


The foundation of the Android platform is the Linux kernel. The Linux kernel itself has been in widespread use for years, and is used in millions of security-sensitive environments. Through its history of constantly being researched, attacked, and fixed by thousands of developers, Linux has become a stable and secure kernel trusted by many corporations and security professionals.

As the base for a mobile computing environment, the Linux kernel provides Android with several key security features, including:

  • A user-based permissions model
  • Process isolation
  • Extensible mechanism for secure IPC
  • The ability to remove unnecessary and potentially insecure parts of the kernel

As a multiuser operating system, a fundamental security objective of the Linux kernel is to isolate user resources from one another. The Linux security philosophy is to protect user resources from one another. Thus, Linux:

  • Prevents user A from reading user B's files
  • Ensures that user A does not exhaust user B's memory
  • Ensures that user A does not exhaust user B's CPU resources
  • Ensures that user A does not exhaust user B's devices (e.g. telephony, GPS, Bluetooth)

The Application Sandbox


The Android platform takes advantage of the Linux user-based protection as a means of identifying and isolating application resources. The Android system assigns a unique user ID (UID) to each Android application and runs it as that user in a separate process. This approach is different from other operating systems (including the traditional Linux configuration), where multiple applications run with the same user permissions.

This sets up a kernel-level Application Sandbox. The kernel enforces security between applications and the system at the process level through standard Linux facilities, such as user and group IDs that are assigned to applications. By default, applications cannot interact with each other and applications have limited access to the operating system. If application A tries to do something malicious like read application B's data or dial the phone without permission (which is a separate application), then the operating system protects against this because application A does not have the appropriate user privileges. The sandbox is simple, auditable, and based on decades-old UNIX-style user separation of processes and file permissions.

Since the Application Sandbox is in the kernel, this security model extends to native code and to operating system applications. All of the software above the kernel in Figure 1, including operating system libraries, application framework, application runtime, and all applications run within the Application Sandbox. On some platforms, developers are constrained to a specific development framework, set of APIs, or language in order to enforce security. On Android, there are no restrictions on how an application can be written that are required to enforce security; in this respect, native code is just as secure as interpreted code.

In some operating systems, memory corruption errors generally lead to completely compromising the security of the device. This is not the case in Android due to all applications and their resources being sandboxed at the OS level. A memory corruption error will only allow arbitrary code execution in the context of that particular application, with the permissions established by the operating system.

Like all security features, the Application Sandbox is not unbreakable. However, to break out of the Application Sandbox in a properly configured device, one must compromise the security of the Linux kernel.
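The sandbox described above rests on one UID per application plus ordinary file permissions on each app's private data directory, which is something a defender can audit directly. The following is an added example, not part of the AOSP overview: a small Python check that parses `ls -l /data/data` output (a constructed sample is embedded; the `u<user>_a<n>` naming and the 10000 / 100000 UID offsets are Android conventions) and flags app data directories that are accessible beyond their owner or that share a UID with another package.

```python
import re
from collections import defaultdict

# Constructed sample of `ls -l /data/data` output (toybox format); not from a real device.
SAMPLE_LS = """\
drwx------  6 u0_a101 u0_a101 4096 2023-05-01 10:00 com.example.mail
drwx------  4 u0_a102 u0_a102 4096 2023-05-01 10:01 com.example.notes
drwxrwxrwx  3 u0_a103 u0_a103 4096 2023-05-01 10:02 com.example.leaky
drwx------  5 u0_a101 u0_a101 4096 2023-05-01 10:03 com.example.mailplugin
"""

# mode, link count, owner, group, size, date, time, name
LINE_RE = re.compile(
    r"^([d-][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(\S+)$")
APP_UID_RE = re.compile(r"^u(\d+)_a(\d+)$")

def uid_from_name(name):
    """Map an Android app user name such as u0_a101 to its numeric UID.
    Each Android user is offset by 100000; app UIDs start at 10000."""
    m = APP_UID_RE.match(name)
    if not m:
        return None
    user, app = int(m.group(1)), int(m.group(2))
    return user * 100000 + 10000 + app

def parse_ls(text):
    """Parse an `ls -l` listing into (mode, owner, group, name) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows

def audit(rows):
    """Return (subject, finding) pairs for entries that weaken UID isolation."""
    findings = []
    by_owner = defaultdict(list)
    for mode, owner, group, name in rows:
        by_owner[owner].append(name)
        # mode is 'd' followed by rwx triplets for owner, group, others;
        # a private app data directory should grant nothing past the owner.
        if mode[4:] != "------":
            findings.append((name, "app data dir accessible beyond its owner: %s" % mode))
    for owner, names in sorted(by_owner.items()):
        if len(names) > 1:  # two packages running as one UID share a sandbox
            findings.append((owner, "UID %s shared by %s"
                             % (uid_from_name(owner), ", ".join(sorted(names)))))
    return findings
```

A shared UID can be legitimate (packages declaring the same `sharedUserId` and signed with the same key), but it merges two sandboxes into one and is worth reviewing.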
