Translation, delete after use

Posted: 2016-05-11 01:24:28
Several security companies have already announced their intention of porting their security solutions to Android. For example, in 2008, SMobile released a security solution for Android-based handsets that includes antivirus and antitheft applications. Savant Protection, which specializes in intrusion prevention, announced in March 2008 that it ported its security solution, “Savant Technology,” to Android. Mocana, another company that ported its solution to Android, claims that it offers the following capabilities: a secure browser; virtual private network (VPN) clients; malware protection; secure firmware update and secure boot capabilities; and certificate-handling features to authenticate devices, network services, and individuals to each other. DroidHunter is another security application available for Android. We can assume that companies that already have security solutions for mobile devices (such as Symantec, F-Secure, McAfee, and CheckPoint) will also port those to Android-based devices. Among the features these solutions include are antivirus software and intrusion-detection systems (IDSs) that run on the devices themselves. To further harden an Android device and reduce the harmful potential of identified high-risk threats, users can employ several additional safeguards. We tested and evaluated some of these safety measures in our mobile security laboratory. For example, we ported SELinux to Android and activated a security policy for enhancing the protection of system processes.[10] Moreover, we enabled a NetFilter-based firewall that users can easily configure via an Android-compliant interface. We also started investigating methods for locking an Android handset, such as with a password or a similar mechanism. In addition, we’re developing and evaluating an IDS based on anomaly detection (called Andromaly). Table 2 summarizes applicable security solutions and the current state of market offerings. Using the aforementioned five threat clusters, we assessed the mitigation level and effort required to apply various countermeasures for each cluster (see Table 3).
Threat Cluster 1

The first threat cluster compromises availability, confidentiality, or integrity by maliciously using the permissions granted to an installed application. This attack scenario is likely to happen and has a potentially high impact on the device. There are several possible countermeasures.
Intrusion-detection/prevention system. An IDS solution is well-suited for defining the normal behavior of the system, application, or user in order to detect deviations from it or, alternatively, known malware behavioral patterns. An IDS can also serve as an effective tool for discovering initially unknown and isolated threats. However, because malware can quickly adapt and mask its behavior according to the security tools that can detect it, an IDS’s effectiveness might decrease over time. Based on our implementation of the Andromaly IDS we developed for Android, we classify the development effort as medium because it requires system modification for more advanced capabilities.
Firewall. A firewall is a solution for network-related attacks that can prevent data leakage via malware that’s already been installed. However, given that not all attacks that abuse permissions are network-based, a firewall is useful against only a subset of such attacks. Because the NetFilter module that provides firewall capabilities at the Linux-kernel level is enabled on the HTC G1, only a control application is needed. We’ve developed a preliminary control GUI for managing these capabilities, based on the intermediate “iptables” command-line utility. Consequently, we can classify the effort needed to develop such an application as low.
Application certification. Certification is an ideal countermeasure against malicious applications. Because each application would have to be thoroughly tested and reviewed prior to certification and permission to use any feature of the device, malicious applications would certainly be caught in their early phases and be unable to receive the proper certification. Unfortunately, nothing comes without a cost; with application certification, the cost of verifying every application is quite high.
Selective Android permissions. Letting the user approve only a subset of the permissions requested by an installed application would reduce the risk of an application maliciously using granted permissions. This solution requires modifying the package installer activity and adding an advanced feature to it so that the user could decline a particular requested permission. This wouldn’t interfere with installing the application. Such a change would yield a high gain for security-aware users and wouldn’t degrade usability for unaware users. It would also protect against granting unnecessary permissions. Overall, the required effort is low but necessitates a system modification and possible design changes.
Threat Cluster 2

The second threat cluster occurs when an application exploits a vulnerability in the Linux kernel or system libraries, thus compromising availability, confidentiality, or integrity. This scenario was proved possible, and our security analysis showed that additional vulnerabilities are likely to be found. Although this cluster of threats has a low probability of occurring, such threats could inflict severe damage. The primary countermeasure to this threat is the SELinux solution. SELinux is well-suited to limiting the abilities of operating system entities. The hazardous potential of exploitable vulnerabilities could lead to a situation in which the whole system could be undermined if the attacker obtained super-user privileges. By limiting the abilities of root processes and other potentially vulnerable or high-priority entities, SELinux would prevent the attacker from forcing the system to do his or her bidding and so render the attack much less effective. However, because each entity must be able to execute certain commands for normal operation, SELinux can’t block these commands. If the entity has been compromised, the attacker would still have some maneuvering space for unleashing an attack. In other words, the attack can only be partially deflected. Our experimentation with SELinux on Android has shown that it consumes very few resources, incurs low overhead on the system, and requires a low effort to apply.[10] The only issue to consider is creating a proper SELinux policy.
Threat Cluster 3

The third cluster of threats compromises the availability, confidentiality, or integrity of private or confidential content. Any application can read the SD card’s contents, and attackers can eavesdrop on wireless communication remotely. There are several solutions to this threat.
Login. The requirement to enter a password or draw a pattern to unlock certain device functionalities is a well-known and effective tool against various threats—in particular, the exposure of private content. If an attacker steals a device with the lock in place, he or she couldn’t access any private information without the password. However, if the attacker steals the device when it’s unlocked, the defense mechanism is useless, and the attacker can do whatever he or she wishes with the device. Android has a simple screen-lock pattern mechanism, but normal applications can’t override the “Home” button. So, any implementation of or enhancement to the login mechanism requires modifying the system. We classify the effort needed to develop such a solution as low.
Firewall. Firewalls can protect against information leaks through any network interface. Using either stateless or stateful content inspection on the communication medium, a firewall can decide whether an application is sending sensitive or confidential information and block the communication accordingly. Because the firewall operates on the kernel’s lowest levels, malicious applications can’t bypass it (absent exploitable vulnerabilities in the Linux kernel or system libraries). It can also work hand-in-hand with an access control mechanism, such as SELinux, to provide greater protection. Nevertheless, network interfaces aren’t the only path malware can take to leak private data from the device; an alternative attack would be to send the data through SMS/MMS messages. Unfortunately, firewalls can’t block such an attack.
Data encryption. Encrypting data is an excellent way to counter private data exposure. Because only the owner knows the key for deciphering the data, the information is secure even if an attacker steals the device and has full access to it, because he or she can’t break the encryption in a reasonable amount of time. Encrypting sensitive data handled by core applications (such as SMS messaging, emails, and contacts) will require developers to modify those applications. We classify the effort of realizing this as low.
Context-aware access control. By employing context-aware access control (CAAC), users can limit access to their private data depending on the context in which the device is operating. Among the contextual factors are location, time, the cellular network, and whether the device is connected to Wi-Fi, along with other similar elements. Such a mechanism could defend against various information disclosure attacks depending on the surrounding circumstances. If the attack occurs while the device is in a context that allows access to information, the device will permit access and disclose information. However, if the device is stolen and transferred to a foreign location, for example, the data would be secure and inaccessible to the attacker. This solution’s primary challenge is to define policies and procedures that the device would implement either automatically or via manual input. Implementing this solution would require medium effort and a system modification.
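The following Python sketch is an added illustration of the CAAC idea described above, not an implementation from the paper: a default-deny policy whose rules grant a data class only when the sampled context (location, time, cellular network, Wi-Fi SSID) matches, so a device stolen and carried abroad exposes nothing. All labels, rules and contexts are constructed.

```python
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Optional, Tuple

@dataclass
class Context:
    """Snapshot of the contextual factors named above, as the device would sample them."""
    location: str                  # e.g. "home", "office", "unknown" (constructed labels)
    local_time: time
    cell_network: str              # operator name reported by the radio
    wifi_ssid: Optional[str]       # None when Wi-Fi is off or disconnected

@dataclass
class Rule:
    """Grants the `data` classes when every non-empty constraint matches the context."""
    data: FrozenSet[str]
    locations: FrozenSet[str] = frozenset()     # empty set = any location
    networks: FrozenSet[str] = frozenset()
    ssids: FrozenSet[str] = frozenset()
    hours: Optional[Tuple[time, time]] = None    # [start, end) in local time

    def matches(self, ctx: Context) -> bool:
        return ((not self.locations or ctx.location in self.locations)
                and (not self.networks or ctx.cell_network in self.networks)
                and (not self.ssids or ctx.wifi_ssid in self.ssids)
                and (self.hours is None or self.hours[0] <= ctx.local_time < self.hours[1]))

class CAACPolicy:
    """Default-deny: a data class is readable only if some rule granting it matches the context."""
    def __init__(self, rules):
        self.rules = list(rules)

    def permitted(self, data_class: str, ctx: Context) -> bool:
        return any(data_class in r.data and r.matches(ctx) for r in self.rules)

    def visible(self, ctx: Context):
        """All data classes the current context unlocks, sorted."""
        return sorted({d for r in self.rules if r.matches(ctx) for d in r.data})

def example_policy() -> CAACPolicy:
    """Constructed policy: trusted places/networks unlock data; nothing is unlocked elsewhere."""
    return CAACPolicy([
        Rule(frozenset({"contacts"}), locations=frozenset({"home", "office"}),
             networks=frozenset({"HomeCarrier"})),
        Rule(frozenset({"email"}), ssids=frozenset({"corp-wifi"}), hours=(time(8), time(19))),
        Rule(frozenset({"sms"}), locations=frozenset({"home"})),
        Rule(frozenset({"sms"}), networks=frozenset({"HomeCarrier"}), hours=(time(7), time(22))),
    ])

# Constructed contexts: a normal office day, the same phone stolen and carried abroad, home at night.
OFFICE_DAY = Context("office", time(10, 30), "HomeCarrier", "corp-wifi")
STOLEN_ABROAD = Context("unknown", time(3, 0), "RoamingCarrier", None)
HOME_NIGHT = Context("home", time(23, 30), "HomeCarrier", "home-wifi")
```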
Remote management. Remote management capabilities, when combined with additional security solutions, such as a firewall or context-aware access control mechanism, can improve security substantially. If an attacker steals a device, users could protect information remotely by turning on a defensive mechanism. Even during the device’s everyday operation, if the remote manager can identify a worm prowling the cellular or wireless network, he or she could configure the firewall accordingly to block the worm and prevent any information disclosure. Due to the high availability the enterprise market requires, such an implementation needs a medium effort, given that the required privileges for access to relevant information and for effectively controlling the device would mandate a system modification. Nevertheless, remotely managed protection features depend on human intervention during or prior to an attack. Moreover, to defend against attacks at the right time, a remote manager must constantly monitor the device. Such a requirement is likely to be costly in terms of device resources and might place excessive demands on the remote manager.
Threat Cluster 4

The fourth threat cluster involves attackers draining a mobile device’s resources. Applications for Android have neither disk storage nor memory (RAM) quotas, and hogging the CPU is also possible. This threat cluster has two primary solutions.
Resource management. The resource management security solution mitigates the threat of malicious applications draining resources. This mechanism consists of fairly allocating resources to applications according to their needs and importance (for example, the phone application is very important and should thus receive more CPU than a game). In this case, unsupervised resource drainage isn’t possible. If a resource management solution maintains disk storage quotas and disk and network I/O are rate limited and permitted up to a certain quota, then it can fully mitigate a DoS attack. However, implementing such resource management configurations requires system modifications. Due to such a change’s invasiveness, the implementation effort ranges from medium to high, depending on the exact implementation (enabling a configuration or adjusting the framework to support such an implementation).
Intrusion-detection/prevention system. A host-based IDS can counter malicious drainage in the battery, memory, or CPU by detecting abnormal rate changes in resource levels. In practice, any malware aims to remain undetected, so the IDS should continuously maintain and validate the normal usage profile.
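As an added example (not the authors' Andromaly code), the following Python sketch demonstrates the anomaly-detection approach described for Andromaly in cluster 1 and in the paragraph above: it learns a normal profile of per-interval changes in resource levels, alerts when a change deviates from that profile, and keeps maintaining the profile only from samples judged normal. The feature names, thresholds and telemetry values are constructed.

```python
import math

FEATURES = ("cpu_pct", "free_mem_kb", "battery_pct")

class FeatureProfile:
    """Running mean/variance (Welford) of one feature's per-interval change, i.e. its normal rate."""
    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        d = x - self.mean
        self.mean += d / self.n
        self.m2 += d * (x - self.mean)

    def zscore(self, x):
        std = math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0
        return abs(x - self.mean) / (std or 1e-9)   # zero spread: any deviation is extreme

class RateAnomalyIDS:
    """Alerts when a feature's change deviates more than `threshold` std-devs from its learned rate."""
    def __init__(self, threshold=3.0, min_train=10):
        self.threshold, self.min_train = threshold, min_train
        self.profiles = {f: FeatureProfile() for f in FEATURES}
        self.prev = None

    def observe(self, sample):
        """Return the names of anomalous features in this sample (empty list = normal)."""
        if self.prev is None:
            self.prev = sample
            return []
        deltas = {f: sample[f] - self.prev[f] for f in FEATURES}
        self.prev = sample
        trained = all(p.n >= self.min_train for p in self.profiles.values())
        alerts = [f for f in FEATURES
                  if trained and self.profiles[f].zscore(deltas[f]) > self.threshold]
        # Update the profile only from samples judged normal, so a ramping drain can't train itself in.
        if not alerts:
            for f in FEATURES:
                self.profiles[f].update(deltas[f])
        return alerts

def constructed_trace():
    """Constructed telemetry: 20 idle-phone samples, then 3 samples of a resource-draining app."""
    cpu_cycle = (4, 6, 5, 7, 3, 5, 6, 4, 5, 6)
    trace = [{"cpu_pct": cpu_cycle[i % 10], "free_mem_kb": 50000 - (i % 4) * 300,
              "battery_pct": 90 - i // 5} for i in range(20)]
    trace += [{"cpu_pct": 85 + i, "free_mem_kb": 30000 - i * 5000,
               "battery_pct": 80 - 6 * (i + 1)} for i in range(3)]
    return trace

def run(trace):
    """Map sample index -> anomalous features, for every sample that raised an alert."""
    ids = RateAnomalyIDS()
    return {i: hit for i, hit in ((i, ids.observe(s)) for i, s in enumerate(trace)) if hit}
```

On the constructed trace only the three drain samples (indices 20 to 22) raise alerts; the CPU feature stays normal once the drain's CPU level plateaus, while memory and battery keep falling at an abnormal rate.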
Threat Cluster 5

The final threat cluster deals with compromised internal or protected networks. Attackers can use Android devices to compromise other devices, computers, or networks by running network or port scanners, SMS/MMS/email worms, and various other attacks.
Virtual private network. A VPN solution relies on mature principles such as message authentication codes and encryption to protect communication. The Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and IPSec-based VPN connections are enabled on Android release 1.6 (that is, the Donut update). Enabling additional Linux-based VPN solutions on Android requires only a low effort.
Remote management. Enforcing a security policy when dealing with internal or protected networks is easy using a centralized remote management framework controlled by network administrators. However, threat mitigation’s effectiveness depends on the administrator’s vigilance—that is, a human factor, which is the biggest chink in the solution’s armor.
Context-aware access control. When dealing with internal or protected networks, we can view context-aware access control as an automated version of the remote management approach. Upon detecting a context involving an active connection to the internal or protected network, the CAAC mechanism can
Original source: http://www.cnblogs.com/XACOOL/p/5479882.html